Western Telematic AFS-16-1 manual Ldap Parameters

Basic Configuration

5.9.8.LDAP Parameters

The AFS-16 supports LDAP (Lightweight Directory Access Protocol,) which allows authentication via the "Active Directory" network Directory Service. When LDAP is enabled and properly configured, command access rights can be granted to new users without the need to define individual new accounts at each AFS-16 unit, and existing users can also be removed without the need to delete the account from each AFS-16 unit. This type of authentication also allows administrators to assign users

to LDAP groups, and then specify which circuits the members of each group will be allowed to control at each AFS-16 unit.

In order to apply the LDAP feature, you must first define User Names and associated Passwords and group membership via your LDAP server, and then access the AFS-16 command mode to enable and configure the LDAP settings and define port access rights and command access rights for each group that you have specified at the LDAP server. Note that in order to access the LDAP Parameters menu, you must login to AFS- 16 command mode using a password that permits Administrator level commands.

Notes:

•Circuit access rights are not defined at the LDAP server. They are defined via the LDAP Group configuration menu on each AFS-16 unit and are specific to that AFS-16 unit alone.

•When LDAP is enabled and properly configured, LDAP authentication will supersede any passwords and access rights that have been defined via the AFS-16 user directory.

•If no LDAP groups are defined on a given AFS-16 unit, then access rights will be determined as specified by the "default" LDAP group.

•The "default" LDAP group cannot be deleted.

The LDAP Parameters Menu allows the following parameters to be defined:

•Enable: Enables/disables LDAP authentication. (Default = Off.)

•Primary Host: Defines the IP address or domain name (up to 64 characters) for the primary LDAP server. (Default = undefined.)

•Secondary Host: Defines the IP address or domain name (up to 64 characters) for the secondary (fallback) LDAP server. (Default = undefined.)

•LDAP Port: Defines the port that will be used to communicate with the LDAP server. (Default = 389.)

•TLS/SSL: Enables/Disables TLS/SSL encryption. Note that when TLS/SSL encryption is enabled, the LDAP Port should be set to 636. (Default = Off.)

•Bind Type: Sets the LDAP bind request password type. Note that in the Text Interface, when the Bind Type is set to "Kerberos" LDAP, the menu will include an additional prompt (item 14) that is used to select Kerberos parameters as described in Section 5.9.8.5. In the Web Interface, the button which is used to access the Kerberos Parameters menu is located at the bottom of the LDAP Parameters Menu. (Default = Simple.)

•Search Bind DN: Selects the user name who is allowed to search the LDAP directory. (Default = undefined.)

5-35