Configuring an LDAP Domain

This section describes how to configure an LDAP domain so that LDAP users can access shared account resources.

Context

LDAP data is organized in a tree structure, which clearly shows the organizational information. A node on the tree is called an Entry. Each Entry has a distinguished name (DN). The DN of an Entry is composed of the base distinguished name (Base DN) and relative distinguished name (RDN). The Base DN refers to the position of the parent node where the Entry resides on the tree, and the RDN refers to an attribute that distinguishes the Entry from others.

A DN consists of the following parts:

Domain component (DC)
Identifies the domain name of a company or organization.
Organizational unit (OU)
Identifies the internal information classification of a company or organization.
Common name (CN)
Identifies the name of a directory Entry.

Procedure

Choose Resources > Access > Account.
Click the name of the desired account. On the page that is displayed, click the Domain Configuration tab.
Select LDAP and click Configure.
The Configure LDAP Domain page is displayed on the right.

Click Restore to Initial to restore the configured basic and advanced parameters to their initial values.

Configure basic LDAP domain parameters. Table 1 describes related parameters.

**Table 1** Basic LDAP domain parameters
Parameter	Description
Active Server Address	Indicates the IP address or domain name of the active LDAP domain server. NOTE: Ensure that the IP address is reachable. Otherwise, executing user authentication commands or network commands will time out. You can click Test to check whether the entered IP address can be pinged.
Standby Server Address 1	Indicates the IP address or domain name of standby LDAP server 1. NOTE: Ensure that the IP address is reachable. Otherwise, executing user authentication commands or network commands will time out. You can click Test to check whether the entered IP address can be pinged.
Standby Server Address 2	Indicates the IP address or domain name of standby LDAP server 2. NOTE: Ensure that the IP address is reachable. Otherwise, executing user authentication commands or network commands will time out. You can click Test to check whether the entered IP address can be pinged.
Protocol	Indicates the protocol used by the storage system to communicate with the LDAP domain server. LDAP: The system uses the standard LDAP protocol to communicate with the LDAP domain server. When the LDAP protocol is used, the network communication between the system and the domain server is not encrypted, which may cause security risks. You are advised to use the LDAPS protocol. LDAPS: The system uses the LDAPS protocol to communicate with the LDAP domain server The LDAPS protocol improves network communication security. If the domain server supports the LDAPS protocol, you are advised to select LDAPS.
Port	Indicates the port used by the storage system to communicate with the LDAP domain server. When Protocol is set to LDAP, the default port number is 389. When Protocol is set to LDAPS, the default port number is 636.
Base DN	Indicates the root directory of the domain server. That is, the start DN of the domain server specified for searching. After the Base DN is configured, all users in the Base DN can be added to the account. Each entry stored in the LDAP domain directory database has a unique identification, which can uniquely identify an object and its location in the directory tree. The identification of each entry in the database is called distinguished name (DN). The top of the directory tree is the root directory, that is, the Base DN. A DN consists of three attributes: cn, ou, and dc. For example, cn=Common name,ou=Organization unit,dc=example,dc=com is used to identify a user in an LDAP domain and ,dc=example,dc=com is the Base DN. [Example] dc=example,dc=com
Bind Level	Specifies the authentication type of the bind DN. Simple: simple authentication. SASL: simple authentication and security layer.
Bind DN	Binding is a process that a client initiates a connection request to establish a session to the LDAP server. If the LDAP server does not allow anonymous access, you need to specify the bind DN. A bind DN is used to query the directory server and must have the administrator permissions. [Example] cn=Manager,ou=people,dc=example,dc=com
Bind Password	Indicates the password of the bind DN. NOTE: A simple password may result in security issues. A complex password that contains uppercase letters, lowercase letters, digits, and special characters is recommended.
Confirm Bind Password	Enter the same bind DN password again.

Click Advanced and set the advanced parameters. Table 2 describes related parameters.

