Managing Authentication Servers LDAP Servers
OmniSwitch 6600 Family Network Configuration Guide April 2006 page 20-21
Directory Server Schema for LDAP Authentication
To support LDAP authentication in the network, the directory server schema must be extended with object classes and attributes that map the user account information held in the directory servers to the switch's authentication model.
• All LDAP-enabled directory servers require an entry of the auxiliary objectClass passwordObject for user password policy information.
• Another auxiliary objectClass, password policy, is used by the directory server to apply the password policy for the entire server. There is only one entry of this object for the database server.
Note. Server schema extensions should be configured before the aaa ldap-server command is configured.
Vendor-Specific Attributes for LDAP Servers
The following are Vendor Specific Attributes (VSAs) for Authenticated Switch Access and/or Layer 2 Authentication:

attribute                    description
bop-asa-func-priv-read-1     Read privileges for the user.
bop-asa-func-priv-read-2     Read privileges for the user.
bop-asa-func-priv-write-1    Write privileges for the user.
bop-asa-func-priv-write-2    Write privileges for the user.
bop-asa-allowed-access       Whether the user has access to configure the switch.
bop-asa-snmp-level-security  Whether the user may have SNMP access, and the type of SNMP protocol used.
bop-shakey                   A key computed from the user password with the alp2key tool.
bop-md5key                   A key computed from the user password with the alp2key tool.
allowedtime                  The periods of time the user is allowed to log into the switch.
switchgroups                 The VLAN ID and protocol (IP_E2, IP_SNAP, IPX_E2, IPX_NOV, IPX_LLC, IPX_SNAP).

Configuring Functional Privileges on the Server
Configuring the functional privilege attributes (bop-asa-func-priv-read-1, bop-asa-func-priv-read-2, bop-asa-func-priv-write-1, bop-asa-func-priv-write-2) requires using read and write bitmasks for command families on the switch.
1 To display the functional bitmasks of the desired command families, use the show aaa priv hexa command.
2 On the LDAP server, configure the functional privilege attributes with the bitmask values.
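As an added example (not from the guide, and not an Alcatel tool), the following Python script composes the two-word read and write bitmasks for a user from a table of command-family masks, emits them as an LDIF modify record carrying the four bop-asa-func-priv-* attributes, and decodes an existing record back into command families so an administrator can review what an entry actually grants before it reaches the switch. The family-to-mask table is a constructed placeholder (the real values come from show aaa priv hexa on the switch), the directory layout ou=people,dc=example,dc=com and the eight-hex-digit attribute value format are assumptions, and write_without_read is a hypothetical helper for spotting a write mask that grants a family the read mask does not.

```python
# Added example (not from the OmniSwitch guide): compose and audit the
# bop-asa-func-priv-* bitmask attributes for an LDAP user entry.
import re

# Constructed placeholder table: command family -> (word1, word2) bitmask.
# Real values must be taken from `show aaa priv hexa` on the switch; the
# split into two 32-bit words mirrors the -1/-2 attribute pair (assumed).
FAMILY_MASKS = {
    "file":   (0x00000001, 0x00000000),
    "telnet": (0x00000002, 0x00000000),
    "snmp":   (0x00000004, 0x00000000),
    "aaa":    (0x00000008, 0x00000000),
    "vlan":   (0x00000000, 0x00000001),
    "ip":     (0x00000000, 0x00000002),
}


def combine_masks(families):
    """OR the two-word masks of the given families into one (word1, word2) pair."""
    word1 = word2 = 0
    for family in families:
        m1, m2 = FAMILY_MASKS[family]  # KeyError on an unknown family is intended
        word1 |= m1
        word2 |= m2
    return word1, word2


def decode_masks(word1, word2):
    """Return the families whose bits are all set in the (word1, word2) pair."""
    return sorted(
        family for family, (m1, m2) in FAMILY_MASKS.items()
        if (m1 | m2) and (word1 & m1) == m1 and (word2 & m2) == m2
    )


def build_ldif(uid, read_families, write_families):
    """Emit an LDIF modify record with the four functional-privilege attributes.

    The DIT layout and the 8-hex-digit value format are assumptions, not the
    format documented by the guide.
    """
    r1, r2 = combine_masks(read_families)
    w1, w2 = combine_masks(write_families)
    return "\n".join([
        f"dn: uid={uid},ou=people,dc=example,dc=com",
        "changetype: modify",
        "replace: bop-asa-func-priv-read-1",
        f"bop-asa-func-priv-read-1: {r1:08x}",
        "-",
        "replace: bop-asa-func-priv-read-2",
        f"bop-asa-func-priv-read-2: {r2:08x}",
        "-",
        "replace: bop-asa-func-priv-write-1",
        f"bop-asa-func-priv-write-1: {w1:08x}",
        "-",
        "replace: bop-asa-func-priv-write-2",
        f"bop-asa-func-priv-write-2: {w2:08x}",
        "-",
    ]) + "\n"


# Matches one privilege attribute line, e.g. "bop-asa-func-priv-read-1: 00000001".
ATTR_RE = re.compile(
    r"^bop-asa-func-priv-(read|write)-([12]):\s*([0-9a-fA-F]+)\s*$", re.M
)


def audit_ldif(ldif_text):
    """Parse the privilege attributes out of an LDIF record and decode them into
    command families, so the grant can be reviewed before the entry is loaded."""
    words = {("read", 1): 0, ("read", 2): 0, ("write", 1): 0, ("write", 2): 0}
    for kind, idx, value in ATTR_RE.findall(ldif_text):
        words[(kind, int(idx))] = int(value, 16)
    return {
        "read": decode_masks(words[("read", 1)], words[("read", 2)]),
        "write": decode_masks(words[("write", 1)], words[("write", 2)]),
    }


def write_without_read(ldif_text):
    """Hypothetical consistency check: families granted write but not read,
    a typical slip when the two attribute pairs are edited separately."""
    privs = audit_ldif(ldif_text)
    return sorted(set(privs["write"]) - set(privs["read"]))


if __name__ == "__main__":
    record = build_ldif("jsmith", ["file", "vlan", "ip"], ["vlan"])
    print(record)
    print(audit_ldif(record))
    print("write without read:", write_without_read(record))
```

The decode step is the one worth keeping around: once the real masks from show aaa priv hexa replace the placeholder table, the same function turns any exported user entry back into a readable list of command families, which is what a periodic review of switch administrator privileges needs.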