Configure LDAP Authentication

  1. Under CONFIGURE > User Management > Remote Authentication, select LDAP from the Mode drop-down menu.

  2. Select the preferred LDAP Remote Authentication policy to be applied:

    • LDAP DownLocal: Users are authenticated against their local account only if the remote AAA server is unreachable or down. If the server does respond and the credentials provided at login are incorrect, or the account does not exist on the remote server, the user is denied access.

    • LDAP Local: If remote authentication fails because the user account does not exist on the remote AAA server, the OM attempts to authenticate the user with a local account, as for a regular local login.

  3. Enter the authentication Timeout value to apply.

    The timeout value specifies the number of seconds to wait for a response from the server before trying the next server.

    Note: The timeout value is global and applied to all authentication methods when you set the value on one authentication method.

  4. Add the Address and optionally the Port of the LDAP server to query. If no port is given, the standard defaults apply (389 for LDAP, 636 for LDAPS). See the LDAP and LDAPS Port Settings topic.

  5. Add the LDAP Base DN that corresponds to the LDAP system being queried. This is the subtree under which user and group entries are searched, not the DN of a single user, so it must be high enough in the tree to contain every account that should be able to log in. For example:

CN=Users,DC=example-domain,DC=com

  6. Add the LDAP Bind DN. This is the distinguished name of an account with sufficient privileges on the LDAP system to look up a user's entry by username and to read the list of groups that user is a member of. Use a dedicated, read-only lookup account for this purpose: its password is stored on the OM, so it should carry no privileges beyond those lookups.

  7. Input the password for the LDAP Bind DN user and confirm the password.

  8. Add the LDAP Username Attribute. This depends on the underlying LDAP system. Use sAMAccountName for Active Directory systems, and uid for OpenLDAP based systems.

  9. Add the LDAP Group Membership Attribute. This is only required for Active Directory and is generally memberOf.

  10. If required, check the Ignore referrals option. When checked, LDAP will not follow referrals to other remote authentication servers when logging users in. If multiple remote authentication servers exist on the network, checking this option may improve login times; it also keeps the lookup from being redirected to servers other than the ones configured here.

    Note: Multiple servers can be added. The LDAP subsystem queries them in a round-robin fashion.
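The values entered above (Address and Port, Base DN, Bind DN and its password, Username Attribute, Group Membership Attribute, Timeout) can be checked from a workstation with OpenLDAP's ldapsearch before they are saved on the OM. The script below is an added example and is not part of the product documentation or the OM itself: the server names, DNs and password file path are assumptions to be overridden through the environment. It binds with the lookup account, searches the Base DN for one user and prints that user's DN and group attribute, trying each configured server in turn the way the OM does, and it escapes the login name before placing it in the search filter so that a crafted name cannot widen the search.

```shell
#!/bin/sh
# Added example (not from the product documentation): verify LDAP settings
# with ldapsearch before committing them on the OM. All values below are
# assumptions; override them via the environment.
LDAP_URIS="${LDAP_URIS:-ldaps://dc1.example-domain.com:636 ldaps://dc2.example-domain.com:636}"
BIND_DN="${BIND_DN:-CN=om-lookup,CN=Users,DC=example-domain,DC=com}"
BIND_PW_FILE="${BIND_PW_FILE:-/etc/om-ldap.pw}"   # bind password read from a file, never from argv
BASE_DN="${BASE_DN:-CN=Users,DC=example-domain,DC=com}"
USER_ATTR="${USER_ATTR:-sAMAccountName}"           # use uid for OpenLDAP directories
GROUP_ATTR="${GROUP_ATTR:-memberOf}"
TIMEOUT="${TIMEOUT:-5}"                            # seconds to wait before trying the next server

# Escape a login name for use inside an LDAP search filter (RFC 4515) so that
# input such as 'alice)(cn=*' cannot match entries other than the intended one.
escape_filter_value() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The filter the lookup needs: the single entry whose username attribute
# equals the login name.
user_filter() {
  printf '(%s=%s)' "$USER_ATTR" "$(escape_filter_value "$1")"
}

# Bind with the lookup account and print the user's DN and group attribute.
# ldapsearch exits with the LDAP result code: 49 is invalidCredentials
# (wrong Bind DN or password), 32 is noSuchObject (wrong Base DN).
lookup_user_on() {
  uri="$1"; login="$2"
  ldapsearch -x -LLL -o nettimeout="$TIMEOUT" -H "$uri" \
    -D "$BIND_DN" -y "$BIND_PW_FILE" -b "$BASE_DN" -s sub \
    "$(user_filter "$login")" dn "$GROUP_ATTR"
}

# Try each configured server in turn, as the OM does, and stop at the first
# one that answers. A configuration error is reported rather than retried.
lookup_user() {
  for uri in $LDAP_URIS; do
    lookup_user_on "$uri" "$1" && return 0
    rc=$?
    case $rc in
      32|49) echo "configuration error on $uri (LDAP result code $rc)" >&2; return $rc ;;
      *)     echo "no answer from $uri (exit code $rc), trying next server" >&2 ;;
    esac
  done
  return 1
}

# Usage: BIND_PW_FILE=/path/to/pw sh ldap-check.sh <login-name>
if [ -n "${1:-}" ]; then
  lookup_user "$1"
fi
```

A successful run prints the user's DN and, on Active Directory, one memberOf line per group; an empty result with exit code 0 means the bind and Base DN are correct but the Username Attribute or the login name does not match any entry under the Base DN.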