LDAP user configuration

When configured to use LDAP support, the LR54 device uses a remote LDAP server for user authentication (password verification) and authorization (assigning the access level of the user). Additional LDAP servers can be configured as backup servers for user authentication.

This section outlines how to configure an LDAP server to be used for user authentication on your LR54 device.

There are several different implementations of LDAP, including Microsoft Active Directory. This section uses OpenLDAP as an example configuration. Other implementations of LDAP will have different configuration methods.

Example OpenLDAP configuration

With OpenLDAP, users can be configured in a text file using the LDAP Data Interchange Format (LDIF). In this case, we will be using a file called add_user.ldif.

  1. Create the add_user.ldif file in a text editor. For example:
    $ gedit ./add_user.ldif
  2. Add users to the file using the following format:
    dn: uid=john,dc=example,dc=com
    objectClass: inetOrgPerson
    cn: John Smith
    sn: Smith
    uid: john
    userPassword: password
    ou: admin serial
    • The value of uid and userPassword must correspond to the username and password used to log into the LR54 device.
    • The ou attribute is optional. If used, the value must correspond to authentication groups configured on your LR54. Alternatively, if the user is also configured as a local user on the LR54 device and the LDAP server authenticates the user but does not return any groups, the local configuration determines the list of groups. See Authentication groups for more information about authentication groups.

    Other attributes may be required by the user’s objectClass. Any objectClass may be used as long as it allows the uid, userPassword, and ou attributes.

  3. Save and close the file.
  4. Add the user to the OpenLDAP server:
    $ ldapadd -x -H 'ldap:///' -D 'cn=admin,dc=example,dc=com' -W -f add_user.ldif
    adding new entry "uid=john,dc=example,dc=com"
  5. Verify that the user has been added by performing an LDAP search:
    $ ldapsearch -x -LLL -H 'ldap:///' -b 'dc=example,dc=com'
    dn: uid=john,dc=example,dc=com
    objectClass: inetOrgPerson
    cn: John Smith
    sn: Smith
    uid: john
    ou: admin serial
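A pre-flight check to run over add_user.ldif before step 4, as an added example (not Digi documentation or OpenLDAP tooling). It parses the LDIF entries and confirms the attributes the LR54 relies on are present, that the entry's RDN matches its uid, that every ou token names an authentication group configured on the device, and that userPassword is not stored in cleartext (OpenLDAP accepts a hash produced by slappasswd, and simple bind still verifies against it). The group set, the jane entry and the hash placeholder are constructed for the example.

```python
"""Pre-flight check for add_user.ldif before ldapadd (added example, not Digi's or
OpenLDAP's code): each entry needs the attributes the LR54 maps onto a login, each
ou token must be a group configured on the device, and userPassword must be hashed."""
import re

LR54_GROUPS = {"admin", "serial"}  # assumed: groups configured on the LR54 (constructed)

def parse_ldif(text):
    """Split LDIF into entries (dict attr -> [values]); joins folded lines, skips comments."""
    entries, entry, last = [], {}, None
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if raw.startswith(" ") and last:  # folded continuation of the previous value
            entry[last][-1] += raw[1:]
        elif not raw:                      # blank line ends an entry
            if entry:
                entries.append(entry)
            entry, last = {}, None
        elif not raw.startswith("#"):
            attr, _, value = raw.partition(":")   # "attr:: base64" values stay undecoded
            entry.setdefault(attr, []).append(value.strip())
            last = attr
    return entries

def check_entry(entry, groups=LR54_GROUPS):
    """Return the problems found in one entry ([] means it looks fine)."""
    problems = [f"missing {a}" for a in ("dn", "uid", "userPassword") if a not in entry]
    if "dn" in entry and "uid" in entry:  # the LR54 logs in by uid, so the RDN should match it
        rdn = entry["dn"][0].split(",")[0]
        if rdn != f"uid={entry['uid'][0]}":
            problems.append(f"dn RDN {rdn!r} does not match uid {entry['uid'][0]!r}")
    for pw in entry.get("userPassword", []):
        if not re.match(r"\{[A-Za-z0-9-]+\}", pw):  # no {SSHA}/{CRYPT}/... scheme prefix
            problems.append("userPassword is cleartext; generate a hash with slappasswd")
    for token in " ".join(entry.get("ou", [])).split():  # "ou: admin serial" -> two groups
        if token not in groups:
            problems.append(f"ou names unknown authentication group {token!r}")
    return problems

# Constructed sample: the page's john entry (hash placeholder; objectClass/cn/sn omitted,
# the checker ignores them) plus a faulty jane entry.
SAMPLE_LDIF = """\
dn: uid=john,dc=example,dc=com
uid: john
userPassword: {SSHA}PLACEHOLDER_FROM_SLAPPASSWD
ou: admin serial

dn: uid=jane,dc=example,dc=com
uid: jane
userPassword: password
ou: admin ops
"""
```

Running `check_entry` over `parse_ldif(SAMPLE_LDIF)` reports nothing for john and two findings for jane (cleartext password, unknown group ops).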