LDAP

Configure LDAP (without TLS)

All Windows configuration examples in this section were made on Windows Server 2008 R2 Standard.

Create AD Group

By default the tacacs daemon uses the prefix tacacs to identify the LDAP groups it cares about, and that prefix is stripped during authentication. For example, if we create the group tacacsldap_main, the tacacs daemon will see a group named ldap_main; all other groups (those without the prefix) are ignored. You can disable the prefix or set a different one in the LDAP configuration section, but for the first test I recommend keeping the defaults.

Create AD User. Add user to the group.

Create AD User

Nothing special here: just create an AD user. Since this account is only used to look up users and group membership, an ordinary account with no extra privileges is enough.

Add user to the group

Nothing special here either: the user was added to the newly created group.

Configure Tacacs MAVIS LDAP

MAVIS LDAP Module
Enable LDAP authentication globally.
LDAP Type
Microsoft by default; Generic and Tacacs Schema are also available.
LDAP Scope
sub by default (search the whole subtree under the base); one and base are also available.
TLS Support
Enable TLS support. This function is described in its own section below.
LDAP Hosts
Space-separated list of LDAP URLs, IP addresses or hostnames (hostnames require working DNS resolution on the tacacs host).
LDAP User
AD user (bind account) that the tacacs daemon uses to query AD. Read access is all it needs; do not use a privileged account here.
LDAP Password
Password of the AD user that the tacacs daemon uses to query AD.
LDAP Base
Base DN of your LDAP server, e.g. dc=domain,dc=name.
LDAP Filter
LDAP search filter used to find the user; %s is replaced with the login name, e.g. (&(objectclass=user)(sAMAccountName=%s)).
Use attribute memberOf
Use the memberOf attribute to determine group membership.
Use AD Group Prefix
If checked, only groups carrying the prefix are considered (see Create AD Group above).
AD Group Prefix
The prefix used when the option above is checked; tacacs by default.
Cache Connection
Keep the connection to the LDAP server open between requests.
FallThrough
If searching for the user in LDAP fails, try the next MAVIS module (if any).
MAVIS Module Path
Leave at the default unless you are sure: /usr/local/lib/mavis/mavis_tacplus_ldap.pl.
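To make the two rules from the Create AD Group section and the LDAP Filter / AD Group Prefix options concrete, here is an added example (written for this page; it is not code from the tacacs GUI nor from mavis_tacplus_ldap.pl) that models the behaviour the text describes: the %s in the filter is replaced with the login name, and the memberOf group names are reduced to the TACMEMBER names by keeping only groups that carry the prefix and stripping it. The sample DNs, the filter-escaping routine, case-sensitive prefix matching and the decision to ignore a group whose CN is nothing but the prefix are this example's own assumptions.

```python
"""Model of the MAVIS LDAP group-prefix rule and %s filter substitution.

Added example for this page, not code from the GUI or from
mavis_tacplus_ldap.pl. Everything below is this example's own assumption
about how the rules described in the text behave.
"""
import re

DEFAULT_PREFIX = "tacacs"

# Characters that must be escaped inside an LDAP filter value (RFC 4515), so a
# login name such as "*)(objectclass=*" cannot change the filter structure.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a value before placing it inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, username):
    """Replace %s in the configured LDAP Filter with the escaped login name."""
    return template.replace("%s", escape_filter_value(username))


def cn_from_dn(dn):
    """Return the CN of the first RDN of a DN, or None if it has no leading CN.

    Simplification: escaped commas inside the CN are not handled.
    """
    m = re.match(r"\s*cn=([^,]+)", dn, re.IGNORECASE)
    return m.group(1).strip() if m else None


def tacmember_groups(member_of, prefix=DEFAULT_PREFIX, use_prefix=True):
    """Map memberOf DNs to the group names the tacacs daemon will see.

    use_prefix=True : keep only CNs starting with prefix, and strip the prefix
                      (a CN that is just the prefix is ignored; assumption).
    use_prefix=False: pass every group CN through unchanged.
    """
    groups = []
    for dn in member_of:
        cn = cn_from_dn(dn)
        if cn is None:
            continue
        if not use_prefix:
            groups.append(cn)
        elif cn.startswith(prefix) and len(cn) > len(prefix):
            groups.append(cn[len(prefix):])
    return groups


# Constructed sample of what AD might return in memberOf for the test user.
SAMPLE_MEMBER_OF = [
    "CN=tacacsldap_main,OU=Groups,DC=domain,DC=name",
    "CN=Domain Users,CN=Users,DC=domain,DC=name",
]

if __name__ == "__main__":
    print(build_filter("(&(objectclass=user)(sAMAccountName=%s))", "ldapuser"))
    print(tacmember_groups(SAMPLE_MEMBER_OF))       # only ldap_main survives
    print(tacmember_groups(SAMPLE_MEMBER_OF, use_prefix=False))
```

With the default prefix only ldap_main comes out of the sample list, which is exactly the name the test in the next section reports as TACMEMBER; Domain Users is dropped because it carries no prefix, and turning the prefix off passes every group through, which is why the defaults are the safer choice for a first test.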

Test LDAP Authentication

As you can see, the test authentication returned the success message RESULT ACK. The output also shows that, from the tacacs daemon's point of view, the user is a member of the ldap_main group: TACMEMBER "ldap_main". Note that the group appears without the tacacs prefix, as described in the Create AD Group section.

Now is a good time to check the configuration against real devices.


Configure LDAP with TLS support

Oops!

This function is not supported yet. Until it is, keep in mind that without TLS the LDAP traffic between the tacacs daemon and the AD server, including the passwords sent in LDAP binds, travels in cleartext, so the two should only talk over a trusted network segment.

Created at: 2018-05-04 23:35:15
Updated at: 2018-10-05 18:39:55
Author: Aleksey Mochalin