**Table 2** Advanced LDAP service parameters
Parameter	Description
Bind Using AD Credential	Determine whether to enable Bind Using the AD Credential. If this parameter is enabled when the system has been added to the AD domain, the AD domain account can be used as the LDAP bind DN.
User Directory	Indicates the user DN configured on the LDAP domain server.
User Search Scope	Indicates the search scope for user queries. BASE: only searches the named DN. ONELEVEL: searches the subnodes under the DN. SUBTREE: searches the named DN and subnodes under the DN.
User Group Directory	Indicates the user group DN configured on the LDAP domain server.
User Group Search Scope	Indicates the search scope for user group queries. BASE: only searches the named DN. ONELEVEL: searches the subnodes under the DN. SUBTREE: searches the named DN and subnodes under the DN.
Network Group DN	Indicates the network group DN.
Network Group Search Scope	Indicates the search scope for network group queries. BASE: only searches the named DN. ONELEVEL: searches the subnodes under the DN. SUBTREE: searches the named DN and subnodes under the DN.
Search Timeout Duration (Seconds)	Indicates the timeout duration that the client waits for the LDAP domain server to return the query result. The default value is 3.
Connection Timeout Duration (Seconds)	Indicates the timeout duration that the client establishes a connection with the LDAP domain server. The default value is 3.
Idle Timeout Duration (Seconds)	Indicates the timeout duration that the client has no communication with the LDAP domain server. The default value is 30.
LDAP Schema Template	Select an LDAP schema template. RFC2307: schema based on RFC2307 AD_IDMU: schema based on active directory identity management in UNIX NOTE: You can select a schema template for which relevant parameters are entered automatically. You can also customize relevant parameters instead of selecting a schema template. A schema defines the structure and rules for LDAP directories and how LDAP servers identify category, attribute, and other information of LDAP directories.
RFC2307 User Object	Indicates the name of the RFC2307 posixAccount object class defined by the schema. [Value range] The value contains 0 to 1024 characters. [Default value] posixAccount (displayed by default when RFC2307 is selected in LDAP Schema Template) User (displayed by default when AD_IDMU is selected in LDAP Schema Template)
RFC2307 User Group Object	Indicates the name of the RFC2307 posixGroup object class defined by the schema. [Value range] The value contains 0 to 1024 characters. [Default value] posixGroup (displayed by default when RFC2307 is selected in LDAP Schema Template) Group (displayed by default when AD_IDMU is selected in LDAP Schema Template)
RFC2307 Network Group Object	Indicates the name of the RFC2307 nisNetgroup object class defined by the schema. [Value range] The value contains 0 to 1024 characters. [Default value] nisNetgroup
RFC2307 uid Attribute	Indicates the name of the RFC2307 uid attribute defined by the schema. [Value range] The value contains 0 to 1024 characters. [Default value] uid
RFC2307 uidNumber Attribute	Indicates the name of the RFC2307 uidNumber attribute defined by the schema. [Value range] The value contains 0 to 1024 characters. [Default value] uidNumber
RFC2307 gidNumber Attribute	Indicates the name of the RFC2307 gidNumber attribute defined by the schema. [Value range] The value contains 0 to 1024 characters. [Default value] gidNumber
RFC2307cn (for Groups) Attribute	Indicates the name of the RFC2307cn attribute for groups defined by the schema. [Value range] The value contains 0 to 1024 characters. [Default value] cn
RFC2307cn (for Network Groups) Attribute	Indicates the name of the RFC2307cn attribute for network groups defined by the schema. [Value range] The value contains 0 to 1024 characters. [Default value] cn (displayed by default when RFC2307 is selected in LDAP Schema Template) name (displayed by default when AD_IDMU is selected in LDAP Schema Template)
RFC2307 memberUid Attribute	Indicates the name of the RFC2307 memberUid attribute defined by the schema. [Value range] The value contains 0 to 1024 characters. [Default value] memberUid
RFC2307 memberNisNetgroup Attribute	Indicates the name of the RFC2307 memberNisNetgroup attribute defined by the schema. [Value range] The value contains 0 to 1024 characters. [Default value] memberNisNetgroup
RFC2307 nisNetgroupTriple Attribute	Indicates the name of the RFC2307 nisNetgroupTriple attribute defined by the schema. [Value range] The value contains 0 to 1024 characters. [Default value] nisNetgroupTriple
RFC2307bis Supported	Indicates whether to enable the RFC2307bis attribute for the schema.
RFC2307bis groupOfUniqueNames Object	Indicates the name of the RFC2307bis groupOfUniqueNames object class defined by the schema. This parameter is valid only when RFC2307bis Supported is enabled. [Value range] The value contains 0 to 1024 characters. [Default value] groupOfUniqueName
RFC2307bis uniqueMember Object	Indicates the name of the RFC2307bis uniqueMember attribute defined by the schema. This parameter is valid only when RFC2307bis Supported is enabled. [Value range] The value contains 0 to 1024 characters. [Default value] uniqueMember

Click OK.