LDAP Servers Management
Lightweight Directory Access Protocol (LDAP) is a standard directory server protocol. The protocol was developed as a way to use directory services over TCP/IP and to simplify the Directory Access Protocol (DAP) defined as part of the Open Systems Interconnection (OSI) effort. Originally, LDAP was a front-end for X.500 DAP.
The LDAP protocol synchronizes and governs the communications between the LDAP Client and the LDAP Server. The protocol also dictates how database information, which is normally stored in hierarchical form, is searched from the root directory down to distinct entries. In addition, LDAP has its own format that permits LDAP-enabled Web browsers to perform directory searches over TCP/IP.
The OmniVista Cirrus LDAP Server is automatically installed in OmniVista Cirrus. You cannot modify or delete it. However, if you want to use a different LDAP V3 server, you must add it to OmniVista Cirrus. OmniVista Cirrus only manages the built-in LDAP Server; other authentication servers must be managed outside of OmniVista. You can assign devices to such servers, but the Authentication Servers application does not allow you to add, modify, or delete users and user privileges in the LDAP database of such servers. This is because an LDAP Server's database must be configured for the specific schema used to manage users, and there is no public API for configuring LDAP schemas.
LDAP Server Management supports wireless devices; however, certain attributes may not be supported. See the configuration fields below for more information.
The LDAP Servers Management screen displays all LDAP Authentication Servers known to OmniVista. It also enables you to add, modify, and delete LDAP Servers from the list of LDAP Servers.
To access the LDAP Servers Management screen, click on Network Access > Unified Access > Auth Servers > LDAP Servers under the “Configure” section of the OmniVista Cirrus Menu. The LDAP Servers Management screen displays.
Adding an LDAP Server
The OmniVista Cirrus LDAP Server is automatically installed in OmniVista Cirrus and known to OmniVista Cirrus. However, if you have configured a new LDAP Server, you must add it to the list of LDAP Servers known to OmniVista Cirrus.
To add a new LDAP Server, click on Create LDAP Server and complete the fields as described below. When you are finished, click the Create LDAP Server button to add the new LDAP Server.
Basic Information
Server Name - A unique name for the LDAP Authentication Server. This name will be used by OmniVista and the device to identify the server.
Host Name/IP Address - The host name or the IP address of the computer where the server is located.
Backup Host Name/IP Address - Each LDAP Server may optionally have a backup server that is used if this server is unavailable. To define one, enter the host name or the IP address of the computer where the backup server is located.
Advanced Information
Retries - The number of retries that you want the device to attempt when trying to contact the LDAP Server (Range = 1 - 3, Default = 3). (Not supported on wireless devices and ignored when applied to those devices.)
Timeout - The number of seconds that you want the device to wait before a request to the LDAP authentication server is timed out (Range = 1 - 30, Default = 2).
Port - The port number used as the LDAP port address. This is the port at which the LDAP Server "listens". By default, the port number is 389. However, note that the switch automatically sets the port number to 636 when SSL is enabled. (Port number 636 is typically used on LDAP Servers for SSL.) The port number on the switch must match the port number configured on the server.
SSL - Set this field to True or False to inform the device whether SSL (Secure Sockets Layer) is enabled or disabled on the LDAP authentication server. SSL can be set up on the server for additional security. (This usually involves adding digital certificates to the server.) When SSL is enabled, the server's identity will be authenticated. Refer to "Managing Authentication Servers" in your Network Configuration Guide and to the instructions provided by the LDAP Server's vendor for further information on setting up SSL on the LDAP Server. (Not supported on wireless devices and ignored when applied to those devices.)
Admin Name - The Administrator's name used to log in to the LDAP Server.
Search Base - The search base in the LDAP Server where authentication information can be found (e.g., o=alcatel.com).
Use As an On-Premise Server - Select this option if you want to use a private LDAP Server instead of one in the cloud for AP authentication. In this scenario, user authentication requests are communicated directly between an AP and the LDAP server, and are not exposed in the public network. This option is only supported for BYOD access.
Pre-emption - Enable or Disable Pre-emption to configure whether the AP should move back to the primary LDAP Server after it has switched to a secondary LDAP Server. By default, Pre-emption is Enabled.
Count-down Timer - Enter the number of seconds the AP remains on the secondary server before moving back to the primary server (Range = 600 seconds (5 minutes) to 3600 seconds (60 minutes), Default = 600 seconds).
Password - The password used to log in to the LDAP Server (up to 128 characters).
Confirm Password - Re-enter the LDAP Server password.
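The following is an added example, not OmniVista Cirrus code or an OmniVista API: it encodes the field constraints above (value ranges, the SSL/port 636 rule, the BYOD-only On-Premise option, and the attributes ignored on wireless devices) so a planned server entry can be checked before it is typed into the form. The field and function names are assumptions made for the example.

```python
# Added example (not OmniVista code): models the LDAP Server form constraints
# described above so a planned entry can be checked before it is submitted.
from dataclasses import dataclass
from typing import List


@dataclass
class LdapServerConfig:
    server_name: str
    host: str
    admin_name: str
    password: str
    search_base: str          # e.g. o=alcatel.com
    backup_host: str = ""
    retries: int = 3          # Range 1-3, ignored on wireless devices
    timeout: int = 2          # Range 1-30 seconds
    port: int = 389           # switch forces 636 when SSL is enabled
    ssl: bool = False         # ignored on wireless devices
    on_premise: bool = False  # only supported for BYOD access
    byod: bool = False        # assumption: whether the server serves BYOD access
    preemption: bool = True
    countdown: int = 600      # Range 600-3600 seconds


WIRELESS_IGNORED = ("retries", "ssl")  # attributes wireless devices do not apply


def validate(cfg: LdapServerConfig) -> List[str]:
    """Return the problems the form rules above would flag; empty means OK."""
    problems = []
    if not cfg.server_name:
        problems.append("Server Name is required")
    if not 1 <= cfg.retries <= 3:
        problems.append("Retries out of range 1-3")
    if not 1 <= cfg.timeout <= 30:
        problems.append("Timeout out of range 1-30 seconds")
    if not 600 <= cfg.countdown <= 3600:
        problems.append("Count-down Timer out of range 600-3600 seconds")
    if len(cfg.password) > 128:
        problems.append("Password longer than 128 characters")
    if cfg.ssl and cfg.port != 636:
        problems.append("SSL enabled: switch will use port 636, server must listen there")
    if cfg.on_premise and not cfg.byod:
        problems.append("Use As an On-Premise Server is only supported for BYOD access")
    return problems


def effective_settings(cfg: LdapServerConfig, wireless: bool) -> dict:
    """Settings a device actually applies: wireless devices drop unsupported
    attributes, and a switch with SSL enabled overrides the port to 636."""
    settings = dict(vars(cfg))
    if wireless:
        for key in WIRELESS_IGNORED:
            settings.pop(key)
    if settings.get("ssl"):
        settings["port"] = 636
    return settings
```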
View Additional LDAP Server Information
Select the LDAP Server in the list and click on the Additional Information icon to view additional information about the LDAP Server.
Editing an LDAP Server
Select an LDAP Server in the list and click on the Edit icon. It is important to note that you cannot modify values indiscriminately. The values must match those of the actual LDAP Server. For example, if you want to change the LDAP port address, you must first use the tools provided by your LDAP Server's vendor to change the port on the LDAP Server itself. You can then inform OmniVista Cirrus that the port number has changed by modifying the Port field. Also note that you cannot edit an LDAP Server's name. You must delete it and create a new one.
Use one of the following methods to access the Edit LDAP Servers screen (as shown above):
Select the server to edit by clicking on the checkbox next to the server name, click on Actions, then select Edit from the drop-down menu.
Click on the pencil icon under the “Actions” column next to the server name that you want to edit.
The following Edit LDAP Server screen displays. Edit the fields as described above, then click on Save.
You cannot delete an LDAP Server that is currently being used by OmniVista.
Deleting an LDAP Server
To delete an LDAP Server, use one of the following methods to select the Server Name you want to delete:
Select the LDAP Server to delete by clicking on the checkbox next to the server name, click on Actions, then select Delete from the drop-down menu.
Click on the trash can icon under the “Actions” column next to the server name that you want to delete.
Note that deleting an LDAP server will not cause devices that currently use that server to cease using it. Devices using the deleted LDAP Server will continue to use it until the switches are reassigned.
When you select the server you want to delete, the following confirmation prompt appears:
Click on Delete to confirm that you want to delete the LDAP Server.