Deployment Guide

1. If your Windows Active Directory server for LDAP needs to be verified by the LDAP client (that is, the Brocade switch), then you must install a Certificate Authority (CA) certificate on the Windows Active Directory server for LDAP.
   Follow Microsoft instructions for generating and installing CA certificates on a Windows server.
2. Create a user in the Microsoft Active Directory server.
   For instructions on how to create a user, refer to www.microsoft.com or Microsoft documentation.
3. Create a group whose name is the same as the switch's role name.
   or
   Use the ldapCfg --maprole ldap_role_name switch_role command to map an LDAP server role to one of the default roles available on the switch.
4. Associate the user with the group by adding the user to the group.
5. Add the user's Administrative Domains or Virtual Fabrics to the CN_list by either editing the adminDescription value or adding the brcdAdVfData attribute to the existing Active Directory schema.
   This action maps the Admin Domains or Virtual Fabrics to the user name. Multiple Admin Domains can be added as a string value separated by the underscore character ( _ ). Virtual Fabrics are added as a string value separated by a comma ( , ) and entered as a range.
Creating a user
To create a user in Active Directory, refer to www.microsoft.com or Microsoft documentation. There are no special attributes to set. You can use a fully qualified name for logging in; for example, you can log in as "user@domain.com".
Creating a group
To create a group in Active Directory, refer to www.microsoft.com or Microsoft documentation. You must verify that the group has the following attributes:
- The name of the group must match the RBAC role.
- The Group Type must be Security.
- The Group Scope must be Global.
- The primary group in the AD server should not be set to the group corresponding to the switch role. You can choose any other group.
If the user you created is not a member of the Users OU, then the User Principal Name, in the format of "user@domain", is required to log in.
Assigning the group (role) to the user
To assign the user to a group in Active Directory, refer to www.microsoft.com or Microsoft documentation. If you have a user-defined group, use the ldapCfg --maprole command to map LDAP server permissions to one of the default roles available on a switch. Alternatively, update the memberOf field with the login permissions (root, admin, switchAdmin, user, and so on) that the user must use to log in to the switch.
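The following PowerShell script is an added example and is not part of the Fabric OS guide or any Brocade tooling. It carries out steps 2 through 5 above on the Active Directory side and then audits the result against the group requirements listed under "Creating a group" (name matches the role, Security type, Global scope, primary group not the role group, and whether the user sits outside the Users OU so that the UPN form is needed). It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined administrative host; the role name "admin", the user "fabricops", the OU path, and the sample adminDescription value are all constructed placeholders, and the exact value syntax the switch expects for adminDescription or brcdAdVfData is not given on this page.

```powershell
# Added example, not from the Fabric OS guide. Requires the ActiveDirectory
# module (RSAT) and rights to create groups and modify the user.
Import-Module ActiveDirectory

# --- Constructed sample values (assumptions, adjust for your environment) ---
$RoleName       = 'admin'                         # must equal the switch RBAC role name exactly
$SamAccountName = 'fabricops'                     # user created in step 2
$GroupOU        = 'OU=Brocade,DC=example,DC=com'  # placeholder OU for the role group
$AdVfValue      = '1-10,128'                      # VF string: comma-separated, entered as a range
                                                  # (Admin Domains would instead use '_' separators)

# Step 3: role group with the required attributes (Security category, Global scope).
if (-not (Get-ADGroup -Filter "Name -eq '$RoleName'")) {
    New-ADGroup -Name $RoleName -SamAccountName $RoleName `
                -GroupCategory Security -GroupScope Global -Path $GroupOU
}

# Step 4: associate the user with the role group.
Add-ADGroupMember -Identity $RoleName -Members $SamAccountName

# Step 5: store the Admin Domain / Virtual Fabric list on the user object.
# The guide allows editing adminDescription or adding brcdAdVfData via a schema
# extension; this example uses the existing adminDescription attribute.
Set-ADUser -Identity $SamAccountName -Replace @{ adminDescription = $AdVfValue }

# Audit: check the user and group against the requirements in "Creating a group".
function Test-SwitchRoleMapping {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Role
    )
    $u = Get-ADUser -Identity $User -Properties memberOf, primaryGroupID, adminDescription, UserPrincipalName
    $g = Get-ADGroup -Identity $Role

    # primaryGroupID holds the RID of the primary group; compare with the role group's RID.
    $roleRid = [int](($g.SID.Value -split '-')[-1])

    # Users outside CN=Users must log in with the UPN form "user@domain".
    $outsideUsersContainer = $u.DistinguishedName -notmatch '^CN=[^,]+,CN=Users,'

    [pscustomobject]@{
        User                  = $User
        GroupNameMatchesRole  = ($g.Name -eq $Role)
        GroupIsSecurity       = ($g.GroupCategory -eq 'Security')
        GroupIsGlobal         = ($g.GroupScope -eq 'Global')
        UserIsMemberOfRole    = ($u.memberOf -contains $g.DistinguishedName)
        PrimaryGroupIsNotRole = ($u.primaryGroupID -ne $roleRid)
        AdminDescriptionSet   = -not [string]::IsNullOrEmpty($u.adminDescription)
        RequiredLoginName     = if ($outsideUsersContainer) { $u.UserPrincipalName } else { $User }
    }
}

Test-SwitchRoleMapping -User $SamAccountName -Role $RoleName | Format-List
```

Every property in the audit output should read True except that RequiredLoginName shows which form of the name the switch login will need; a False on PrimaryGroupIsNotRole means the role group was made the user's primary group, which the guide says to avoid, and a False on GroupIsSecurity or GroupIsGlobal means the group was created as a distribution group or with the wrong scope and must be recreated or changed with Set-ADGroup.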
Adding an Admin Domain or Virtual Fabric list
1. From the Windows Start menu, select Programs > Administrative Tools > ADSI.msc.
Fabric OS Administrators Guide 161
53-1003130-01