LDAP and AD integration makes centralized user and access management easy.
3.6.12.1. Specifications and Group list
To avoid conflict with internal LB users/groups, the EOS will:
- Automatically increment the UID by 2000 to avoid conflicts with local users (therefore the UID max limit in the LDAP database is 63000).
- Automatically increment the GID by 2000 to avoid conflicts with local groups (therefore the GID max limit in the LDAP database is 63000).
- HomeDirectory and LoginShell will be overwritten (during connection attempts) with the proper values.
- Groups with a wrong name definition will not be recognized and will be ignored.
- “mgmt” and “enable” user names are not authorized to be used in LDAP / AD and so will be ignored.
- “eos_geolink” and “eos_failover” group names are not authorized to be used in LDAP / AD and so will be ignored.
- The home directory of an LDAP user will be created using the name username_uid.
- The supported password types are crypt and md5crypt (AD automatically uses crypt).
NOTE: At the moment, the commands regarding LDAP and AD are not replicated in the FOVE module.
You will need to create the Elfiq groups in your directory server configuration. Here are the Elfiq groups with a short explanation of each. The next section shows an example of how to configure those groups.
eos_read Members of this group will be able to consult the stats and the logs without making changes to the configuration or confidential information in the configuration.
eos_eosupdate Members of this group are able to update the EOS firmware and use its associated wizard and settings.
eos_enable Members of this group can change the configuration of the Elfiq.
eos_diagnostic Members of this group can access certain commands associated with the troubleshooting of the Elfiq.
eos_reload Members of this group can reload the Elfiq.
NOTE: Other Elfiq groups are not pertinent to the LDAP/AD server configuration.
WARNING: User names and group names are case sensitive.
3.6.12.2. Lightweight Directory Access Protocol (LDAP)
LDAP is an application protocol for directories which is detailed in RFC 4510. The Link LB supports it for user management. LDAP administrators have to create posixGroup entries in their LDAP server (group schema). In each group entry, users are added with their unique “memberUid”. This feature eases user access to the Link LB while requiring some configuration on the server end.
3.6.12.3. Active Directory (AD)
Supported version: Microsoft Server 2003/2003 R2/2008/2008 R2
Active Directory is based on the LDAP protocol but some attributes are Windows specific. Therefore the Elfiq LB needs to know when it is required to communicate with AD, and it will then ask the server for the AD specific attributes. On the Windows server, the administrator has to install SFU (Microsoft's Services for Unix). Windows Services for UNIX version 3.0 and up is recommended, depending on your Windows server version. In the latest version of Windows Server 2008 it is called Subsystem for UNIX-based Applications (SUA). When installing SFU/SUA in Active Directory, the domain administrator will need to configure the UID, GID, groups, home directory* and login shell* per user (*not required).
3.6.12.4. LDAP Server configuration example
The following lines show an example of how to configure a posixGroup entry:
Example of an organisation unit (OU); here the domain is elfiq.com.
dn: ou=Group,dc=elfiq,dc=com
ou: Group
objectClass: organizationalUnit
objectClass: top
Example of the groups you need to create for libpam, with their associated users. The usernames are fictional.
dn: cn=eos_read,ou=Group,dc=elfiq,dc=com
cn: eos_read
objectClass: posixGroup
objectClass: top
gidNumber: 5000
memberUid: alice

dn: cn=eos_enable,ou=Group,dc=elfiq,dc=com
cn: eos_enable
objectClass: posixGroup
objectClass: top
gidNumber: 5002
memberUid: bob

dn: cn=eos_diagnostic,ou=Group,dc=elfiq,dc=com
cn: eos_diagnostic
objectClass: posixGroup
objectClass: top
gidNumber: 5001
memberUid: roger

dn: cn=eos_update,ou=Group,dc=elfiq,dc=com
cn: eos_update
objectClass: posixGroup
objectClass: top
gidNumber: 5003
memberUid: celine

dn: cn=eos_reload,ou=Group,dc=elfiq,dc=com
cn: eos_reload
objectClass: posixGroup
objectClass: top
gidNumber: 5005
memberUid: steve
The LDAP administrators also have to create posixAccount (people schema) entries in their LDAP server.
Example of an LDAP posixAccount entry:
Here is the People entry definition for elfiq.com:
dn: ou=People,dc=elfiq,dc=com
ou: People
objectClass: organizationalUnit
objectClass: top
Here is the user creation example:
dn: cn=eos_read,ou=People,dc=elfiq,dc=com
cn: eos_read
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
givenName: Alice
sn: Alice
uid: Alice
uidNumber: 2000
gidNumber: 2000
homeDirectory: /tmp/home/Alice
loginShell: /bin/bash
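The rules in 3.6.12.1 (reserved names, the +2000 UID/GID offset and the 63000 ceiling, case-sensitive matching) are easy to violate when hand-writing the LDIF above. The following checker is an added example, not part of the Elfiq documentation: it parses a constructed LDIF fragment modelled on the entries in this section and reports what the EOS would ignore or reject; the rule set it encodes is assumed to be complete.

```python
EOS_GROUPS = {"eos_read", "eos_eosupdate", "eos_enable", "eos_diagnostic", "eos_reload"}
RESERVED_USERS = {"mgmt", "enable"}   # rules from this section, assumed complete here
ID_OFFSET, ID_MAX = 2000, 63000       # EOS adds 2000 to every UID/GID, hence the 63000 cap
# Constructed LDIF modelled on the page's example; user names are fictional.
SAMPLE_LDIF = """\
dn: cn=eos_read,ou=Group,dc=elfiq,dc=com
cn: eos_read
objectClass: posixGroup
gidNumber: 5000
memberUid: alice

dn: cn=Alice,ou=People,dc=elfiq,dc=com
uid: Alice
objectClass: posixAccount
uidNumber: 2000

dn: cn=mgmt,ou=People,dc=elfiq,dc=com
uid: mgmt
objectClass: posixAccount
uidNumber: 64000
"""

def parse_ldif(text):  # one dict per blank-line-separated entry, attribute -> values
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry.setdefault(key.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def check_entries(entries):  # (dn, problem) pairs for what the EOS would ignore/reject
    problems = []
    uids = {e["uid"][0] for e in entries if "posixAccount" in e.get("objectClass", [])}
    for e in entries:
        dn, classes = e["dn"][0], e.get("objectClass", [])
        if "posixGroup" in classes:
            if e["cn"][0] not in EOS_GROUPS:
                problems.append((dn, "not an EOS group name, ignored"))
            for m in e.get("memberUid", []):
                if m not in uids:            # case sensitive, as the WARNING says
                    problems.append((dn, f"memberUid {m!r} matches no posixAccount uid"))
        if "posixAccount" in classes and e["uid"][0] in RESERVED_USERS:
            problems.append((dn, "reserved user name, ignored"))
        for attr in ("uidNumber", "gidNumber"):
            for v in e.get(attr, []):
                if int(v) > ID_MAX:          # EOS adds ID_OFFSET, so this cannot be mapped
                    problems.append((dn, f"{attr} {v} exceeds the {ID_MAX} limit (EOS adds {ID_OFFSET})"))
    return problems
```

Running it on the sample flags the lowercase “alice” that matches no account, the reserved “mgmt” user, and the uidNumber above 63000.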
3.6.12.5. Commands
The following commands are used to configure the Link LB with regards to LDAP and AD.
Show the authentication order
sh auth
Reset the authentication order to the default value: local
clr auth
Set the addresses of the LDAP servers.
ldap server [ipserver1[,ipserver2]]
LinkLB-enable:system [single] #ldap server 10.0.30.252,10.0.30.253
Set the port number of the LDAP server. This command is optional; if no port is specified and SSL encryption is selected, port 636 is used. Otherwise, port 389 is used.
ldap port [number]
LinkLB-enable:system [single] #ldap port 389
Set the LDAP binding user in distinguished name format. The binding user should have read access to baseuser and basegroup in the LDAP scheme.
ldap rootdn [rootdn]
LinkLB-enable:system [single] #ldap rootdn cn=admin,ou=managers,dc=mydomain,dc=com
Set the password of the binding user.
ldap secret [password]
LinkLB-enable:system [single] #ldap secret 1234
Set the path in distinguished name format to the container where EOS groups will be searched. This is an optional command.
ldap basegroup [basegroup]
LinkLB-enable:system [single] #ldap basegroup ou=eos_groups,ou=support,ou=it,dc=mydomain,dc=com
Set the path in distinguished name format to the container where EOS users will be searched. This is an optional command.
ldap baseuser [baseuser]
LinkLB-enable:system [single] #ldap baseuser ou=eos_users,ou=support,ou=it,dc=mydomain,dc=com
Set the encryption mechanism to communicate with the server. This is an optional command. If no encryption is specified, tls is used by default.
ldap encryption [encryption]
LinkLB-enable:system [single] #ldap encryption ssl
LinkLB-enable:system [single] #ldap encryption tls
LinkLB-enable:system [single] #ldap encryption none
Activates LDAP authentication.
ldap enable
Deactivates LDAP authentication.
ldap disable
Display LDAP configuration.
sh ldap server
Set the addresses of the Active Directory servers.
ad server [ipserver1[,ipserver2]]
LinkLB-enable:system [single] #ad server 10.0.30.252,10.0.30.253
Set the port number of the Active Directory server. This command is optional; if no port is specified and SSL encryption is selected, port 636 is used. Otherwise, port 389 is used.
ad port [number]
LinkLB-enable:system [single] #ad port 389
Set the LDAP binding user in canonical name format. The binding user should have read access to baseuser and basegroup in the Active Directory scheme.
ad user [user]
LinkLB-enable:system [single] #ad user [email protected]
Set the password of the binding user.
ad secret [password]
LinkLB-enable:system [single] #ad password 1234
Set the path in canonical name format to the container where EOS groups will be searched. This is an optional command.
ad basegroup [basegroup]
LinkLB-enable:system [single] #ad basegroup it/support/eos_groups
Set the path in distinguished name format to the container where EOS users will be searched. This is an optional command.
ad baseuser [baseuser]
LinkLB-enable:system [single] #ad baseuser it/support/eos_users
Set the encryption mechanism to communicate with the server. This is an optional command. If no encryption is specified, tls is used by default.
ad encryption [encryption]
LinkLB-enable:system [single] #ad encryption ssl
LinkLB-enable:system [single] #ad encryption tls
LinkLB-enable:system [single] #ad encryption none
Activates Active Directory authentication.
ad enable
Deactivates Active Directory authentication.
ad disable
Display Active Directory configuration.