Identity-management configuration


Userlevel 4
Hello, everyone!

I want to configure Identity Management. Right now it works only with the Kerberos option configured. As a result, I can see hostnames, domain name and IP for only 10% of the ports in the stack, and very rarely a username.

I wanted to configure LDAP servers (I have MSFT infrastructure), but it fails with the message (in the picture).

Could you please explain to me what I am doing wrong?

If I have MSFT forest/domain - which option should I configure - LDAP or Kerberos?

Many thanks in advance,

Ilya

6 replies

Userlevel 7
Never done such config but let's try it....

Is there an LDAP domain configured...
Switch_1.1 # show ldap domain
Total domains configured: 0
Switch_1.2 #

If not create one....

Switch_1.1 # create ldap domain RON default ?
Execute the command
Switch_1.1 # create ldap domain RON default

You don't need to name it RON 🙂
Userlevel 4
As Ronald said, try to check whether any domain has been configured already. If not, then you can configure different domains and add different LDAP servers for these different domains. When adding an LDAP server to identity manager, you can specify the domain under which the server is to be added.

You can configure a base-dn and a bind user for each domain.

Base-dn is assumed to be the same as the domain name unless explicitly configured otherwise.
(Base-dn is the LDAP directory under which the users are to be searched.)

For users upgrading from older configurations, the base-dn configured on an older EXOS version
now becomes the default domain name. This can be changed later if required.

For users upgrading from older configurations, the LDAP servers configured on older EXOS
versions are now servers under the default domain.

You can now add up to eight LDAP servers to each of the user-configured domains if you want.

For further reference please find below the command line for the same:

To add or remove LDAP server connections for retrieving identity attributes, use the following
commands:

configure {identity-management} ldap {domain } add server [ | ] {} {client-ip } {vr } {encrypted sasl digest-md5}

To configure LDAP client credentials for accessing an LDAP server, use the following command:

configure {identity-management} ldap {domain [|all]} bind-user [[u] {encrypted} | anonymous]

To specify a base domain name to be added to user names in LDAP queries, use the following
command:

configure {identity-management} ldap {domain [|all]} base-dn [[b] | none | default]

To enable or disable LDAP queries for specific network login types, use the following command:

configure {identity-management} ldap { domain [ | all ] } [enable|disable] netlogin [dot1x | mac | web-based]

Hope this helps you in sorting out this issue......
Userlevel 4
Hello, gentlemen!

One reason why I love Extreme so much is the way you change EXOS and especially Netsight. Every new release is a quest making you find where the old commands are hidden now.

There is no LDAP command in IDENTITY-MANAGEMENT under 16.2 EXOS 🙂

Yesterday I tried identity-management in 15.3 EXOS and we are going to upgrade it to the latest version. But LDAP is gone and everything was a bit useless...

Many thanks for your help,

Ilya
Userlevel 4
Thanks for your kind words......
Please let us know if you need any more information or whether it is fine to close this ongoing discussion moving forward......
Userlevel 4
Tripathy, Priya Ranjan wrote:

Thanks for your kind words......
Please let us know if you need any more information or whether it is fine to close this ongoing discussion moving forward......

Hello, Tripathy!

The discussion could be closed. If Identity-management works for about 24 hours, it slowly starts to show some info on what is on a port now. God knows how fresh this information is.

Many thanks to all participants!
Userlevel 6
Tripathy, Priya Ranjan wrote:

Thanks for your kind words......
Please let us know if you need any more information or whether it is fine to close this ongoing discussion moving forward......

Thanks for your honest candor, Ilya. That's how we can improve on these shortcomings.

If you change your mind on working this, let's get you in to GTAC so we can get you some solid answers.
