Identity-management configuration

Hello, everyone!

I want to configure Identity Management. Now it works only with the Kerberos option configured. The result is that for only 10% of ports in the stack I can see hostnames, domain name, IP and, very rarely, username.

I wanted to configure LDAP servers (I have MSFT infrastructure) but it fails with the message (in the picture).

Could you please explain to me what I am doing wrong?

If I have MSFT forest/domain - which option should I configure - LDAP or Kerberos?

Many thanks in advance,

Ilya

Ilya Semenov

Posted 2 years ago

Ronald Dvorak, Embassador

Never done such config but let's try it....

Is there an LDAP domain configured...
Switch_1.1 # show ldap domain
Total domains configured: 0
Switch_1.2 #
If not create one....

Switch_1.1 # create ldap domain RON default ?
<cr>            Execute the command
Switch_1.1 # create ldap domain RON default

You don't need to name it RON :-)
Tripathy, Priya Ranjan, ESE

As said by Ronald, try to check whether any domain has been configured already or not. If not, then:
You can configure different domains and add different LDAP servers for these different domains. When adding an LDAP server to identity manager, you can specify the domain under which the server is to be added.

You can configure a base-dn and a bind user for each domain.

Base-dn is assumed to be the same as the domain name unless explicitly configured otherwise.
(Base-dn is the LDAP directory under which the users are to be searched.)

For users upgrading from older configurations, the base-dn configured on an older EXOS version now becomes the default domain name. This can be changed later if required.

For users upgrading from older configurations, the LDAP servers configured on older EXOS versions are now servers under the default domain.

You can now add up to eight LDAP servers to each of the user-configured domains if you want.


For further reference please find below the command line for the same:

To add or remove LDAP server connections for retrieving identity attributes, use the following commands:

configure {identity-management} ldap {domain <domain_name>} add server [<host_ipaddr> | <host_name>] {<server_port>} {client-ip <client_ipaddr>} {vr <vr_name>} {encrypted sasl digest-md5}

To configure LDAP client credentials for accessing an LDAP server, use the following command:

configure {identity-management} ldap {domain [<domain_name>|all]} bind-user [<user_name> {encrypted} <password> | anonymous]

To specify a base domain name to be added to user names in LDAP queries, use the following command:

configure {identity-management} ldap {domain [<domain_name>|all]} base-dn [<base_dn> | none | default]

To enable or disable LDAP queries for specific network login types, use the following command:

configure {identity-management} ldap {domain [<domain_name> | all]} [enable|disable] netlogin [dot1x | mac | web-based]

Hope this helps you in sorting out this issue......
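A worked configuration assembled from the command syntax quoted in the answer above, added here as an example; it is not code from the thread or from Extreme's documentation, and it assumes an EXOS release that offers the ldap keyword under identity-management. The domain name, server address, VR name, bind account, password and base DN are placeholders to be replaced with your own values.

```exos
# Added example: identity-management LDAP lookup against one AD domain (all values are placeholders)

# 1. Create the LDAP domain and make it the default domain
create ldap domain corp.example.com default

# 2. Attach a domain controller to it (plain LDAP on 389, reached over the default VR)
configure identity-management ldap domain corp.example.com add server 192.0.2.10 389 vr VR-Default

# 3. Bind with a dedicated read-only directory account; AD rejects anonymous
#    binds for user searches by default, so "bind-user anonymous" is not enough.
#    The account only needs read access to the users it must resolve.
configure identity-management ldap domain corp.example.com bind-user svc-ldap-ro@corp.example.com <password>

# 4. Search base: the default is the domain name, so set the DN form explicitly
configure identity-management ldap domain corp.example.com base-dn dc=corp,dc=example,dc=com

# 5. Allow LDAP queries for the netlogin types actually in use on the edge ports
configure identity-management ldap domain corp.example.com enable netlogin dot1x
configure identity-management ldap domain corp.example.com enable netlogin mac

# 6. Verify that the domain now exists
show ldap domain
```

Once the domain, server and bind user are in place, the LDAP attributes should appear on identities that were previously showing only the Kerberos-derived hostname and IP.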
Ilya Semenov

Hello, gentlemen!

One reason why I love Extreme so much is the way you change EXOS and especially Netsight. Every new release is a quest making you find where the old commands are hidden now.

There is no LDAP command in IDENTITY-MANAGEMENT under 16.2 EXOS =)

Yesterday I tried identity-management in 15.3 EXOS and we are going to upgrade it to the latest version. But LDAP is gone and everything was a bit useless...

Many thanks for your help,

Ilya
Tripathy, Priya Ranjan, ESE

Thanks for your kind words......
Please let us know if you need any more information, or whether it is fine to close this ongoing discussion moving forward......
Ilya Semenov

Hello, Tripathy!

The discussion could be closed. If Identity-management works for about 24 hours, it slowly starts to show some info on what is on a port now. God knows how fresh this information is.

Many thanks to all participants!
Ryan Mathews, Alum

Thanks for your honest candor, Ilya. That's how we can improve on these shortcomings.

If you change your mind on working this, let's get you in to GTAC so we can get you some solid answers.