Lightweight Directory Access Protocol

This chapter describes how an ACOS device can use Lightweight Directory Access Protocol (LDAP), an AAA protocol, to authenticate administrators and authorize management access based on the account information on external LDAP servers.

You can use one of the following types of LDAP servers:

     OpenLDAP

     Microsoft Active Directory (AD)

Configuring LDAP for ACOS Administrators

To configure LDAP authentication and authorization for ACOS administrators:

1.     To enable LDAP authentication, enter the following command:

ACOS(config)# authentication type ldap local

 

2.     To add the LDAP server(s) to the ACOS configuration, enter the ldap-server host command. For example:

ACOS(config)# ldap-server host 192.168.4.0 cn cn dn example-dn-string port 638 ssl timeout 5

 

The following list provides additional information on the options:

     If you do not use SSL, the default port is 389. If you use SSL, the default port is 636.

     The default timeout value is 3.

3.     Prepare the LDAP server.

For more information, see one of the following sections:

     Configuring an OpenLDAP Server

     Configuring Microsoft Active Directory

4.     Test the configuration by using an ACOS administrator account to log in to the LDAP server.

Configuring an LDAP Server

You can configure an LDAP server by using the GUI or the CLI.

Configuring an LDAP Server by Using the GUI

To configure an LDAP server on the ACOS device:

1.     Navigate to the System >> Admin >> Users page.

2.     Click External Authentication and select LDAP from the drop-down list.

3.     Click Create.

4.     Select one of the following LDAP types:

     Name

     IPv4

     IPv6

5.     Complete one of following tasks:

If you selected Name, complete the following steps:

a.     Enter a name.

b.     Enter a common name.

c.     Enter a distinguished name.

Do not use quotation marks for the distinguished names. For example:

     The DN string cn=xxx3,dc=mACOScrc,dc=com is valid.

     The string “cn=xxx3,dc=mACOScrc,dc=com” is not valid.

To use nested OUs, specify the nested OU first, then the root.

d.     Enter a port.

e.     Enter a timeout value.

The Timeout field displays the maximum number of seconds that the ACOS device waits for a reply from the LDAP server for a given request. You can specify 1-60 seconds. If the LDAP server does not reply before the timeout, authentication of the admin fails.

f.       Determine whether you want to enable or disable SSL.

g.     Click Create.

If you selected IPv4, complete the following steps:

a.     Enter a host IP address.

b.     Enter a common name.

c.     Enter a distinguished name.

d.     Enter a port.

e.     Enter a timeout value.

The Timeout field displays the maximum number of seconds that the ACOS device waits for a reply from the LDAP server for a given request. You can specify 1-60 seconds. If the LDAP server does not reply before the timeout, authentication of the admin fails.

f.       Determine whether you want to enable or disable SSL.

g.     Click Create.

If you selected IPv6, complete the following steps:

a.     Enter a host IPv6 IP address.

b.     Enter a common name.

c.     Enter a distinguished name.

d.     Enter a port.

e.     Enter a timeout value.

Use the Timeout field to configure the maximum number of seconds the ACOS device waits for a reply from the LDAP server for a given request. You can specify 1-60 seconds. If the LDAP server does not reply before the timeout, authentication of the admin fails.

f.       Determine whether you want to enable or disable SSL.

g.     Click Create.

 

Configuring an LDAP Server by Using the CLI

To enable LDAP authentication, enter the following command at the global configuration level of the CLI:

ACOS(config)# authentication type ldap

     To use backup methods, specify the methods in the order in which you want to use them. For more information, see Multiple Authentication Methods and Tiered Authentication.

For example:

ACOS(config)# authentication type ldap local radius tacplus

     To configure an LDAP server on the ACOS device, use the ldap-server host command at the global configuration level of the CLI:

ACOS(config)# ldap-server host 192.168.101.24 cn UserName dn cn=UserName,dc=UserAccount,dc=example,dc=com

Do not use quotation marks for the dn option. For example, the following DN string syntax is valid:

cn=xxx3,dc=mACOScrc,dc=com

The following string is not valid:

“cn=xxx3,dc=mACOScrc,dc=com”

Spaces are not allowed in the dn specification.

     To configure the ACOS device and provide LDAP AAA for UserAccUser1, enter a command like the following:

ACOS(config)# ldap-server host ldapserver.ad.example.edu cn ExampleUser dn ou=StaffElevatedAccounts,ou=ServiceAccounts,dc=ad,dc=example,dc=edu

To use nested OUs, specify the nested OU first, then the root. For example, a user account could be nested in the following way:

Root OU= Service Accounts -> OU=StaffElevatedAccounts -> UserAccUser1
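As an added example (not A10's code or part of this manual), the following Python applies the rules stated above for the dn option: it rejects quotation marks and spaces, checks that nested OUs precede the domain components, and builds the dn string from an OU path written root-first, as in the notation above. The accepted attribute types (cn, ou, dc) and the function names are my own choices.

```python
import re

# One RDN of the form attr=value, limited to the attribute types this chapter uses.
RDN_RE = re.compile(r"^(cn|ou|dc)=[^,=]+$", re.IGNORECASE)
QUOTE_CHARS = ('"', "'", "\u201c", "\u201d")   # straight and curly quotation marks


def validate_dn(dn: str) -> list:
    """Return the list of rule violations; an empty list means the string can
    be used as the dn option exactly as written."""
    problems = []
    if any(q in dn for q in QUOTE_CHARS):
        problems.append("quotation marks are not allowed in the dn option")
    if " " in dn:
        problems.append("spaces are not allowed in the dn specification")
    if problems:
        return problems
    seen_dc = False
    for rdn in dn.split(","):
        if not RDN_RE.match(rdn):
            problems.append(f"malformed RDN: {rdn!r}")
            continue
        attr = rdn.split("=", 1)[0].lower()
        if attr == "dc":
            seen_dc = True
        elif seen_dc:
            # The most nested OU comes first and the domain last, so an ou= or
            # cn= component after a dc= component means the order was reversed.
            problems.append(f"{rdn!r} follows a dc= component: list nested OUs first, then the root")
    return problems


def dn_from_ou_path(ous_root_to_leaf: list, domain: str) -> str:
    """Build the dn option from an OU path written root-first (the order of the
    'Root OU -> nested OU' notation above) and the DNS domain name, e.g.
    (["ServiceAccounts", "StaffElevatedAccounts"], "ad.example.edu") gives
    ou=StaffElevatedAccounts,ou=ServiceAccounts,dc=ad,dc=example,dc=edu"""
    ou_part = ",".join(f"ou={ou}" for ou in reversed(ous_root_to_leaf))
    dc_part = ",".join(f"dc={label}" for label in domain.split("."))
    dn = f"{ou_part},{dc_part}" if ou_part else dc_part
    problems = validate_dn(dn)
    if problems:
        raise ValueError("; ".join(problems))
    return dn
```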

 

For more information about these commands, see the Command Line Interface Reference.

Configuring an OpenLDAP Server

When an administrator logs in to the ACOS device via LDAP, the ACOS device needs to send LDAP packets to the LDAP server (for example, OpenLDAP or Windows AD). OpenLDAP can be installed on Windows or Linux.

To configure an OpenLDAP server and provide authentication and authorization for ACOS administrators:

1.     Add the A10 schema file by copying the file and pasting it in the following location:

openldap_install_directory\schema

For example, on your server, the location might be C:\Program Files\OpenLDAP\schema.

For more information, see A10 Schema File for OpenLDAP.

2.     Add the administrator accounts.

For more information, see A10 Administrator Account Files for LDAP.

3.     Restart the LDAP service.

A10 Schema File for OpenLDAP

The following text is an example of the schema file that is required on the OpenLDAP server to provide authentication and authorization to ACOS administrators:

 

# All A10 LDAP OIDs are placed under 1.3.6.1.4.1.22610.300.
# All attribute types start from 1.3.6.1.4.1.22610.300.1.
# All object classes start from 1.3.6.1.4.1.22610.300.2.
# Syntax 1.3.6.1.4.1.1466.115.121.1.15 is the standard Directory String syntax.

attributetype ( 1.3.6.1.4.1.22610.300.1.1
   NAME 'A10AdminRole'
   DESC 'admin Role'
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.22610.300.1.2
   NAME 'A10AdminPartition'
   DESC 'admin Partition'
   EQUALITY caseIgnoreMatch
   SUBSTR caseIgnoreSubstringsMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 1.3.6.1.4.1.22610.300.1.3
   NAME 'A10AccessType'
   DESC 'admin Access Type'
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.22610.300.2.1
   NAME 'A10Admin' SUP top AUXILIARY
   DESC 'A10 Admin object class'
   MAY ( A10AdminRole $ A10AdminPartition $ A10AccessType ) )

 

The LDAP schema file for ACOS administrator authentication and authorization contains the following items:

     A10Admin – This is the object class for A10 Networks, and can contain one or more of the following attribute types. You can specify the values to assign to these attributes in the definition file for the administrator. (See A10 Administrator Account Files for LDAP.)

     A10AdminRole – This attribute type specifies the administrator’s role, which defines the scope of read-write operations the administrator is allowed to perform on the ACOS device. The ACOS device has the following predefined roles:

     ReadOnlyAdmin

     ReadWriteAdmin

     PartitionSlbServiceOperator

     PartitionReadOnly

     PartitionReadWrite

To specify one of these roles in the definition file for the administrator account, use the role name as the attribute value. For example:

A10AdminRole: ReadWriteAdmin

 

If you do not use this attribute in the definition file for the administrator account, the ReadOnlyAdmin role is assigned to the administrator.

     A10AdminPartition – This attribute type specifies the ACOS partition the administrator is authorized to log onto.

     For the shared partition, enter “shared”. For example:

A10AdminPartition: shared

     For an L3V partition, enter the partition name. For example:

A10AdminPartition: privpart1

If you do not use this attribute in the definition file for the administrator account, the administrator is allowed to log into the shared partition.

     A10AccessType – This attribute type specifies the user interface(s) the administrator is authorized to use. You can specify one or more of the following:

     cli – CLI

     web – GUI

     axapi – aXAPI

If you do not use this attribute in the definition file for the administrator account, the admin is allowed to log in through any of these interfaces.

A10 Administrator Account Files for LDAP

Administrator accounts managed by an LDAP server are stored in files on the server.

The following text is an example of how to create an LDAP user:

dn: cn=user1,dc=my-domain,dc=com
cn: user1
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: A10Admin
userPassword: 123456
sn: sn
ou: guest
A10AdminRole: ReadWriteAdmin

 

This file configures admin “user1”. The objectClass value A10Admin and the A10AdminRole attribute are specific to A10 Networks and are defined in the schema file, which also must be added to the LDAP server.

In this example, the A10AdminPartition and A10AccessType attributes are omitted. The default values are used. (See A10 Schema File for OpenLDAP.)
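The following Python is an added example, not A10 or OpenLDAP code: it reads an entry like the one above, applies the defaults this chapter documents when A10AdminRole, A10AdminPartition or A10AccessType is absent, and flags values ACOS does not define. The sample entry and the handling of space-separated access types within a single value are my assumptions.

```python
# Values this chapter defines for the A10Admin attribute types.
PREDEFINED_ROLES = {"ReadOnlyAdmin", "ReadWriteAdmin", "PartitionSlbServiceOperator",
                    "PartitionReadOnly", "PartitionReadWrite"}
ACCESS_TYPES = {"cli", "web", "axapi"}

# Constructed sample entry (not from the manual), modelled on the user1 entry
# above but with the optional partition and access-type attributes set.
SAMPLE_LDIF = """\
dn: cn=user2,dc=my-domain,dc=com
cn: user2
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: A10Admin
sn: sn
A10AdminRole: PartitionReadWrite
A10AdminPartition: privpart1
A10AccessType: web
A10AccessType: axapi
"""


def parse_ldif_entry(text: str) -> dict:
    """Minimal LDIF reader for one entry: 'attr: value' lines, attribute
    names folded to lower case (case-insensitive in LDAP), repeated
    attributes collected into a list."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def resolve_authorization(entry: dict) -> dict:
    """Apply the defaults documented above and flag values ACOS does not define."""
    warnings = []
    if "a10admin" not in (c.lower() for c in entry.get("objectclass", [])):
        warnings.append("objectClass A10Admin missing: A10 attributes not allowed on this entry")
    roles = entry.get("a10adminrole", [])
    role = roles[0] if roles else "ReadOnlyAdmin"          # default when absent
    if role not in PREDEFINED_ROLES:
        warnings.append(f"unknown A10AdminRole {role!r}")
    partitions = entry.get("a10adminpartition", [])
    partition = partitions[0] if partitions else "shared"  # default when absent
    # Assumption: interfaces may be given as repeated attribute values or as one
    # value holding several space-separated tokens; both forms are accepted.
    access = {t.lower() for v in entry.get("a10accesstype", []) for t in v.split()}
    unknown = access - ACCESS_TYPES
    if unknown:
        warnings.append(f"unknown A10AccessType value(s): {sorted(unknown)}")
    return {"role": role, "partition": partition,
            "access_types": access or set(ACCESS_TYPES), "warnings": warnings}


def may_log_in(authz: dict, interface: str) -> bool:
    """The interface check behind 'The user access interface is not authenticated'."""
    return interface.lower() in authz["access_types"]
```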

Configuring Microsoft Active Directory

You can configure Microsoft Active Directory for LDAP authentication and authorization of ACOS administrators. When the user logs into the ACOS device, the device sends the user name and password to Active Directory to validate the credentials.

NOTE: The information in this section is based on Windows Server 2008.

Summary:

1.     Install Active Directory on your Windows server.

For more information, see http://technet.microsoft.com/en-us/library/jj574166.aspx.

2.     Configure the administrator accounts.

For more information, see Configure ACOS Administrator Accounts.

3.     Add a user name and password to Active Directory.

For more information, see http://technet.microsoft.com/en-us/library/dd894463(v=WS.10).aspx.

4.     (Optional) Add the A10 LDAP attribute types to the server. See Adding A10 LDAP Attribute Types.

NOTE: If you plan to use the default settings for all the A10 attributes, you can skip this step.

Configure ACOS Administrator Accounts

This section describes how to configure an administrator account.

     Creating a Read-Only Administrator

     Testing the Read-Only Administrator Account

     Configuring a Read-Write Administrator

     Testing the Read-Write Administrator Account

Creating a Read-Only Administrator

To create an administrator with the ReadOnlyAdmin role:

1.     Go to the Active Directory Users and Computers.

2.     Click File > New.

3.     Complete the following steps in the New Object - User window:

a.     Enter a first name.

b.     Enter a last name.

c.     Enter a full name.

d.     Enter a user logon name.

e.     Select the domain.

f.       If applicable, enter the pre-Windows 2000 logon name.

g.     Click Next.

4.     Select User Account in the left pane to see the user that you just created displayed in the right pane.

FIGURE 6 Creating a Read-Only Administrator

Testing the Read-Only Administrator Account

Here is the LDAP server configuration on the ACOS device:

ldap-server host 192.168.101.24 cn cn dn ou=UserAccount,dc=example,dc=com
!
authentication type ldap
!

Here is an example of the session login by the read-only admin. Access to the configuration level by this admin is not allowed.

[root@Linux-PC-148 ~]#ssh -l test 192.168.100.46
Password:
Last login: Thu Jun 21 13:05:51 2012 from 192.168.100.148

ACOS system is ready now.

[type ? for help]

ACOS>
ACOS>enable
Password: <blank>
ACOS#show admin session
 Id    User Name   Start Time                    Source IP        Type Partition Authen  Role            Cfg  
------------------------------------------------------------------------------------------
*99    test        13:08:10 CST Thu Jun 21 2012  192.168.100.148  CLI            Ldap    ReadOnlyAdmin   No
ACOS#config
         ^
% Unrecognized command.Invalid input detected at '^' marker.

ACOS#

Configuring a Read-Write Administrator

In this example, the ou attribute is set to operator.

To configure a read-write administrator with a ReadWriteAdmin role:

1.     Go to Active Directory Users and Computers.

2.     Right-click User Account, and in the right-pane, select a user name.

3.     Right-click on the user name and select Properties.

4.     On the Attribute Editor tab, click ou, and click Edit.

5.     In the Multi-value String Editor, in Value to add, enter Operator.

6.     Click OK.

FIGURE 7 Multi-valued String Editor

Testing the Read-Write Administrator Account

Here is the LDAP server configuration on the ACOS device:

ldap-server host 192.168.101.24 cn cn dn ou=UserAccount,dc=example,dc=com
!
authentication type ldap
!

Here is an example of the session login by the read-write administrator:

NOTE: This administrator is allowed to access the configuration level.

[root@Linux-PC-148 ~]#ssh -l test 192.168.100.46
Password:
Last login: Thu Jun 21 13:08:10 2012 from 192.168.100.148

ACOS system is ready now.

[type ? for help]

ACOS>enable
Password: <blank>
ACOS#show admin session
 Id    User Name   Start Time                    Source IP        Type Partition Authen  Role            Cfg  
------------------------------------------------------------------------------------------
*101   test        13:22:16 CST Thu Jun 21 2012  192.168.100.148  CLI            Ldap    ReadWriteAdmin  No   
ACOS# config
ACOS(config)#

A10 LDAP Object Class and Attribute Types

You can add A10 LDAP attribute types to the server.

NOTE: If you plan to use the default settings for all the A10 attributes, you can skip the rest of this section.

CAUTION: Add the attributes carefully. Once they are added, they cannot be changed or deleted.

The LDAP object class for A10 Networks is A10Admin, and can contain one or more of the following attribute types. You can specify the values to assign to these attributes in the definition file for the admin.

     A10AdminRole

This attribute type specifies the administrator’s role, which defines the scope of read-write operations that the administrator is allowed to perform on the ACOS device.

The following predefined roles are included on the ACOS device:

     ReadOnlyAdmin

     ReadWriteAdmin

     PartitionReadWrite

     PartitionSlbServiceOperator

     PartitionReadOnly

Adding A10 LDAP Attribute Types

To specify one of these roles in the definition file for the administrator account, enter the role name as the attribute value.

For example, A10AdminRole: ReadWriteAdmin

If you do not use this attribute in the definition file for the administrator account, the ReadOnlyAdmin role is assigned to the administrator.

     A10AdminPartition specifies the ACOS partition that the administrator is authorized to access.

     For the shared partition, enter “shared”.

For example, A10AdminPartition: shared

     For an L3V partition, enter the partition name.

For example, A10AdminPartition: privpart1

If you do not use this attribute in the definition file for the administrator account, the administrator can log in to the shared partition.

     A10AccessType specifies the user interface(s) that the administrator is authorized to use.

You can specify one or more of the following interfaces:

     cli 

     web

     axapi

If you do not use this attribute in the definition file for the administrator account, the administrator can log in through any of these interfaces.

Adding the Attribute Type by Using the GUI

In Windows, to add the attribute type:

1.     Click Start > All Programs > Accessories > Run.

2.     To start Microsoft Management Console, enter mmc.

3.     In the console, click File > Add/Remove Snap-In.

4.     In Add or Remove Snap-ins, select Active Directory Schema in the left pane and click Add.

5.     Click OK.

6.     In the Console, right-click the Attributes folder, and click New > Attribute.

FIGURE 8 Attribute Add Schema

7.     In Create New Attribute, complete the fields, and click OK.

FIGURE 9 Creating a New Attribute

8.     In Console, right-click Classes, and click New > Class.

9.     Enter the appropriate information in the Identification and Inheritance and Type sections and click Next.

FIGURE 10 Creating a New Class

10.  Enter the appropriate information in the Mandatory and Optional sections and click Finish.


 

Adding “a10Admin” to the objectClass

Figure 11 and Figure 12 show how to edit the objectClass attribute and add a10Admin to it. After this, all the A10 attributes can be added to administrator test.

FIGURE 11 Adding admin test to the objectClass

FIGURE 12 Editing the Values

Restarting the LDAP Process

To place the LDAP changes into effect, restart the LDAP process on the server. To access the process controls, under Administrative Tools, select Services.

FIGURE 13 Restarting the LDAP Process - step 1

FIGURE 14 Restarting the LDAP Process - step 2

Changing the Administrator Role (A10AdminRole)

Figure 15 and Figure 16 set the administrator role for administrator test to ReadWriteAdmin.

FIGURE 15 Changing the Administrator Role

FIGURE 16 Clearing the ou Attribute

Login Example

Here is a login example for an administrator:

[root@Linux-PC-148 ~]# ssh -l test 192.168.100.46
Password:
Last login: Thu Jun 21 13:22:16 2014 from 192.168.100.148

ACOS system is ready now.

[type ? for help]

ACOS> enable
Password: <blank>
ACOS#
ACOS# show admin session
 Id    User Name   Start Time                    Source IP        Type Partition Authen  Role            Cfg  
------------------------------------------------------------------------------------------
*106   test        14:15:13 CST Thu Jun 21 2014 192.168.100.148  CLI            Ldap    ReadWriteAdmin  No   
ACOS#
ACOS#config
ACOS(config)#

 

Adding L3V Partition Information (A10AdminPartition)

The following screen configures admin test as an L3V partition administrator and assigns the administrator to partition test1.

NOTE: The shared partition does not need to be added to the LDAP server. If the A10AdminPartition attribute is not set, the admin is permitted to access the shared partition.

ACOS Configuration

Here is the partition configuration on the ACOS device:

ACOS# configure
ACOS(config)# partition test1 id 1

 

LDAP Server Configuration

Figure 17 sets the a10AdminPartition attribute to test1. This indicates that the admin can access the L3V partition called test1. The A10AdminRole attribute is set to PartitionReadWrite. This restricts the administrator to read-write operations in the L3V partition.

FIGURE 17 LDAP Server Configuration

Login Example

When administrator test logs in, the session opens in partition test1.

[root@Linux-PC-148 ~]# ssh -l test 192.168.100.46
Password:
Last login: Thu Jun 21 14:19:41 2012 from 192.168.3.196

ACOS system is ready now.

[type ? for help]

ACOS2500-1[test1]>
ACOS2500-1[test1]> enable
Password: <quick>
ACOS2500-1[test1]#
ACOS2500-1[test1]# config
ACOS2500-1[test1](config)# show admin session
 Id    User Name   Start Time                    Source IP        Type Partition Authen  Role            Cfg  
------------------------------------------------------------------------------------------
*108   test        14:22:51 CST Thu Jun 21 2012  192.168.100.148  CLI  test1     Ldap    PatitionReadWriteYes 

Changing the Access Type (A10AccessType)

Figure 18 sets the access type for the PartitionReadWrite administrator to web (GUI) and aXAPI. This configuration prohibits the administrator from logging in through the CLI.

FIGURE 18 Changing the Access Type

Login Example

The example below shows what happens if the admin tries to log in through the CLI:

[root@Linux-PC-148 ~]# ssh -l test1 192.168.100.46
Password:***
Password:***

Couldn’t login via CLI, check the log message with admin/a10

ACOS2500-1# show log
Log Buffer: 30000
Jun 21 2012 14:30:42 Error   [SYSTEM]:The user, test1, from the remote host, 192.168.100.148, failed in the CLI authentication.
Jun 21 2012 14:30:42 Warning [SYSTEM]:Ldap authentication failed(user: test1): The user access interface is not authenticated.
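As an added example, not A10 code, the following Python parses show log lines of the format shown above and joins each CLI-failure line with the LDAP-failure line that carries its reason, so that a denial caused by A10AccessType can be counted separately from other failures when reviewing admin-login activity. The two lines from the session above are reused verbatim; the remaining sample lines and the host 192.0.2.77 are constructed.

```python
import re
from collections import Counter

# Shape of the 'show log' lines above: timestamp, level, [SYSTEM], message.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<level>\w+)\s+\[SYSTEM\]:(?P<msg>.*)$")
CLI_FAIL_RE = re.compile(
    r"The user, (?P<user>[^,]+), from the remote host, (?P<host>[^,]+), failed in the (?P<iface>\w+) authentication")
LDAP_FAIL_RE = re.compile(r"Ldap authentication failed\(user: (?P<user>[^)]+)\): (?P<reason>.*)")

# Sample input: the two lines from the failed login above, followed by two
# constructed lines in the same format for a later attempt from another host.
SAMPLE_LOG = """\
Jun 21 2012 14:30:42 Error   [SYSTEM]:The user, test1, from the remote host, 192.168.100.148, failed in the CLI authentication.
Jun 21 2012 14:30:42 Warning [SYSTEM]:Ldap authentication failed(user: test1): The user access interface is not authenticated.
Jun 21 2012 14:35:10 Error   [SYSTEM]:The user, test1, from the remote host, 192.0.2.77, failed in the CLI authentication.
Jun 21 2012 14:35:10 Warning [SYSTEM]:Ldap authentication failed(user: test1): The user access interface is not authenticated.
"""


def parse_line(line: str):
    """Turn one log line into a dict, or None if it is not a [SYSTEM] line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = {"ts": m["ts"], "level": m["level"], "kind": "other",
             "user": None, "host": None, "interface": None, "reason": None}
    if c := CLI_FAIL_RE.search(m["msg"]):
        event.update(kind="login_failed", user=c["user"], host=c["host"],
                     interface=c["iface"].lower())
    elif d := LDAP_FAIL_RE.search(m["msg"]):
        event.update(kind="ldap_failed", user=d["user"], reason=d["reason"].rstrip("."))
    return event


def classify(reason):
    """Separate a policy denial (A10AccessType excludes the interface used)
    from every other LDAP failure reason."""
    if reason and "access interface is not authenticated" in reason:
        return "interface_not_permitted"
    return "other" if reason else "unknown"


def failed_logins(lines):
    """Join each login-failure line with the LDAP-failure line carrying its
    reason (same timestamp and user; the LDAP line has no source address) and
    count attempts per (user, host, interface, category)."""
    events = [e for e in map(parse_line, lines) if e]
    reasons = {(e["ts"], e["user"]): e["reason"]
               for e in events if e["kind"] == "ldap_failed"}
    counts = Counter()
    for e in events:
        if e["kind"] == "login_failed":
            cat = classify(reasons.get((e["ts"], e["user"])))
            counts[(e["user"], e["host"], e["interface"], cat)] += 1
    return counts
```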
