LDAP Service Provider
There are features and functions used in Arista NetVisor UNUM and Insight Analytics that are common throughout the user interface (UI). Please refer to the Common Functions section for more information on the use of these functions and features.
The following example details connecting NetVisor UNUM to a third-party LDAP Service Provider.
Prerequisites
To configure NetVisor UNUM to use LDAP, you need the following information in advance.
•Type – The type of authentication service used on the domain: LDAP, AD, or possibly both.
•Server URL – The LDAP server or service provider name and type of connection supported, either LDAPS (secure) or LDAP (non-secure), and the port numbers assigned to these servers, typically 636 and 389, respectively.
•Base DN – The name of the base organization and domain name.
•Manager DN (Distinguished Name) – The distinguished name (DN) used for the LDAP manager. This name is the account with admin-level privileges and allowed access to the LDAP server or service provider. This may exist as a UID (User ID) or a CN (Common Name). A Manager DN account name must be a binding user within the LDAP service.
•Manager Password – The password for the admin-level account.
•User DN Patterns – DN patterns used for simple bind authentication. These are the groups where user accounts exist.
•User Search Filter – Any search filters. Specific filters used by your LDAP service provider.
LDAP Service Provider Settings
Type: LDAP
Server URL: ldap.jumpcloud.com on Port 389
Base DN:
Manager DN: uid=admin,ou=Users,o=xxxxxxxxxxxxxxxxxxxxbfd8,dc=jumpcloud,dc=com (some data obscured for security purposes)
Password: <password>
User DN Pattern: uid={0},ou=Users
User Search Filter: (objectClass=inetOrgPerson)
Usage Note:
After the initial configuration phase, you can test the connection using the built-in NetVisor UNUM test feature. However, this is only a pass/fail test and does not provide any troubleshooting information.
Arista Networks recommends using a third-party LDAP tool or OS commands to access and view the LDAP server or service provider to review the structure and required parameters.
OS Commands
In the following example, running the ldapsearch command on Linux or macOS returns useful information regarding the LDAP service structure.
ldapsearch -H ldap://ldap.jumpcloud.com:389 -ZZ -x -b "ou=Users,o=xxxxxxxxxxxxxxxxxxxxbfd8,dc=jumpcloud,dc=com" -D "uid=admin,ou=Users,o=xxxxxxxxxxxxxxxxxxxxbfd8,dc=jumpcloud,dc=com" -W "(objectClass=inetOrgPerson)"
Command Syntax
•-H - LDAP URL
•-ZZ - Issue StartTLS (Transport Layer Security) extended operation.
•-x - Simple Authentication
•-b - Base DN or Search Base starting point.
•ou - Organizational Unit
•o - Organization Account
•dc - domain specifics
•-D - Manager DN
•-W - Prompt for password
Note: To view detailed information regarding the ldapsearch command use the following command:
man ldapsearch
After entering the above command string, if the connection is successful, you are prompted for the password of the account bound to the service.
In this example, the bound account is: admin
You should receive a prompt to enter the password; if you receive an error message instead, re-verify the LDAP settings.
A successful login displays information, as illustrated in the following example.
NetVisor UNUM LDAP Configuration
After confirming the login settings, proceed to add the LDAP server or service provider to NetVisor UNUM by selecting Menu Bar → → Auth Server in NetVisor UNUM.
The following dashboard displays when first configuring an Authentication Server if no previous servers exist.
Add Authentication Server
Click the Add Auth Server button to begin.
Enter the information for your server or service provider.
Example Information
Type = LDAP
Server URL = ldaps
Hostname = ldap.jumpcloud.com
Port = 636 (using a secure ldaps connection)
Base DN = o=xxxxxxxxxxxxxxxxxxxxbfd8,dc=jumpcloud,dc=com
Manager DN = uid=admin, ou=Users, o=xxxxxxxxxxxxxxxxxxxxbfd8,dc=jumpcloud,dc=com
Password = ldap_password associated with the Manager DN account
User DN Pattern = uid={0},ou=Users
User Search Filter = (objectClass=jumpcloudUser)
Click the Add button.
The new LDAP server or service provider displays in the dashboard.
Test the connection using the Test button.
Enter an LDAP user account name and the associated password and click Test. It is recommended to test with an admin-level account.
When the selected user name exists and the password is correct, NetVisor UNUM returns a "success" message.
You can use any user account which exists in the LDAP service to test the connection.
If the selected user name does not exist or the password is incorrect, NetVisor UNUM returns a "failed" message.
As previously stated, this is only a pass/fail test, which does not provide any troubleshooting information.
If you encounter a failure, try re-entering the user name and password. The ldapsearch command, described above, provides useful information to aid in troubleshooting.
In this example, we see the user "cool" exists in the LDAP service.
Verify the password is correct and re-test.
When in doubt, use an admin-level account to re-verify connectivity.
Note:
1) If the test fails, carefully review all settings.
2) Verify the Server name is resolvable. Use the IP address in place of the Server name.
3) If using the IP address works, verify the DNS settings and ping the server using the FQDN.
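As an added example (not part of this Arista page and not NetVisor UNUM code), the following Python script turns the Auth Server settings above into the three ldapsearch checks this page describes (manager bind, look up the user, bind as the user) and escapes the user name before it is substituted into the User DN Pattern and the search filter. It assumes the pattern is relative to the Base DN, as the example settings suggest, and that ldapsearch is on PATH when you run the printed commands.

```python
# Added example (not NetVisor UNUM code): build the ldapsearch checks for an
# Auth Server entry, escaping user input so {0} cannot alter the DN or filter.
import shlex

def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == '#' and i == 0) or \
           (ch == ' ' and i in (0, len(value) - 1)):
            out.append('\\')
        out.append(ch)
    return ''.join(out)

def escape_filter_value(value):
    """Escape a value for use inside a search filter (RFC 4515)."""
    table = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}
    return ''.join(table.get(ch, ch) for ch in value)

def user_dn(pattern, base_dn, username):
    """Expand a User DN Pattern such as uid={0},ou=Users for one user.
    Assumption: the pattern is relative to the Base DN, as in the page's example."""
    rdn = pattern.replace('{0}', escape_dn_value(username))
    return f'{rdn},{base_dn}' if base_dn else rdn

def build_checks(cfg, username):
    """Return the ldapsearch commands to run, in order, for a settings dict."""
    url = f"{cfg['scheme']}://{cfg['host']}:{cfg['port']}"
    tls = [] if cfg['scheme'] == 'ldaps' else ['-ZZ']   # plain ldap:// needs StartTLS
    base = ['ldapsearch', '-H', url, *tls, '-x', '-W']
    attr = cfg['user_dn_pattern'].split('=')[0]          # e.g. 'uid'
    udn = user_dn(cfg['user_dn_pattern'], cfg['base_dn'], username)
    find_user = f"(&{cfg['user_filter']}({attr}={escape_filter_value(username)}))"
    mgr = ['-b', cfg['base_dn'], '-D', cfg['manager_dn']]
    return {
        'manager_bind': shlex.join(base + mgr + [cfg['user_filter']]),   # Manager DN, password, Base DN
        'find_user': shlex.join(base + mgr + [find_user]),               # the user UNUM would look up
        'user_bind': shlex.join(base + ['-b', udn, '-s', 'base', '-D', udn, '(objectClass=*)']),  # Test button
    }

UNUM_EXAMPLE = {  # values from the page's example; org id obscured as on the page
    'scheme': 'ldaps', 'host': 'ldap.jumpcloud.com', 'port': 636,
    'base_dn': 'o=xxxxxxxxxxxxxxxxxxxxbfd8,dc=jumpcloud,dc=com',
    'manager_dn': 'uid=admin,ou=Users,o=xxxxxxxxxxxxxxxxxxxxbfd8,dc=jumpcloud,dc=com',
    'user_dn_pattern': 'uid={0},ou=Users', 'user_filter': '(objectClass=jumpcloudUser)',
}

if __name__ == '__main__':
    for name, cmd in build_checks(UNUM_EXAMPLE, 'cool').items():
        print(f'# {name}\n{cmd}')
```

Each printed command prompts for the relevant password (-W), so a failure at step 1 points at the Manager DN or Base DN, at step 2 at the filter or pattern, and at step 3 at the user's own password.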
Edit LDAP Settings
Use the Cog icon and select Edit to make changes to the LDAP Server settings.
Click Update to save the revised settings.
Logging in to NetVisor UNUM
After LDAP account verification is successful, log in to NetVisor UNUM using LDAP credentials. In the following example, "cool" is the LDAP user name.
Once logged into NetVisor UNUM, the LDAP user is assigned a User Role and can view NetVisor UNUM dashboards.
Note the LDAP user name (illustrated in red for example purposes).
Note: NetVisor UNUM assigns LDAP accounts to a User Role, and they do not appear in the Local User Management dashboard.
LDAP User Roles:
NetVisor UNUM currently supports two roles, User and Local Admin. NetVisor UNUM assigns all LDAP or AD users to the User Role in NetVisor UNUM.
NetVisor UNUM ignores any assigned LDAP or AD roles.
Please refer to Manage Users for more information about these roles.
Troubleshooting Tools
There are numerous tools to aid in troubleshooting LDAP connectivity problems.
However, first and foremost, verify all settings are correct and match your LDAP Service Provider or AD/LDAP Server requirements.
Some of the tools that exist include:
OS Tools
•LDAPSEARCH - Unix, Linux, macOS
•TCPDump - Unix, Linux, macOS
Windows Tools
•LDP.EXE
•Active Directory Explorer
•Active Directory Users and Computers
Third-Party Tools
•LDAP Admin (UI-based tool)
•TCPDUMP for Windows
The above is not an exhaustive list and only intended to provide you with several options readily available to assist in troubleshooting LDAP connectivity issues.