How to configure LDAP authentication on Crossbeam X-Series
This solution applies to any customer who wants to use LDAP authentication with the Crossbeam X-Series.
It describes all the required steps.
Crossbeam X series CPM ---- network --- LDAP Server
In our test network, the CPM and LDAP server are attached to the same IP subnet, so no particular route entry is needed. A customer with a different network configuration may need to set up CPM routing differently.
LDAP is a directory service protocol. The directory can hold different kinds of entries, such as user accounts, groups, profile information and even X.509 certificate data. The LDAP architecture is based on a directory server listening on port 389; a secured LDAP protocol also exists on port 689, but the Crossbeam X-Series Platform does not support it at this time.
LDAP identifies an account by a Distinguished Name (DN), which is used as a unique reference to a given user account. The distinguished name is of the form:
Microsoft Active Directory is Microsoft's LDAP implementation. However, because of the current Microsoft AD schemas, it is not recommended to use LDAP authentication against this implementation; RADIUS authentication should be used instead.
An LDAP server may serve many organisational units (OUs), or different departments within the same company. If someone wants to restrict access to the Crossbeam machine to LDAP accounts within a specific OU only, they can do so.
If the DN is configured as:
DN: "ou=lab,dc=crossbeamsystems,dc=com"
only users within the "lab" OU will be matched. Any other user, even one that exists in the LDAP directory in a different OU and has also been configured on the Crossbeam, will be refused.
To ensure that authentication works irrespective of the OU, the network administrator may choose to bind the Crossbeam's ROOT DN to the following:
Should the network administrator make such a choice, security is then enforced at the Crossbeam level, based on whether users have the right to access the Crossbeam system (simply configure the user, or do not).
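The following is an added example, not code from Crossbeam or this article: a small offline model of how the base DN configured on the X-Series scopes which LDAP user entries can match. The directory contents are constructed, and the assumption that the login name is matched against the "uid" attribute is this example's, not the article's.

```python
# Added example (not from the Crossbeam documentation): models how the
# configured base DN restricts which directory entries a login can match.
from typing import Optional

# Constructed sample directory: DN -> attributes. A real LDAP server would
# return these from a search; they are embedded here so the example runs offline.
DIRECTORY = {
    "uid=alice,ou=lab,dc=crossbeamsystems,dc=com": {"uid": "alice"},
    "uid=bob,ou=engineering,dc=crossbeamsystems,dc=com": {"uid": "bob"},
    "uid=carol,ou=lab,dc=othercorp,dc=com": {"uid": "carol"},
}

def parse_dn(dn: str) -> list:
    """Split a DN into (attribute, value) RDN pairs normalised for comparison.
    Attribute types are case-insensitive, and values are compared
    case-insensitively here too (usual for ou/dc/uid). Escaped commas
    are not handled; that is enough for this illustration."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs

def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is at or below base_dn (LDAP subtree scope):
    the base DN must be a suffix of the entry DN, RDN by RDN."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base

def find_user(base_dn: str, username: str) -> Optional[str]:
    """Return the DN of the entry whose uid equals username, searching only
    under base_dn. Returns None when the user exists in the directory but
    outside the base DN, which is the case the article says is refused."""
    for dn, attrs in DIRECTORY.items():
        if in_subtree(dn, base_dn) and attrs["uid"] == username:
            return dn
    return None

if __name__ == "__main__":
    # Base DN restricted to the "lab" OU: bob (engineering) is not matched.
    print(find_user("ou=lab,dc=crossbeamsystems,dc=com", "alice"))
    print(find_user("ou=lab,dc=crossbeamsystems,dc=com", "bob"))
    # Base DN at the company root: both alice and bob are matched,
    # carol (a different company suffix) still is not.
    print(find_user("dc=crossbeamsystems,dc=com", "bob"))
    print(find_user("dc=crossbeamsystems,dc=com", "carol"))
```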
1) On the LDAP server, identify the DN of the user to be authenticated on the Crossbeam chassis.
For example:
2) On the LDAP server, configure the user and note the username.
3) On the X-Series chassis, configure a user that will be authenticated by the LDAP server.