General questions on LDAP setup/configuration using Device Manager version 5.2(2) and Cisco NX-OS version 5.2(2) and 4.2(7b) on the MDS 9513 Mainframe Ficon and Fibre Channel switches.

Dave_Jaggernath
Level 1

Hi,

I'm trying to set up the LDAP Server but not having much success.

I took some screen snapshots from our MDS 9513 Ficon Directors and MDS 9513 Fibre Channel Directors (below); the first entry below is our MDS 9513 Ficon Directors used by our Mainframe/Host environment and the second entry is our MDS 9513 Fibre Channel (PPRC) switches:

Cisco NX-OS(tm) m9500, Software (m9500-sf2ek9-mz), Version 5.2(2), RELEASE SOFTWARE Copyright (c) 2002-2011 by Cisco Systems, Inc. Compiled 12/30/2011 14:00:00

Cisco NX-OS(tm) m9500, Software (m9500-sf2ek9-mz), Version 4.2(7b), RELEASE SOFTWARE Copyright (c) 2002-2009 by Cisco Systems, Inc. Compiled 8/16/2010 13:00:00

When I tried to set up/configure the LDAP server on either our MDS 9513 Ficon Directors or our MDS 9513 Fibre Channel switch (logging on as Admin, then selecting Security, followed by AAA), I do NOT see the LDAP selection.

Any assistance would be very much appreciated: what is missing, or are we not at the appropriate software/firmware level for LDAP support?

Thank you.


also, my e-mail address is:  dave.jaggernath@td.com

10 Replies

fvaninet
Cisco Employee

LDAP on NX-OS was introduced with the 5.x train.

In order to enable it from the CLI, do this:

feature ldap

Then you need to configure it according to the documentation.

Fausto

Hi, thank you very much, I really appreciate the update. So just to clarify and make sure that I understand:

1. Version 4.2(7b) does NOT support LDAP. We MUST be at level 5.x.

2. I reviewed the LDAP documentation and it appears that to configure LDAP we MUST use the CLI interface. Is there a GUI option available to perform the LDAP configuration, or must we use the CLI interface to perform the LDAP configuration?

Thank you, your response is very much appreciated.

Correct

Honestly, I always used the CLI to configure box-level features... graphical tools are ideal when you want a fabric view or need to configure a fabric-wide service (like zoning).

Fausto

Hi Fausto, thank you very much Sir for the quick response, it's very much appreciated. We'll do as you recommend for the LDAP feature and configuration. Do you have any tips and useful documentation other than what Cisco provides (i.e. Cisco MDS 9000 Family NX-OS Security Configuration Guide, Release 5.2) that might assist me when setting up/configuring LDAP? Sometimes there are tips/tricks that are not documented in the manual.

So, here's what we plan to do:

We have an external LDAP Server with SSL encryption for userid and password authentication on port 1500, with of course IP address and DNS. Any useful tips Fausto would be greatly appreciated. Thanks again Sir.

Hi

I would follow Cisco configuration guide. Default port for LDAP is 389 but that can be changed.

The one thing I want to let you know, though, is that generally customers do not use SSL encryption since NX-OS devices only need to search a directory server, and do not make any changes to it. For this reason, security concerns are automatically relaxed and any form of security is considered a not so needed complication.

Fausto


Hi Fausto, thanks for all the updates. Hope you had a nice and long weekend.


Ok, so from my end, we'll use the external LDAP server which has SSL on a specific port for the bind.

I reviewed the Cisco configuration guide for LDAP and there is something that I don't understand, maybe it's just me, but perhaps you can comment or let me know. Once we enable LDAP and update the default for the call to our external LDAP server, how do we set up the userid to use LDAP instead of the internal security? This is the one thing that I'm not sure how to do. Do you have any suggestions and/or examples of how to set up a userid, once LDAP is enabled, to switch from internal security to LDAP for the userid? Thanks again.

feature ldap
ldap-server host 172.16.0.15 rootDN "cn=Administrator,cn=users,dc=mylab,dc=net" password 7 F15hg123 port 389
ldap search-map memberOfSAN
  userprofile attribute-name "department" search-filter "(&(memberOf=cn=SAN,ou=LAB-USERS,dc=mylab,dc=net)(sAMAccountName=$userid))" base-DN "DC=mylab,DC=net"
aaa group server ldap core1
  server 172.16.0.15
  ldap-search-map memberOfSAN

aaa authentication login default group core1
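What the search-map above actually makes the switch do is bind as rootDN, replace $userid in the search-filter with the login name and search below base-DN; the memberOf clause is what restricts logins to the SAN group. The following is an added example (my own code, not Cisco's and not from this thread) that builds that filter with RFC 4515 escaping of the login name and evaluates it against a small constructed in-memory directory, so you can see offline which accounts a given filter admits and why escaping the substituted value matters. The directory entries and the helper names are all assumptions; the filter template is the one from the post.

```python
"""Emulate what the NX-OS LDAP search-map does with $userid.

Added example (not Cisco's code and not from the thread): builds the
search filter with RFC 4515 escaping of the login name and evaluates it
against a constructed in-memory directory.  Standard library only.
"""
import re

# Template copied from the thread's memberOfSAN search-map.
SEARCH_FILTER_TEMPLATE = (
    "(&(memberOf=cn=SAN,ou=LAB-USERS,dc=mylab,dc=net)(sAMAccountName=$userid))"
)

# Constructed sample directory: DN -> attributes (attribute names lower-cased).
DIRECTORY = {
    "cn=davej,cn=users,dc=mylab,dc=net": {
        "samaccountname": ["davej"],
        "memberof": ["cn=SAN,ou=LAB-USERS,dc=mylab,dc=net"],
    },
    "cn=alice,cn=users,dc=mylab,dc=net": {
        "samaccountname": ["alice"],
        "memberof": ["cn=SAN,ou=LAB-USERS,dc=mylab,dc=net",
                     "cn=Storage-Admins,ou=LAB-USERS,dc=mylab,dc=net"],
    },
    "cn=bob,cn=users,dc=mylab,dc=net": {
        "samaccountname": ["bob"],
        "memberof": ["cn=Backup-Operators,ou=LAB-USERS,dc=mylab,dc=net"],
    },
}

# RFC 4515 section 3: characters that must be hex-escaped in an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, userid: str) -> str:
    """Substitute $userid the way the search-map does, escaping the login name."""
    return template.replace("$userid", escape_filter_value(userid))


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(f: str, i: int = 0):
    """Parse a subset of RFC 4515: &, |, ! and attr=value with '*' wildcards."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    op = f[i]
    if op in "&|":
        i += 1
        kids = []
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        if f[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, kids), i + 1
    if op == "!":
        node, i = _parse(f, i + 1)
        if f[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return ("!", node), i + 1
    j = f.index("=", i)
    k = f.index(")", j)  # an escaped ')' is '\29', so this is the real close
    return ("=", f[i:j].lower(), f[j + 1:k]), k + 1


def _matches(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_matches(c, entry) for c in node[1])
    if kind == "|":
        return any(_matches(c, entry) for c in node[1])
    if kind == "!":
        return not _matches(node[1], entry)
    _, attr, pattern = node
    # '*' splits the value into literal pieces; literals compare case-insensitively
    rx = "^" + ".*".join(re.escape(_unescape(p)) for p in pattern.split("*")) + "$"
    return any(re.match(rx, v, re.IGNORECASE) for v in entry.get(attr, []))


def search(directory: dict, filt: str) -> list:
    """Return the sorted DNs the filter would match (like a subtree search)."""
    node, end = _parse(filt)
    if end != len(filt):
        raise ValueError("trailing data after filter")
    return sorted(dn for dn, entry in directory.items() if _matches(node, entry))


if __name__ == "__main__":
    for userid in ["davej", "bob", "*"]:
        filt = build_filter(SEARCH_FILTER_TEMPLATE, userid)
        print(f"{userid!r:8} -> {filt}\n{'':12}{search(DIRECTORY, filt)}")
    # Without escaping, a '*' login name would match every member of the SAN group.
    print(search(DIRECTORY, SEARCH_FILTER_TEMPLATE.replace("$userid", "*")))
```

The point for a production fabric is the second clause: a login is only admitted when the account is a member of the named group, so group membership on the directory side is what you audit when deciding who can reach the switches; the escaping shows why a substituted login name must never be able to change the shape of that filter.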

Hi Fausto, thanks for all the updates, it's very much appreciated. If I ask a silly question, please forgive me. It's just that all our switches are in Production, so when security is turned on I have to be 100% sure that I do NOT miss anything; this is the reason for all the questions, I hope you don't mind.

So we did the following LDAP configuration/line commands:


Dddddddd (config)# ldap-server host 49.26.26.1 rootDN "cn=davej,cn=users,host=b100,o=tdbank,c=ca"
Dddddddd (config)# ldap-server port 1419
Warning: Ldap global port configuration cli will be deprecated.
Dddddddd (config)# aaa group server ldap core1
Dddddddd (config-ldap)# server 49.26.26.1
Dddddddd (config-ldap)# aaa authentication login default group core1
Dddddddd (config)# ldap-server host 49.26.26.1 enable-ssl
Dddddddd (config)# show ldap-server
     timeout : 5
        port : 1419
    deadtime : 0
total number of servers : 1

following LDAP servers are configured:
    49.26.26.1:
                idle time:0
                test user:test
                test password:********
                test DN:dc=test,dc=com
        timeout: 5    port: 1419    rootDN: cn=davej,host=b100,o=tdbank,c=ca
        enable-ssl: true


When I tried to log on to this switch via Device Manager with userid davej, for an LDAP call to the external server 49.26.26.1, we do NOT see any messages in the LDAP server log. Can you please see, from the above config commands and setup of LDAP, whether we missed a step or forgot to enable any additional options?

Thank you Sir.

Hi,

I'm not sure I can really help you further on this and maybe a Cisco TAC engineer would serve you best.

My advice is this:

Disable SSL to start with.

Use telnet/SSH and not Device Manager to make your tests. I remember a while back Device Manager was a bit peculiar and some proxy capability was enabled with it.

Hope you can get to a happy ending.
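When the directory server log stays silent, the useful split is between "the switch never reaches the server" and "the server rejects the bind", and a workstation can test the first half without touching the production switch. The following is an added example (my own code, not Cisco's and not from this thread): it parses the show ldap-server transcript posted above into a dict, compares what the switch displays with what the operator typed (the displayed rootDN in the post lacks the cn=users component of the configured one, which may be a transcription difference but is exactly what such a check is for), and can open a plain TCP or TLS connection to the server and port. The sample transcript is the thread's; the finding wording, the helper names and the note about the test user/DN defaults are my assumptions.

```python
"""Sanity-check a 'show ldap-server' transcript and probe the LDAP endpoint.

Added example (not Cisco's code and not from the thread).  Standard library only.
Run without arguments to check the embedded transcript; run with <host> <port>
to attempt a TLS connection from this machine to a real server.
"""
import re
import socket
import ssl
import sys

# The transcript posted in the thread, used as constructed sample input.
SAMPLE_SHOW_OUTPUT = """\
     timeout : 5
        port : 1419
    deadtime : 0
total number of servers : 1

following LDAP servers are configured:
    49.26.26.1:
                idle time:0
                test user:test
                test password:********
                test DN:dc=test,dc=com
        timeout: 5    port: 1419    rootDN: cn=davej,host=b100,o=tdbank,c=ca
        enable-ssl: true
"""

# rootDN exactly as typed in the thread's 'ldap-server host ... rootDN' command.
CONFIGURED_ROOTDN = "cn=davej,cn=users,host=b100,o=tdbank,c=ca"


def parse_show_ldap_server(text: str) -> dict:
    """Return {'global': {...}, 'servers': {ip: {...}}} with lower-cased keys."""
    result = {"global": {}, "servers": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("following LDAP servers"):
            continue
        header = re.fullmatch(r"(\S+):", line)  # e.g. '49.26.26.1:'
        if header:
            current = header.group(1)
            result["servers"][current] = {}
            continue
        target = result["global"] if current is None else result["servers"][current]
        # several 'key: value' fields may share one line, separated by runs of spaces
        for field in re.split(r"\s{2,}", line):
            key, _, value = field.partition(":")
            target[key.strip().lower()] = value.strip()
    return result


def check_config(parsed: dict, expected_rootdn: str) -> list:
    """Return human-readable findings; an empty list means nothing looked off."""
    findings = []
    for ip, s in parsed["servers"].items():
        port = int(s.get("port") or parsed["global"].get("port") or 389)
        ssl_on = s.get("enable-ssl", "false").lower() == "true"
        if ssl_on and port == 389:
            findings.append(f"{ip}: enable-ssl with port 389; 389 is normally "
                            "cleartext LDAP, confirm the server terminates TLS there")
        if not ssl_on:
            findings.append(f"{ip}: enable-ssl is false, so the rootDN password and "
                            "user credentials cross the network in the clear")
        if s.get("rootdn") != expected_rootdn:
            findings.append(f"{ip}: switch shows rootDN {s.get('rootdn')!r}, "
                            f"expected {expected_rootdn!r}")
        # Assumption: 'test'/'dc=test,dc=com' are the stock test-bind values the
        # switch shows when none were set; they only matter if server monitoring is on.
        if s.get("test dn") == "dc=test,dc=com":
            findings.append(f"{ip}: test user/DN are still the stock values")
    return findings


def probe_endpoint(host: str, port: int, use_tls: bool, timeout: float = 5.0) -> dict:
    """Open a TCP connection (and a TLS handshake if asked) and report what happened."""
    result = {"host": host, "port": port, "tcp": False, "tls": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["tcp"] = True
            if use_tls:
                ctx = ssl.create_default_context()  # verifies the server certificate
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    result["tls"] = tls.version()
                    result["peer_subject"] = tls.getpeercert().get("subject")
    except (OSError, ssl.SSLError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    parsed = parse_show_ldap_server(SAMPLE_SHOW_OUTPUT)
    for finding in check_config(parsed, CONFIGURED_ROOTDN):
        print("finding:", finding)
    if len(sys.argv) == 3:
        print(probe_endpoint(sys.argv[1], int(sys.argv[2]), use_tls=True))
```

If probe_endpoint reports tcp True but a TLS error, the certificate presented on that port is the thing to look at before blaming the switch; if the workstation connects cleanly and the server log still shows nothing when the switch tries, the gap is between the switch and the server (routing, a firewall, or the management VRF), which is why testing over SSH with SSL disabled first, as suggested above, narrows the problem quickly.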

Hi, thank you Fausto for all your assistance and suggestions. I'll engage our support team and request a Cisco TAC engineer. Have an excellent day.