1 Introduction
This document describes how to configure Transport Layer Security (TLS) between LDAP Server and the Management Element (ME).
Authentication of the LDAP server and the ME, and encryption of the LDAP communication, are established by Public-Key Infrastructure (PKI) X.509 certificates.
The TLS connection uses the system-wide TLS cipher suite configured in the managed object Tls, see OPI Configure TLS Ciphers.
1.1 Prerequisites
This section describes the prerequisites that must be fulfilled before using the procedure.
1.1.1 Conditions
The following conditions must apply:
- The user has the System Security Administrator role.
- The LDAP server is set up for TLS and has an X.509 certificate.
- The X.509 certificate that the LDAP server sends to the ME to set up TLS is constructed properly: the subjectAltName (or subject) field in the certificate contains the Uniform Resource Identifier (URI) that is configured in the ME to reach the LDAP server, that is, the value of the attribute ldapIpAddress in the Ldap Managed Object (MO).
- The MO for the node credential certificate for LDAP TLS is known.
- The MO for the trust category for LDAP TLS is known.
- An Ericsson Command-Line Interface (ECLI) session in Exec mode is in progress.
2 Procedure
- Navigate to the Ldap MO, for example:
>dn ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1
- Enter Config mode:
(Ldap=1)>configure
- Set ldapIpAddress to the IP address of the remote LDAP server, for example:
(config-Ldap=1)>ldapIpAddress="192.168.0.10"
- Optionally, set the fallbackLdapIpAddress to be used when the primary LDAP server is down, for example:
(config-Ldap=1)>fallbackLdapIpAddress="192.168.0.11"
- Configure the baseDn from which the LDAP server starts to search for users, for example:
(config-Ldap=1)>baseDn="dc=my-domain,dc=com"
- If the LDAP server listens on a non-default port, serverPort must be set, for example:
(config-Ldap=1)>serverPort=1000
Enable TLS and Set the TlsMode in Ldap MO
- Enable TLS:
(config-Ldap=1)>useTls=true
- Optionally, configure the tlsMode attribute, for example:
(config-Ldap=1)>tlsMode=LDAPS
Configure Certificates to Be Used for TLS
- Set the reference to the applicable trust category, for example:
(config-Ldap=1)>trustCategory="ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=1"
- Optionally, set the reference to the applicable node credential certificate, for example:
(config-Ldap=1)>nodeCredential="ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1"
Note: It is mandatory to set the reference to the applicable node credential certificate if the LDAP server requires the ME to present a certificate for TLS.
- Commit the setting:
(config-Ldap=1)>commit
- Verify the result:
(Ldap=1)>show
The following is an example output:
Ldap=1
    baseDn="dc=my-domain,dc=com"
    fallbackLdapIpAddress="192.0.2.11"
    ldapIpAddress="192.0.2.10"
    nodeCredential="ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1"
    serverPort=1000
    tlsMode=LDAPS
    trustCategory="ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,CertM=1,TrustCategory=1"
    userLabel="LDAP based login authentication"
    useTls=true
    [...]
Note: If the attribute useTls in the Ldap MO is set to true, one of the following conditions must be met:
- Only trustCategory is set.
- Both nodeCredential and trustCategory are set.
If neither condition is met, depending on the configuration, one of the following error messages is reported to the NBI during the commit or validate operation:
- Error: neither nodeCredential nor trustCategory is available
- Error: trustCategory is not available
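The following Python script is an added example, not Ericsson code and not part of this OPI, of the two checks an operator may want to run before the commit step: the useTls, trustCategory and nodeCredential rule from the note above, and the prerequisite that the LDAP server certificate names the configured ldapIpAddress. It assumes that the first error message is reported when neither reference is set and the second when only nodeCredential is set, and it inspects a certificate dictionary in the layout returned by Python's ssl.SSLSocket.getpeercert(); the sample certificate is constructed.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit


def validate_tls_references(mo: dict):
    """Commit-time rule for useTls/trustCategory/nodeCredential: return the
    error string a commit or validate would report, or None when consistent."""
    if not mo.get("useTls", False):
        return None                      # TLS disabled: references not checked
    if mo.get("trustCategory"):
        return None                      # trustCategory alone, or both: accepted
    if mo.get("nodeCredential"):         # assumed mapping of the second message
        return "Error: trustCategory is not available"
    return "Error: neither nodeCredential nor trustCategory is available"


def _is_target(host, target) -> bool:
    """True when host is an IP literal equal to the configured ldapIpAddress."""
    try:
        return host is not None and ip_address(host) == target
    except ValueError:                   # a DNS name, not an address literal
        return False


def cert_names_server(peer_cert: dict, ldap_ip: str) -> bool:
    """Prerequisite check: does the server certificate name ldapIpAddress?
    peer_cert has the layout of ssl.SSLSocket.getpeercert(): subjectAltName
    is a tuple of (type, value) pairs, subject a tuple of RDNs of (key, value).
    A URI such as ldaps://192.0.2.10:636 is matched on its host part; the
    subject commonName is consulted only when no subjectAltName exists."""
    target = ip_address(ldap_ip)
    san = peer_cert.get("subjectAltName", ())
    for kind, value in san:
        if kind == "IP Address" and _is_target(value, target):
            return True
        if kind == "URI" and _is_target(urlsplit(value).hostname, target):
            return True
    if not san:
        for rdn in peer_cert.get("subject", ()):
            if any(k == "commonName" and _is_target(v, target) for k, v in rdn):
                return True
    return False


# Constructed sample certificate, in getpeercert() layout, for the
# ldapIpAddress shown in the example output (192.0.2.10).
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "ldap.my-domain.com"),),),
    "subjectAltName": (("DNS", "ldap.my-domain.com"), ("URI", "ldaps://192.0.2.10:636")),
}
```

Run cert_names_server against the certificate the LDAP server actually presents (for example, the dictionary from getpeercert() after a test connection) before committing, so that a mismatch between the certificate and ldapIpAddress is found before the ME starts rejecting the LDAP connection.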