5-35
Basic Configuration
5.9.8. LDAP Parameters
The AFS-16 supports LDAP (Lightweight Directory Access Protocol), which allows authentication via the "Active Directory" network Directory Service. When LDAP is enabled and properly configured, command access rights can be granted to new users without the need to define individual new accounts at each AFS-16 unit, and existing users can also be removed without the need to delete the account from each AFS-16 unit. This type of authentication also allows administrators to assign users to LDAP groups, and then specify which circuits the members of each group will be allowed to control at each AFS-16 unit.
In order to apply the LDAP feature, you must first define User Names and associated Passwords and group membership via your LDAP server, and then access the AFS-16 command mode to enable and configure the LDAP settings and define port access rights and command access rights for each group that you have specified at the LDAP server. Note that in order to access the LDAP Parameters menu, you must log in to AFS-16 command mode using a password that permits Administrator level commands.
Notes:
• Circuit access rights are not defined at the LDAP server. They are defined via the LDAP Group configuration menu on each AFS-16 unit and are specific to that AFS-16 unit alone.
• When LDAP is enabled and properly configured, LDAP authentication will supersede any passwords and access rights that have been defined via the AFS-16 user directory.
• If no LDAP groups are defined on a given AFS-16 unit, then access rights will be determined as specified by the "default" LDAP group.
• The "default" LDAP group cannot be deleted.
The LDAP Parameters Menu allows the following parameters to be defined:
• Enable: Enables/disables LDAP authentication. (Default = Off.)
• PrimaryHost: Defines the IP address or domain name (up to 64 characters) for the primary LDAP server. (Default = undefined.)
• SecondaryHost: Defines the IP address or domain name (up to 64 characters) for the secondary (fallback) LDAP server. (Default = undefined.)
• LDAPPort: Defines the port that will be used to communicate with the LDAP server. (Default = 389.)
• TLS/SSL: Enables/Disables TLS/SSL encryption. Note that when TLS/SSL encryption is enabled, the LDAP Port should be set to 636. (Default = Off.)
• BindType: Sets the LDAP bind request password type. Note that in the Text Interface, when the Bind Type is set to "Kerberos", the LDAP menu will include an additional prompt (item 14) that is used to select Kerberos parameters as described in Section 5.9.8.5. In the Web Interface, the button which is used to access the Kerberos Parameters menu is located at the bottom of the LDAP Parameters Menu. (Default = Simple.)
• SearchBindDN: Selects the user name who is allowed to search the LDAP directory. (Default = undefined.)
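The following is an added example, not part of the manual and not AFS-16 firmware code: a small Python checker that models the LDAP Parameters listed above (with the manual's defaults) and reviews a proposed configuration before it is entered at the unit. It flags the combinations the text warns about (TLS/SSL enabled but LDAPPort not 636, no host defined while LDAP is enabled, host strings over 64 characters) and one consequence the manual leaves implicit: a "Simple" bind with TLS/SSL off sends the bind password in cleartext. The field names, the `review` function and the sample host names and DN are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

MAX_HOST_LEN = 64   # manual: host name or IP address up to 64 characters
LDAP_PORT = 389     # manual: default LDAPPort
LDAPS_PORT = 636    # manual: port to use when TLS/SSL is enabled


@dataclass
class LdapParameters:
    """Mirrors the LDAP Parameters menu; defaults are the manual's defaults.
    Attribute names are this example's own, not the unit's menu labels."""
    enable: bool = False                 # Enable (Default = Off)
    primary_host: Optional[str] = None   # PrimaryHost (Default = undefined)
    secondary_host: Optional[str] = None # SecondaryHost (Default = undefined)
    ldap_port: int = LDAP_PORT           # LDAPPort (Default = 389)
    tls: bool = False                    # TLS/SSL (Default = Off)
    bind_type: str = "Simple"            # BindType (Default = Simple)
    search_bind_dn: Optional[str] = None # SearchBindDN (Default = undefined)


def host_order(p: LdapParameters) -> List[str]:
    """Servers in the order the unit would use them: primary first, then the
    secondary (fallback) host; undefined entries are skipped."""
    return [h for h in (p.primary_host, p.secondary_host) if h]


def review(p: LdapParameters) -> List[str]:
    """Return a list of findings ("ERROR"/"WARN"/"INFO" prefixed); an empty
    list means the configuration is internally consistent."""
    findings: List[str] = []

    if not p.enable:
        # With Enable = Off the local AFS-16 user directory applies as before.
        findings.append("INFO: LDAP disabled; AFS-16 user directory passwords apply")
        return findings

    if not host_order(p):
        findings.append("ERROR: LDAP enabled but neither PrimaryHost nor SecondaryHost is defined")

    for label, host in (("PrimaryHost", p.primary_host), ("SecondaryHost", p.secondary_host)):
        if host and len(host) > MAX_HOST_LEN:
            findings.append(f"ERROR: {label} is {len(host)} characters; limit is {MAX_HOST_LEN}")

    if p.tls and p.ldap_port != LDAPS_PORT:
        findings.append(f"WARN: TLS/SSL is On but LDAPPort is {p.ldap_port}; manual says set it to {LDAPS_PORT}")
    if not p.tls and p.ldap_port == LDAPS_PORT:
        findings.append(f"WARN: LDAPPort is {LDAPS_PORT} but TLS/SSL is Off; the server will expect TLS on that port")

    if p.bind_type == "Simple" and not p.tls:
        # A simple bind carries the password in the clear unless the session is TLS-protected.
        findings.append("WARN: Simple bind with TLS/SSL Off sends the bind password in cleartext")

    if p.primary_host and not p.secondary_host:
        findings.append("INFO: no SecondaryHost defined; there is no fallback LDAP server")

    return findings


if __name__ == "__main__":
    # Constructed sample values, not real servers.
    candidate = LdapParameters(enable=True, primary_host="ldap1.example.internal",
                               ldap_port=389, tls=True)
    for line in review(candidate):
        print(line)
```

Run it once against the settings you intend to type into the LDAP Parameters menu; a clean (empty) result for an enabled configuration means both hosts are defined, the port matches the TLS/SSL setting, and the bind will not expose the password on the wire.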