Fabric OS Administrator's Guide v7.0.0 (53-1002148-02, June 2011)

The authentication model using RADIUS and LDAP
Use the User-Principal-Name (UPN), not the Common-Name (CN), for AD LDAP authentication.
For backward compatibility, authentication based on the Common Name is still supported for
Active Directory LDAP 2000 and 2003, but Common-Name-based authentication is not recommended
for new installations.
A user can belong to multiple groups, one of which is the user's primary group. The primary
group in the AD server must not be set to the group that corresponds to the switch role, because
Active Directory does not list a user's primary group in the memberOf attribute and the switch
would therefore not see that role membership. Choose any other group (for example, the default
Domain Users) as the primary group.
A user can be part of any Organizational Unit (OU).
Active Directory LDAP 2000, 2003, and 2008 are supported.
Roles for Brocade-specific users can be added through the Microsoft Management Console.
Groups created in Active Directory must correspond directly to the RBAC user roles on the switch,
and a role is assigned by making the user a member of the corresponding group. A user can be
assigned to multiple groups, for example Switch Admin and Security Admin. If the group names on
the LDAP server cannot match the switch role names, use the
ldapCfg --maprole ldap_role_name switch_role command to map an LDAP server role (group) to
one of the default roles available on the switch. For more information on RBAC roles, see
“Role-Based Access Control” on page 84.
NOTE
All instructions involving Microsoft Active Directory can be obtained from www.microsoft.com or your
Microsoft documentation. Confer with your system or network administrator prior to configuration
for any special needs your network environment may have.
The following is an overview of the process used to set up LDAP:
1. If your Windows Active Directory server for LDAP needs to be verified by the LDAP client (that is,
the Brocade switch), then you must install a Certificate Authority (CA) certificate on the
Windows Active Directory server for LDAP.
Follow Microsoft instructions for generating and installing CA certificates on a Windows server.
2. Create a user in Microsoft Active Directory server.
For instructions on how to create a user, refer to www.microsoft.com or Microsoft
documentation to create a user in your Active Directory.
3. Create a group whose name is the same as the switch’s role name, so that the Active
Directory group name matches the switch role exactly.
   or
   Use the ldapCfg --maprole ldap_role_name switch_role command to map an LDAP server role
   to one of the default roles available on the switch.
4. Associate the user with the role by adding the user to the group.
For instructions on how to add a user to a group, refer to www.microsoft.com or Microsoft
documentation for your version of Active Directory.
5. Add the user’s Administrative Domains or Virtual Fabrics to the CN_list by either editing the
adminDescription value or adding the brcdAdVfData attribute to the existing Active Directory
schema.
This action maps the Admin Domains or Virtual Fabrics to the user name. Multiple Admin
Domains are added as a single string value with the entries separated by the underscore
character ( _ ). Virtual Fabrics are added as a string value separated by a colon ( : ) and
entered as a range.
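The following PowerShell script is an added example and is not part of the Fabric OS guide or of
any Brocade or Microsoft tooling. It carries out steps 2 through 5 above on a Windows Active
Directory server with the ActiveDirectory module, and then checks the two points the page makes
that are easy to get wrong: that the user has a UPN, and that the user's primary group is not one
of the role groups (AD does not report the primary group in memberOf). The domain name
example.local, the OU named Brocade, the user name fabricop, the group names switchadmin and
securityadmin (chosen to match switch role names; check them against the RBAC role list on page
84) and the adminDescription value are all assumptions made for the example; replace them with
your own values.

```powershell
# Added example, not from the Fabric OS guide. Requires the RSAT ActiveDirectory module and
# an account allowed to create users and groups in the target OU.
Import-Module ActiveDirectory

$Domain     = 'example.local'                     # assumed lab domain
$OuPath     = 'OU=Brocade,DC=example,DC=local'    # assumed OU; the guide allows any OU
$UserName   = 'fabricop'                          # assumed user name
$Upn        = "$UserName@$Domain"                 # the switch authenticates on the UPN
$RoleGroups = @('switchadmin', 'securityadmin')   # assumed; must equal switch RBAC role names
# Assumed Virtual Fabric string (role:range, as the guide describes); adjust to your release.
$VfString   = 'HomeLF=1;LFRoleList=admin:1-128'

# Step 3: one security group per switch role, named exactly like the role.
foreach ($g in $RoleGroups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'" -SearchBase $OuPath)) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global `
                    -GroupCategory Security -Path $OuPath
    }
}

# Step 2: the user, created with a UPN so UPN-based (not CN-based) login works.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$UserName'")) {
    $pw = Read-Host -AsSecureString -Prompt "Initial password for $Upn"
    New-ADUser -Name $UserName -SamAccountName $UserName -UserPrincipalName $Upn `
               -Path $OuPath -AccountPassword $pw -Enabled $true
}

# Step 4: role assignment is group membership; the user may be in several role groups.
foreach ($g in $RoleGroups) {
    Add-ADGroupMember -Identity $g -Members $UserName
}

# Step 5: Admin Domain / Virtual Fabric data in adminDescription (an existing AD attribute,
# so no schema extension is needed; brcdAdVfData would require extending the schema).
Set-ADUser -Identity $UserName -Replace @{ adminDescription = $VfString }

# Checks: what the switch's LDAP client will actually see for this user.
$u = Get-ADUser -Identity $UserName -Properties memberOf, primaryGroup, adminDescription

if (-not $u.UserPrincipalName) {
    Write-Warning "$UserName has no UPN; the switch cannot authenticate it by User-Principal-Name."
}

# The primary group is carried in primaryGroupID, not memberOf, so a role group used as the
# primary group is invisible to the switch.
$primary = (Get-ADGroup -Identity $u.primaryGroup).Name
if ($RoleGroups -contains $primary) {
    Write-Warning "Primary group '$primary' is a switch role group and will not appear in memberOf;" +
                  " make a non-role group (e.g. Domain Users) the primary group."
}

$visibleRoles = $u.memberOf |
    ForEach-Object { (Get-ADGroup -Identity $_).Name } |
    Where-Object  { $RoleGroups -contains $_ }

"UPN:                  $($u.UserPrincipalName)"
"Primary group:        $primary"
"Role groups visible:  $($visibleRoles -join ', ')"
"adminDescription:     $($u.adminDescription)"
```

The script is idempotent for the group and user creation, so it can be re-run after a fix. If
the organization's naming policy does not allow groups named after switch roles, keep the
membership logic as is and instead map the real group name to a switch role on the switch with
ldapCfg --maprole ldap_role_name switch_role, as described in step 3.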