LDAP Service Provider


There are features and functions used in Arista NetVisor UNUM and Insight Analytics that are common throughout the user interface (UI). Please refer to the Common Functions section for more information on the use of these functions and features.


The following example details connecting NetVisor UNUM to a third-party LDAP Service Provider.


Prerequisites


To configure NetVisor UNUM to use LDAP, you need the following information in advance.


Type – Type of authentication service used on the domain: LDAP, AD, or possibly both.

Server URL – The LDAP server or service provider name and type of connection supported, either LDAPS (secure) or LDAP (non-secure), and the port numbers assigned to these servers, typically 636 and 389, respectively.

Base DN – The name of the base organization and domain name.

Manager DN (Distinguished Name) – The distinguished name (DN) used for the LDAP manager. This name is the account with admin-level privileges and allowed access to the LDAP server or service provider. This may exist as a UID (User ID) or a CN (Common Name). A Manager DN account name must be a binding user within the LDAP service.

Manager Password – The password for the admin-level account.

User DN Patterns – DN patterns used for simple bind authentication. These are the groups where user accounts exist.

User Search Filter – Any search filters specific to your LDAP service provider.


LDAP Service Provider Settings


Type: LDAP

Server URL: ldap.jumpcloud.com on Port 389

Base DN: 

Manager DN: uid=admin,ou=Users,o=xxxxxxxxxxxxxxxxxxxxbfd8,dc=jumpcloud,dc=com (some data obscured for security purposes)

Password: <password>

User DN Pattern: uid={0},ou=Users

User Search Filter: (objectClass=inetOrgPerson)


Usage Note:

After the initial configuration phase, you can test the connection using the built-in NetVisor UNUM test feature. However, this is only a pass/fail test and does not provide any troubleshooting information.

Arista Networks recommends using a third-party LDAP tool or OS commands to access and view the LDAP server or service provider to review the structure and required parameters.


OS Commands


In the following example, running the ldapsearch command on Linux or macOS returns useful information regarding the LDAP service structure.


ldapsearch -H ldap://ldap.jumpcloud.com:389 -ZZ -x -b "ou=Users,o=xxxxxxxxxxxxxxxxxxxxbfd8,dc=jumpcloud,dc=com" -D "uid=admin,ou=Users,o=xxxxxxxxxxxxxxxxxxxxbfd8,dc=jumpcloud,dc=com" -W "(objectClass=inetOrgPerson)"


Command Syntax


-H - LDAP URL

-ZZ - Issue StartTLS (Transport Layer Security) extended operation.

-x - Simple Authentication

-b - Base DN or Search Base starting point.

ou - Organizational Unit

o - Organization Account

dc - Domain Component (one per label of the domain name, for example dc=jumpcloud,dc=com)

-D - Manager DN 

-W - Prompt for password


Note: To view detailed information regarding the ldapsearch command, use the following command:

man ldapsearch


After entering the above command string, and if the connection is successful, enter the password associated with the account bound to the service (the Manager DN).


In this example, the bound account is: admin


You should receive a prompt to enter the password, or if you receive an error message, you will need to re-verify the LDAP settings.


A successful login displays information, as illustrated in the following example.




NetVisor UNUM LDAP Configuration


After confirming the login settings, add the LDAP server or service provider to NetVisor UNUM by selecting Menu Bar → → Auth Server.


The following dashboard displays when first configuring an Authentication Server if no previous servers exist.




Add Authentication Server


Click the Add Auth Server button to begin.


Enter the information for your server or service provider. 


Example Information


Type = LDAP

Server URL = ldaps

Hostname = ldap.jumpcloud.com 

Port = 636 (using a secure ldaps connection)

Base DN = o=xxxxxxxxxxxxxxxxxxxxbfd8,dc=jumpcloud,dc=com

Manager DN = uid=admin,ou=Users,o=xxxxxxxxxxxxxxxxxxxxbfd8,dc=jumpcloud,dc=com

Password = ldap_password associated with the Manager DN account

User DN Pattern = uid={0},ou=Users

User Search Filter = (objectClass=jumpcloudUser)




Click the Add button.




The new LDAP server or service provider displays in the dashboard.


Test the connection using the Test button.


Enter an LDAP user account name and the associated password and click Test. It is recommended to test with an admin-level account.




When the selected user name exists and the password is correct, NetVisor UNUM returns a "success" message.




You can use any user account which exists in the LDAP service to test the connection.




If the selected user name does not exist or the password is incorrect, NetVisor UNUM returns a "failed" message. 




As previously stated, this is only a pass/fail test, which does not provide any troubleshooting information.


If you encounter a failure, try re-entering the user name and password. The ldapsearch command, described above, provides useful information to aid in troubleshooting.


In this example, we see the user "cool" exists in the LDAP service. 




Verify the password is correct and re-test.


When in doubt, use an admin-level account to re-verify connectivity.




Note:

1) If the test fails, carefully review all settings.

2) Verify the server name is resolvable. Try using the IP address in place of the server name.

3) If using the IP address works, verify the DNS settings and ping the server using the FQDN.
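As an added example (not code from the NetVisor UNUM documentation or from JumpCloud), the following POSIX shell script reproduces what the ldapsearch section above does and what the UNUM Test button checks: it expands the User DN Pattern for a login name, binds as that user over StartTLS, and reports the LDAP result code that the pass/fail test hides. The hostname, Base DN, pattern and filter are the page's example values (the o= value is the page's obscured placeholder); the exit-code mapping assumes OpenLDAP's ldapsearch, which exits with the LDAP result code, and the script file name ldap_check.sh is assumed.

```shell
#!/bin/sh
# Added example, not NetVisor UNUM or JumpCloud code. Values mirror the page's
# settings; the o= value is the page's obscured placeholder, not a real org ID.
LDAP_URI="ldap://ldap.jumpcloud.com:389"
BASE_DN="o=xxxxxxxxxxxxxxxxxxxxbfd8,dc=jumpcloud,dc=com"
USER_DN_PATTERN="uid={0},ou=Users"
USER_SEARCH_FILTER="(objectClass=inetOrgPerson)"

# Accept only characters that need no RFC 4514 escaping, so a login name
# cannot change the structure of the DN built from the pattern.
valid_login_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Expand the User DN Pattern as a simple-bind authenticator does: put the
# login name in place of {0}, then append the Base DN to get the bind DN.
build_user_dn() {
    prefix=${1%%\{0\}*}; suffix=${1#*\{0\}}
    printf '%s%s%s,%s' "$prefix" "$2" "$suffix" "$3"
}

# OpenLDAP's ldapsearch exits with the LDAP result code (assumption stated
# in the lead-in); the UNUM pass/fail test hides exactly this detail.
describe_ldap_rc() {
    case "$1" in
        0)   echo "success: bind and search accepted" ;;
        32)  echo "noSuchObject: check Base DN and User DN Pattern" ;;
        49)  echo "invalidCredentials: wrong bind DN or password" ;;
        255) echo "cannot contact server: check hostname, port, DNS, TLS" ;;
        *)   echo "LDAP result code $1: see man ldapsearch" ;;
    esac
}

# Bind as the user the way the UNUM Test button does, over StartTLS (-ZZ) as in
# the page's manager search; -s base reads only the user's entry, -W prompts.
user_bind_test() {
    valid_login_name "$1" || { echo "rejected login name: $1" >&2; return 2; }
    user_dn=$(build_user_dn "$USER_DN_PATTERN" "$1" "$BASE_DN")
    rc=0
    ldapsearch -H "$LDAP_URI" -ZZ -x -D "$user_dn" -W \
        -b "$user_dn" -s base "$USER_SEARCH_FILTER" >/dev/null || rc=$?
    describe_ldap_rc "$rc"; return "$rc"
}

# Usage: sh ldap_check.sh cool   (with no argument, only the functions load)
if [ -n "${1:-}" ]; then user_bind_test "$1"; fi
```

Run it with the same login name you entered in the UNUM Test dialog; a 49 points at the password or the expanded DN, a 32 at the Base DN or pattern, and a 255 at name resolution, port or TLS, which is the information the dashboard's "failed" message leaves out.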


Edit LDAP Settings


Use the Cog icon and select Edit to make changes to the LDAP Server settings.





Click Update to save the revised settings.


Logging in to NetVisor UNUM


After LDAP account verification is successful, log in to NetVisor UNUM using LDAP credentials. In the following example, "cool" is the LDAP user name.



Once logged into NetVisor UNUM, the LDAP user is assigned a User Role and can view NetVisor UNUM dashboards.


Note the LDAP user name (illustrated in red for example purposes).



Note: NetVisor UNUM assigns LDAP accounts to a User Role; they do not appear in the Local User Management dashboard.



LDAP User Roles: 

NetVisor UNUM currently supports two roles, User and Local Admin. NetVisor UNUM assigns all LDAP or AD users to the User Role in NetVisor UNUM.

NetVisor UNUM ignores any assigned LDAP or AD roles.

Please refer to Manage Users for more information about these roles. 


Troubleshooting Tools


There are numerous tools to aid in troubleshooting LDAP connectivity problems. 


However, first and foremost, verify all settings are correct and match your LDAP Service Provider or AD/LDAP Server requirements.


Some of the tools that exist include:


OS Tools


LDAPSEARCH - Unix, Linux, macOS

TCPDump - Unix, Linux, macOS


Windows Tools


LDP.EXE

Active Directory Explorer

Active Directory Users and Computers


Third-Party Tools


LDAP Admin (UI-based tool)

TCPDUMP for Windows


The above is not an exhaustive list; it is only intended to provide several readily available options to assist in troubleshooting LDAP connectivity issues.

