LDAP authentication can be provided by either a Windows Active Directory server or a server running OpenLDAP. Perform the following procedures for configuring group authorization when a Windows Active Directory server is used for LDAP authentication.
1. On the server, install the tools from the Windows Administration Pack. The tools are found on the Windows server installation CD.
2.
3.
4. Click Console in the console window menu bar and select Add/Remove Snap-in.... The Add/Remove Snap-in window appears.
5. Click Add. The Add Standalone Snap-ins window appears.
6.
7.
8. Click Close.
9. Click OK in the Add/Remove Snap-in... window.
1. In the server’s console window, double click Active Directory Schema. The paths Classes and Attributes appear.
2. Double click Attributes and confirm that the info attribute is present.
3.
4.
5.
1. In the server’s console window, double click ADSI Edit.
2. From the menu, select Action-Connect to.... The Connection window appears. The path Domain NC<domain>.com appears.
4.
5. Double click DC=xxx,DC=xxx,DC=com.
6. Double click CN=Users. The expanded users list appears.
7. Right-click on the name of a user and select Properties. The CN=<username> Properties window appears.
9. In the Edit Attribute field, enter a group or groups in the form group_name=<Group1> [,<Group2,...,GroupN>]; then click OK.
NOTE: To configure the user as an administrative user on the OnBoard appliance, add the admin group name to the definition.
The info attribute must be added to the LDAP definition on the authentication server and users must be assigned groups using the info attribute.
1. objectclass (1.3.6.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY DESC 'Abstraction of an account with POSIX attributes' MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description $ info) )
NOTE: The slapd.conf file is normally located in: [Redhat] /etc/openldap or [bsd] /usr/local/etc/openldap.
5. Use the ldapadd command or the ldapmodify command, assigning groups using the info attribute. For each user, assign any desired groups in an info definition using the following syntax.
NOTE: To give a user administrative access to the OnBoard appliance, add the admin group name to the above definition.
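The following is an added example, not part of the OnBoard manual or the appliance's own tooling: it builds the LDIF that assigns OnBoard groups to an existing OpenLDAP user through the info attribute (in the group_name=<Group1>,<Group2> form given above) and checks whether a stored info value grants the admin group. The user DN, bind DN and group names are constructed; the ldapmodify call assumes a reachable server.

```shell
#!/bin/sh
# Added example (not from the OnBoard manual). Assumed values: the user DN
# uid=jdoe,ou=People,dc=example,dc=com, the bind DN cn=Manager,dc=example,dc=com
# and the group names are all constructed for illustration.

# info_ldif USER_DN GROUP... -> prints a "changetype: modify" LDIF that sets
# the user's info attribute to group_name=<Group1>,<Group2>,...
# "replace" is used so the entry gets the attribute whether or not it
# already had one, which keeps the operation idempotent.
info_ldif() {
    user_dn=$1; shift
    [ $# -ge 1 ] || { echo "info_ldif: at least one group required" >&2; return 1; }
    glist=$(printf '%s,' "$@"); glist=${glist%,}   # join groups with commas
    printf 'dn: %s\nchangetype: modify\nreplace: info\ninfo: group_name=%s\n' \
        "$user_dn" "$glist"
}

# grants_admin INFO_VALUE -> returns 0 when an info value such as
# "group_name=operators, admin" lists the admin group, i.e. the user would
# get administrative access to the appliance; 1 otherwise. Useful for
# auditing ldapsearch output for unexpected admin assignments.
grants_admin() {
    glist=${1#group_name=}
    [ "$glist" != "$1" ] || return 1      # not a group_name definition at all
    old_ifs=$IFS; IFS=', '                # split on commas, tolerate spaces
    for g in $glist; do
        if [ "$g" = admin ]; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# Usage (the ldapmodify step needs a reachable OpenLDAP server):
#   info_ldif 'uid=jdoe,ou=People,dc=example,dc=com' operators admin > jdoe.ldif
#   ldapmodify -x -D 'cn=Manager,dc=example,dc=com' -W -f jdoe.ldif
```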