Help on Access > Authentication Providers > LDAP

The following information and controls appear on Access > Authentication Providers > LDAP.

Add an LDAP provider
Opens a dialog box that enables you to add an LDAP authentication provider.
LDAP provider name
Specifies the name of the LDAP provider that you want to add.
Server URIs
Specifies one or more valid LDAP server URIs, one per line, in the format ldaps://<server>:<port> (secure LDAP) or ldap://<server>:<port> (non-secure LDAP). If you do not specify a port, the default port is used, which is 636 for secure LDAP and 389 for non-secure LDAP.
Connect to a random server on each request
Select this checkbox to enable the LDAP provider to make random connections to the LDAP servers. Otherwise, the LDAP provider will connect to LDAP servers in the order in which they are listed.
Base distinguished name (DN)
Specifies the distinguished name (DN) of the entry at which to start LDAP searches. Base DNs can include cn (Common Name), l (Locality), dc (Domain Component), ou (Organizational Unit), or other components. For example, dc=emc,dc=com is a base DN for emc.com.
Groupnet
Specifies which groupnet you want to associate with the LDAP provider. The groupnet specifies which networking properties the LDAP provider will use when communicating with external servers. The groupnet that is associated with the LDAP provider cannot be changed. Instead, you must delete the LDAP provider and create it again with the new groupnet association. You can add the LDAP provider only to an access zone that references the same groupnet.
Bind DN
Specifies the distinguished name of the entry at which to bind to the LDAP server.
Bind DN password
Specifies the password to use when binding to the LDAP server. Use of this password does not require a secure connection; if the connection is not using Transport Layer Security (TLS), the password is sent in clear text.
Default Query Settings
Expanded list that enables you to set options pertaining to general queries to the LDAP provider.
Search scope
Specifies the depth from the base DN at which to perform default LDAP searches. The following values are valid:
Base
Searches only the entry at the base DN.
One-level
Searches all entries exactly one level below the base DN.
Subtree
Searches the base DN and all entries below it.
Children
Searches all entries below the base DN, excluding the base DN itself.
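The four search scopes above decide which entries a query can match at all, so a scope that is wider than the user or group subtree lets entries from other parts of the directory satisfy a query filter. The following added example (not OneFS code; OneFS hands the scope to the LDAP server, this only reproduces the semantics) applies each scope to a constructed set of DNs under the page's dc=emc,dc=com base.

```python
"""Reproduce the Base, One-level, Subtree and Children search scopes
against constructed DNs. Illustration added here, not OneFS code."""


def dn_components(dn):
    # Split a DN into its RDNs, most specific first. Constructed parser for
    # the plain "attr=value,attr=value" form used on this page; it does not
    # handle escaped commas or multi-valued RDNs.
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def depth_below(base, dn):
    """Levels by which dn lies below base (0 = base itself), or None if dn
    is not base and not beneath it."""
    b, d = dn_components(base), dn_components(dn)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return None
    return len(d) - len(b)


# Scope name -> predicate on the depth below the base DN
SCOPES = {
    "base": lambda n: n == 0,        # only the base entry
    "one-level": lambda n: n == 1,   # exactly one level below
    "subtree": lambda n: n >= 0,     # base and everything below it
    "children": lambda n: n >= 1,    # everything below, excluding base
}


def search(base, scope, entries):
    """Return the entries that the given scope would allow a query to match."""
    matches = SCOPES[scope.lower()]
    return [dn for dn in entries
            if depth_below(base, dn) is not None and matches(depth_below(base, dn))]


# Constructed directory for the example, not real data
DIRECTORY = [
    "dc=emc,dc=com",
    "ou=people,dc=emc,dc=com",
    "uid=alice,ou=people,dc=emc,dc=com",
    "ou=groups,dc=emc,dc=com",
    "cn=admins,ou=groups,dc=emc,dc=com",
    "dc=other,dc=com",
]

if __name__ == "__main__":
    for name in SCOPES:
        print(f"{name:10s} {search('dc=emc,dc=com', name, DIRECTORY)}")
```

Running it shows that only Subtree and Children reach uid=alice two levels down, which is why a user query whose base is dc=emc,dc=com needs one of those scopes, while a base of ou=people,dc=emc,dc=com with One-level already suffices.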
Search timeout
Specifies the number of seconds after which to stop retrying and fail a search. The default value is 100 seconds. This setting is available only in the default query settings.
User Query Settings
Expanded list that enables you to set options pertaining to user queries to the LDAP provider.
Base distinguished name
Specifies the distinguished name of the entry at which to start LDAP searches for users.
Search scope
Specifies the depth from the base DN at which to perform LDAP searches for users. The following values are valid:
Default
Applies the search scope that is defined in the default query settings.
Base
Searches only the entry at the base DN.
One-level
Searches all entries exactly one level below the base DN.
Subtree
Searches the base DN and all entries below it.
Children
Searches all entries below the base DN, excluding the base DN itself.
Query filter
Sets the LDAP filter for user objects.
Authenticate users from this LDAP provider
Select to enable the LDAP provider to respond to authentication requests in addition to identity lookups. Otherwise, the LDAP provider responds only to identity lookups.
Home directory naming template
Specifies a path to use as a template for naming home directories. The path must begin with /ifs and can contain expansion variables such as %U.
Automatically create user home directory on first login
Select to create a home directory the first time a user logs in, if a home directory does not exist for the user.
UNIX shell
Specifies a path to the login shell for users who access the OneFS file system through SSH.
Group Query Settings
Expanded list that enables you to set options pertaining to group queries to the LDAP provider.
Base distinguished name
Specifies the distinguished name of the entry at which to start LDAP searches for groups.
Search scope
Specifies the depth from the base DN at which to perform LDAP group searches. The following values are valid:
Default
Applies the search scope that is defined in the default query settings.
Base
Searches only the entry at the base DN.
One-level
Searches all entries exactly one level below the base DN.
Subtree
Searches the base DN and all entries below it.
Children
Searches all entries below the base DN, excluding the base DN itself.
Query filter
Sets the LDAP filter for group objects.
Netgroup Query Settings
Expanded list that enables you to set options pertaining to netgroup queries to the LDAP provider.
Base distinguished name
Specifies the distinguished name of the entry at which to start LDAP searches for netgroups.
Search scope
Specifies the depth from the base DN at which to perform LDAP netgroup searches. The following values are valid:
Default
Applies the search scope that is defined in the default query settings.
Base
Searches only the entry at the base DN.
One-level
Searches all entries exactly one level below the base DN.
Subtree
Searches the base DN and all entries below it.
Children
Searches all entries below the base DN, excluding the base DN itself.
Query filter
Sets the LDAP filter for netgroup objects.
Advanced LDAP Settings
Expanded list that enables you to set advanced options for the LDAP provider, such as attribute mappings and connection security settings.
Name attribute
Specifies the LDAP attribute that contains UIDs, which are used as login names. The default value is uid.
Common name attribute
Specifies the LDAP attribute that contains common names (CNs). The default value is cn.
Email attribute
Specifies the LDAP attribute that contains email addresses. The default value is mail.
GECOS field attribute
Specifies the LDAP attribute that contains GECOS fields. The default value is gecos.
UID attribute
Specifies the LDAP attribute that contains UID numbers. The default value is uidNumber.
GID Attribute
Specifies the LDAP attribute that contains GIDs. The default value is gidNumber.
Home directory attribute
Specifies the LDAP attribute that contains home directories. The default value is homeDirectory.
UNIX shell attribute
Specifies the LDAP attribute that contains UNIX login shells. The default value is loginShell.
Member of attribute
Sets the attribute to be used when searching LDAP for reverse memberships. This should be an attribute of the posixAccount user object that lists the groups of which the POSIX user is a member. This setting has no default value.
Netgroup members attribute
Specifies the LDAP attribute that contains netgroup members. The default value is memberNisNetgroup.
Netgroup triple attribute
Specifies the LDAP attribute that contains netgroup triples. The default value is nisNetgroupTriple.
Group members attribute
Specifies the LDAP attribute that contains group members. The default value is memberUid.
Unique group members attribute
Specifies the LDAP attribute that contains unique group members. This attribute is used to determine which groups a user belongs to if the LDAP server is queried by the user’s DN instead of the user’s name. This setting has no default value.
Alternate security identities attribute
Specifies the name to be used when searching for alternate security identities. This name is used when OneFS tries to resolve a Kerberos principal to a user. This setting has no default value.
UNIX password attribute
Specifies the LDAP attribute that contains UNIX passwords. This setting has no default value.
Windows password attribute
Specifies the LDAP attribute that contains Windows passwords. A commonly used value is ntpasswdhash.
Certificate authority file
Specifies the full path to the root certificates file.
Require secure connection for passwords
Select to require a Transport Layer Security (TLS) connection.
Ignore TLS errors
Continues over a secure connection even if identity checks fail.
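The Server URIs, Bind DN password, Certificate authority file, Require secure connection for passwords and Ignore TLS errors settings together decide whether the bind password and the server's identity are protected. The following added example (not OneFS code; the settings dictionary and its key names are constructed here to mirror the dialog's fields) parses the URI list with the page's default ports and reports the combinations a reviewer would flag.

```python
"""Review the connection-security settings of an LDAP provider as described
on this page. Added example, not OneFS code; the settings keys are
constructed here to mirror the dialog's field names."""
from urllib.parse import urlsplit

# Default ports stated on the page for secure and non-secure LDAP
DEFAULT_PORTS = {"ldaps": 636, "ldap": 389}


def parse_server_uri(uri):
    """Return (scheme, host, port) for one URI line, filling in the default port."""
    parts = urlsplit(uri.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not a valid LDAP server URI: {uri!r}")
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def review_provider(settings):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    servers = [parse_server_uri(line)
               for line in settings["server_uris"].splitlines() if line.strip()]
    # Non-secure ldap:// servers only guarantee TLS if the provider requires it
    plain = [f"{host}:{port}" for scheme, host, port in servers if scheme == "ldap"]
    if plain and settings.get("bind_dn_password") and not settings.get("require_secure_connection"):
        findings.append("bind password may be sent in clear text to: " + ", ".join(plain))
    # Ignoring TLS errors continues even when the server identity check fails
    if settings.get("ignore_tls_errors"):
        findings.append("Ignore TLS errors is set: server identity is not verified")
    # ldaps:// without a root certificates file: confirm how certificates are validated
    if any(scheme == "ldaps" for scheme, _, _ in servers) and not settings.get("certificate_authority_file"):
        findings.append("ldaps:// in use without a certificate authority file; confirm certificate validation")
    return findings


# Constructed settings, one weak and one hardened, not taken from any real system
WEAK = {
    "server_uris": "ldap://ldap1.example.com\nldaps://ldap2.example.com:1636\n",
    "bind_dn_password": "placeholder",
    "require_secure_connection": False,
    "ignore_tls_errors": True,
    "certificate_authority_file": "",
}
HARDENED = dict(WEAK, server_uris="ldaps://ldap1.example.com\nldaps://ldap2.example.com:1636\n",
                require_secure_connection=True, ignore_tls_errors=False,
                certificate_authority_file="/ifs/data/ldap-root-ca.pem")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, review_provider(cfg) or ["no findings"])
```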
Enable
Select to enable the LDAP provider.
Cancel
Cancels creation of the LDAP provider and closes the dialog box.
Add an LDAP Provider
Adds the new LDAP provider to the system.
LDAP Providers
Table that displays a list of LDAP providers currently in the system.
Select an action
Lists actions that can be applied to multiple LDAP providers simultaneously.
Delete selection
Bulk action that deletes from the system each LDAP provider whose checkbox has been selected.
Provider Name
Displays the name of the LDAP provider.
Base distinguished name
The distinguished name (DN) of the entry at which to start LDAP searches.
Server URIs
Displays the server URIs of the LDAP provider.
Status
Displays whether the LDAP provider is enabled or disabled in the system.
View details
Expands the table to display the current attributes of the LDAP provider.
Edit
Enables you to make changes to the LDAP provider settings.
Hide details
Contracts the table to hide information about the LDAP provider.
Delete
Deletes the LDAP provider from the system.
Close
Contracts the table to hide information about the LDAP provider.