Setting up ldap with ssl enabled on Cisco MDS switches

nacer_bell
Level 1

Hi,

I successfully configured LDAP without SSL and was able to authenticate with my AD account without issues. But once SSL is enabled, nothing works. Do I need to upload the LDAP certificate to be able to authenticate? Need your help.

 

Regards,

2 Replies

nacer_bell
Level 1

Hi,

Thanks for your quick reply. Yes, we are running version 8.4(2a). I already went through the steps in the link you provided, except the "Configuring AAA Authorization on LDAP Servers" config, which I have not done as of now. I thought that all I need is to upload the LDAP root CA certificate, which I have not done either, because I'm not familiar with the commands and with how to get it uploaded to the switch.

Just a reminder: as I mentioned in my initial post, I was able to authenticate an AD user account successfully with LDAP without SSL enabled.

 

See below the complete config:

With SSL:

Myswitch(config)# ldap-server host xx.xx.xx.x1 enable-ssl
Myswitch(config)# ldap-server host xx.xx.xx.x2 enable-ssl

Myswitch(config)# ldap search-map s1
Myswitch(config-ldap-search-map)# userprofile attribute-name "memberOf" search-filter "cn=$userid" base-DN "OU=SERV,DC=lab,DC=Myorg,DC=dev"


Myswitch(config)# aaa group server ldap Mygroup
Myswitch(config-ldap)# server xx.xx.xx.x1
Myswitch(config-ldap)# server xx.xx.xx.x2
Myswitch(config-ldap)# ldap search-map s1


Myswitch(config)# ldap-server host xx.xx.xx.x1 rootDN "CN=serviceaccount,OU=Comptes de service,OU=SERV,DC=lab,DC=Myorg,DC=dev" password 7 ********* port 636
Myswitch(config)# ldap-server host xx.xx.xx.x2 rootDN "CN=serviceaccount,OU=Comptes de service,OU=SERV,DC=lab,DC=Myorg,DC=dev" password 7 ********* port 636

Myswitch(config)# ldap-server port 636

Myswitch(config)# sh ldap-server
timeout : 5
port : 636
deadtime : 0
total number of servers : 2

following LDAP servers are configured:
xx.xx.xx.x1:
idle time:0
test user:test
test password:********
test DN:dc=test,dc=com
timeout: 5 port: 636 rootDN: CN=serviceaccount,OU=Comptes de service,OU=SERV,DC=lab,DC=Myorg,DC=dev
enable-ssl: true
referral-disable: false
xx.xx.xx.x2:
idle time:0
test user:test
test password:********
test DN:dc=test,dc=com
timeout: 5 port: 636 rootDN: CN=serviceaccount,OU=Comptes de service,OU=SERV,DC=lab,DC=Myorg,DC=dev
enable-ssl: true
referral-disable: false

Myswitch(config)# test aaa group Mygroup myaccount ***********
error authenticating with servers in group

Am I missing something?

thanks!  
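As an added diagnostic (not from this thread or from Cisco), the stdlib-only Python client below does what the switch attempts against the domain controller on port 636: a TLS handshake validated against a CA file, followed by an LDAPv3 simple bind with the rootDN. Run from a Linux host with the root CA you intend to load on the switch, it separates a TLS trust failure (exception during the handshake) from a bind failure (resultCode 49); the host, DN, password and CA path are placeholders.

```python
import socket
import ssl


def ber_len(n: int) -> bytes:
    # BER length: short form below 128, long form (0x80|N followed by N length bytes) otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    # LDAPMessage { messageID (< 128), [APPLICATION 0] BindRequest { version 3, name, simple pw } }
    op = ber(0x60, ber(0x02, b"\x03") + ber(0x04, bind_dn.encode()) + ber(0x80, password.encode()))
    return ber(0x30, ber(0x02, bytes([msg_id])) + op)


def ber_read(buf: bytes, pos: int = 0):
    # Decode one tag-length-value at pos; returns (tag, value, position after it)
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def bind_result_code(msg: bytes) -> int:
    # resultCode of a BindResponse: 0 = success, 49 = invalidCredentials (RFC 4511)
    tag, body, _ = ber_read(msg)
    _, _, pos = ber_read(body)                  # skip messageID
    op_tag, resp, _ = ber_read(body, pos)
    if tag != 0x30 or op_tag != 0x61:           # 0x61 = [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, _ = ber_read(resp)
    return int.from_bytes(code, "big")


def ldaps_bind(host: str, port: int, bind_dn: str, password: str, cafile: str) -> int:
    # TLS verified against cafile (the CA you plan to load on the switch), then a simple bind.
    # SSLCertVerificationError: wrong CA, or no SAN matching `host` (IP or name), as given.
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, bind_dn, password))
            return bind_result_code(tls.recv(4096))
```

Call it as `ldaps_bind("xx.xx.xx.x1", 636, "CN=serviceaccount,OU=Comptes de service,OU=SERV,DC=lab,DC=Myorg,DC=dev", "<password>", "root-ca.pem")` with your own values; a return of 0 means both the TLS trust and the rootDN credentials are good from that host.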
