Commands for LDAP

5.1 authentication line

Command: authentication line {console | vty | web} login {local | radius | tacacs | ldap}
no authentication line {console | vty | web} login
Function: This command configures the verification methods, and their priority order, for user login through VTY (Telnet and SSH), Web and Console. Console, VTY and Web each get their own list of login verification methods, which can be any combination of local, RADIUS, TACACS and LDAP. The no command restores the default configuration.
Parameters:

  • console, vty, and web: the channel through which the user logs in to the AC: Console, VTY (Telnet and SSH) or Web.
  • local, radius, tacacs and ldap: the verification methods for the login.

Command mode: Global Mode
Default: No verification for Console and the local verification for VTY and Web.
Usage guide: When a combination of verification methods is configured, the first method has the highest priority and the remaining methods follow in descending order. If a higher-priority method passes, the user is logged in and the following methods are ignored.
Note: The methods are tried in priority order. As soon as one method passes, no further method is tried; if a method fails, the next method in descending priority order is tried, and so on until one passes or all have failed. When LDAP authentication is used, the LDAP server must be configured. If local verification is configured for the Console, the Console can still be used to log on to the AC directly when no local users are configured.
Example: Configure the LDAP method for VTY login authentication.

active500EM(config)#authentication line vty login ldap

 

5.2 debug ldap error

Command: debug ldap error
no debug ldap error
Function: Print error information from the LDAP module, including the position of the error and the relevant parameters.
Parameters: None.
Command mode: Admin Mode
Default: Do not print.
Usage guide: If an error occurs in the LDAP module, the program prints the position of the error in the code and the relevant information.
Example: Enable LDAP error printing.

active500EM#debug ldap error

 

5.3 debug ldap packet

Command: debug ldap packet {send | receive | all}
no debug ldap packet {send | receive | all}
Function: Enable debugging of the packets the LDAP module sends and receives; print the sent packets, the received packets, or both directions of the communication between the AC and the LDAP server. The no command disables the debugging.
Parameters:

  • send: print the packets the AC sends to the LDAP server.
  • receive: print the packets the AC receives from the LDAP server.
  • all: print the packets in both directions.

Command mode: Admin Mode
Default: Disabled.
Usage guide: With send debugging enabled, the AC prints the data packets it sends to the LDAP server. With receive debugging enabled, the AC prints the data packets it receives from the LDAP server. With all enabled, the AC prints the data packets in both directions of the communication with the LDAP server.
Example: Enable debugging of all LDAP packets.

active500EM#debug ldap packet all

 

5.4 debug ldap trace

Command: debug ldap trace
no debug ldap trace
Function: Enable code trace debugging of the LDAP module. This debug mainly prints the code path the LDAP module follows, such as the branch taken and the current position.
Parameters: None.
Command mode: Admin Mode
Default: Do not print.
Usage guide: Print the code trace.
Example: Enable code trace debug of the LDAP module.

active500EM#debug ldap trace

 

5.5 ldap-server <server-index>

Command: ldap-server <server-index>
no ldap-server <server-index>
Function: Configure the LDAP server used when portal users authenticate with LDAP. The no command deletes this configuration. The authentication request of a portal user is sent to the configured LDAP servers one after another until an LDAP server returns a definite authentication result (accepted or rejected).
Parameters:

  • <server-index>: the index of the server instance; the range is 1 to 8.

Command mode: Captive Portal Instance Mode
Default: All configured LDAP servers are used for authentication.
Usage guide: When portal users authenticate with LDAP, this server is used for the user lookup. Each portal instance can bind to only one LDAP server. If the portal instance is already bound to an LDAP authentication server, this command replaces the LDAP server bound to the portal instance.
Example: Configure LDAP server 1 as the LDAP authentication server of captive portal instance 1.

active500EM(config)#captive-portal
active500EM(config-cp)#configuration 1
active500EM(config-cp-instance)#ldap server 1

 

5.6 ldap server authentication-method

Command: ldap server <server-index> authentication-method {anonymous | authenticated username <username> password <password>}
Function: This command configures the bind (authentication) method of an LDAP server instance, together with the username and password when simple authentication is used.
Parameters:

  • <server-index>: the LDAP server instance index; range is 1 to 8. The system supports at most 8 LDAP server instances.
  • anonymous: anonymous authentication (anonymous bind).
  • authenticated: simple authentication (simple bind).
  • <username>: administrator DN on the LDAP server; the length is no more than 64 characters.
  • <password>: administrator password; the length is no more than 32 characters. The AC uses these two parameters to perform a simple bind to the LDAP server so that it is permitted to search under the Base DN.

Command mode: Global Mode
Default: Anonymous authentication.
Usage guide: This command configures the authentication method of the LDAP server instance. If the server instance does not exist, an error prompt is shown; otherwise the authentication method of the server instance is configured. If the server instance is in the dead state, modifying its authentication method changes its state from dead to not dead.
Example: Configure the authentication method of LDAP server 1 as simple authentication with username root and password 123456.

active500EM(config)#ldap server 1 authentication-method authenticated username root password 123456

 

5.7 ldap server ipv4-address

Command: ldap server <server-index> ipv4-address <ipv4-address> {port <port-num>|} user-base-dn <base-dn> user-attr <user-attr> {user-type <user-type>|}
no ldap server <server-index>
Function: This command is used to create an LDAP server instance. The no command deletes it.
Parameters:

  • <server-index>: server instance index; range is 1 to 8. The system supports at most 8 LDAP server instances.
  • <ipv4-address>: a valid server IP address in dotted-decimal notation.
  • <port-num>: server port number; range is 0 to 65535. It must match the LDAP service port on the server; the default is 389. The IP address and port together let the AC establish the connection to the LDAP server.
  • <base-dn>: the starting point of the search; all subtrees under base-dn are searched. The length of <base-dn> is no more than 64 characters.
  • <user-attr>: the attribute that holds the authenticating user's name.
  • <user-type>: the type (object class) that the authenticating user belongs to.
  • The DN of the authenticating user is looked up by username using <user-attr> and <user-type>; each is no more than 32 characters.

Command mode: Global Mode
Default: None.
Usage guide: If the server instance does not exist, this command creates an LDAP server instance. It configures or modifies the parameters of an LDAP server instance: the server address, port, Base DN, user attribute and user type. If the server instance already exists, its configuration is modified. Modifying the IP address or port of a server instance that is dead changes its state from dead to not dead. After the server instance is modified successfully, all authentication requests use the new configuration.
Example: Create LDAP server instance 1 with IP address 192.168.1.50, port 389, user-base-dn dc=internet dc=com, user-attr uid and user-type class.

active500EM(config)#ldap server 1 ipv4-address 192.168.1.50 port 389 user-base-dn dc=internet dc=com user-attr uid user-type class

 

5.8 ldap server search-filter

Command: ldap server <server-index> search-filter <search-filter>
no ldap server <server-index> search-filter
Function: This command configures an additional filter condition used when querying an LDAP server instance. The no command deletes the condition of the specified LDAP server instance.
Parameters:

  • <server-index>: LDAP server instance index; range is 1 to 8. System supports 8 LDAP server instances max.
  • <search-filter>: the filter condition, at most 64 characters. It is combined with the existing query condition using "&" (logical AND). The condition itself may use the logical operators &, | and !, as in the following forms:
    • inetUserStatus=Active: a single condition.
    • !(inetUserStatus=Active): a condition negated with "!".
    • &(inetUserStatus=Active)(qq=123456): two conditions combined with "&".
    • |(inetUserStatus=Active)(qq=123456): two conditions combined with "|".
    • &(&(property=value)(property=value))(|(property=value)(property=value)): nested "&", "|" and "!" combinations.

Command mode: Global Mode
Default: None.
Usage guide: Configure the filter condition. When the LDAP client sends a query to the LDAP server, it carries this filter condition. The configuration fails if server-index is outside 1 to 8, if the server instance has not been created, or if the search-filter exceeds the maximum length of 64 characters.
Example: Configure the user filter condition for LDAP server 1 as (inetUserStatus=Active) and (qq=123456).

active500EM(config)#ldap server 1 search-filter &(inetUserStatus=Active) (qq=123456)
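The following Python example is added here and is not part of the manual or the AC firmware. It models how the items configured in 5.6, 5.7 and 5.8 are assumed to come together in one LDAP search under user-base-dn: the user-attr match for the portal username, the user-type as objectClass, and the search-filter, AND-ed together as 5.8 describes. It also checks a search-filter against the manual's 64-character and syntax rules and escapes the portal username (RFC 4515) so that a name typed into the portal form cannot change the meaning of the filter; the AND combination and the objectClass mapping of user-type are assumptions drawn from the descriptions above.

```python
import re

MAX_FILTER_LEN = 64  # manual: search-filter supports at most 64 characters

# RFC 4515 escapes for values embedded in a filter. The portal username comes
# from a login form, so it must be escaped before it is spliced into the query.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def validate_search_filter(extra: str) -> bool:
    """Apply the manual's rules to a search-filter argument: at most 64
    characters, balanced parentheses, and either a bare attr=value
    or an expression led by &, | or ! (for example &(a=b)(c=d))."""
    if not extra or len(extra) > MAX_FILTER_LEN:
        return False
    depth = 0
    for ch in extra:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:  # a ')' before its '('
            return False
    if depth != 0:
        return False
    return re.fullmatch(r"[&|!]\(.*\)|[A-Za-z][\w.-]*=[^()]+", extra) is not None


def build_user_filter(user_attr, username, user_type=None, extra=None):
    """Assumed query the AC sends under user-base-dn to find the user's DN:
    (user-attr=username), the user-type as objectClass and the extra
    search-filter, all AND-ed together (the '&' combination from 5.8)."""
    if extra is not None and not validate_search_filter(extra):
        raise ValueError("search-filter rejected: " + repr(extra))
    parts = [f"({user_attr}={escape_filter_value(username)})"]
    if user_type:
        parts.append(f"(objectClass={user_type})")
    if extra:
        # the manual writes filters without the outer parentheses, e.g.
        # &(a=b)(c=d); add them so the combined filter is well-formed
        parts.append(f"({extra})")
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"


if __name__ == "__main__":
    # constructed sample using the values from the 5.7 and 5.8 examples
    print(build_user_filter("uid", "alice", "class",
                            "&(inetUserStatus=Active)(qq=123456)"))
```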

 

5.9 ldap server timeout

Command: ldap server timeout <1~1000>
no ldap server timeout
Function: Configure the timeout of the LDAP server response.
Parameters:

  • <1-1000>: timeout of the LDAP server response; unit is seconds.

Command mode: Global Mode
Default: 3s.
Usage guide: This command is used to configure the timeout of the LDAP server response. When the AC sends a message to the LDAP server, and the response is not received in this identified time, the message is seen as having failed.
Example: Configure the timeout of the LDAP server response as 10s.

active500EM(config)#ldap server timeout 10

 

5.10 no debug ldap all

Command: no debug ldap all
Function: Disable all debug of the LDAP module.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: None.
Example: Disable all debug of the LDAP module.

active500EM#no debug ldap all

 

5.11 show ldap server status

Command: show ldap server status
Function: Display the relevant overview information of the current configured LDAP server.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: Shows the total number of configured servers and the timeout status.
Example: Shows the relevant information of the current configured LDAP server.

active500EM#show ldap server status
index   ipv4-address      port    authentication-method
------- ----------------- ------- ---------------------
1       192.168.1.20      389     anonymous
2       192.168.1.30      389     authenticated
3       192.168.1.40      389     anonymous
4       192.168.1.50      389     authenticated
Config 4 ldap servers.
Server timeout is 3 second.
Parameters Explanation:

  • index: LDAP server instance index (1~8).
  • ipv4-address: LDAP server IP address.
  • port: LDAP server port.
  • authentication-method: authentication method of the LDAP server.

 

5.12 show ldap server <server-index> status

Command: show ldap server <server-index> status
Function: Displays the relevant detailed information of a specified configured LDAP server.
Parameters:

  • <server-index>: LDAP server index; range <1-8>.

Command mode: Admin Mode
Default: None.
Usage guide: Displays the detailed information of a specified LDAP server with server index range of 1 – 8.
Example: Display the format of the LDAP server instance with simple binding:

active500EM#show ldap server 1 status
index.......................................... 1
ipv4-address................................... 192.168.1.10
port........................................... 389
user-base-dn................................... dc=icc;dc=com
user-attr...................................... cn
user-type...................................... organizationalPerson
authentication-method.......................... authenticated
username....................................... ricky
password....................................... 123456
search-filter.................................. inetUserStatus=Active

Display the format of the LDAP server instance with anonymous binding:

active500EM#show ldap server 2 status
index.......................................... 2
ipv4-address................................... 192.168.1.20
port........................................... 389
user-base-dn................................... dc=icc;dc=com
user-attr...................................... cn
user-type...................................... organizationalPerson
authentication-method.......................... anonymous
search-filter.................................. inetUserStatus=Active
Parameters Explanation:

  • index: LDAP server instance index (1~8).
  • ipv4-address: LDAP server IP address.
  • port: LDAP server port.
  • user-base-dn: the users' base DN searched on the LDAP server.
  • user-attr: the attribute that users on the LDAP server belong to.
  • user-type: the type that users on the LDAP server belong to (object class).
  • authentication-method: binding method of the LDAP server.
  • username: administrator DN of the simple binding. This field is not shown for anonymous binding.
  • password: administrator password of the simple binding, displayed in clear text as in the output above. This field is not shown for anonymous binding.
  • search-filter: the additional filter condition configured for the user query.

 

5.13 verification

Command: verification {ldap | radius}
Function: Configure the authentication method used for portal users; it can be LDAP or RADIUS.
Parameters:

  • ldap: the user verification method of the portal user is LDAP.
  • radius: the user verification method of the portal user is radius.

Command mode: Captive Portal Instance Mode
Default: Radius.
Usage guide: Set the verification method for portal users. If it is radius, the username and password are authenticated on the RADIUS server. If it is LDAP, the user password is authenticated on the LDAP server.
Example: Configure captive portal instance 1 to use LDAP authentication.

active500EM(config)#captive-portal
active500EM(config-cp)#configuration 1
active500EM(config-cp-instance)#verification ldap