Configuring LDAP

Procedure

Step 1   Enable the LDAP function. LDAP is disabled by default.

set system aaa ldap disable false

Step 2   (Optional) Configure the command levels, the commands permitted at each level, and the group-to-level mapping. LDAP users in different groups receive different permissions.

set system aaa ldap command-level <value> permit <command>

set system aaa ldap group <group-name> command-level <value>

NOTE:

Admins should implement a fine-grained privilege control policy that carefully configures the set of commands (using command-level <value> permit <command>) that each user role is allowed to execute. This ensures that each user has access only to the system resources and operations they need, which significantly improves system security and operational accuracy.

Step 3   Configure the IPv4 address and port of the LDAP server. Up to two server IP addresses can be configured.

set system aaa ldap server-ip <ipv4-address> port <port>

Step 4   (Optional) Configure the bind DN and the shared secret (bind password) used between the router and the LDAP server.

set system aaa ldap bind root-dn <txt>

set system aaa ldap bind password <encrypted-password>

Step 5   Specify the distinguished name (DN) to use as the search base.

set system aaa ldap base-dn <txt>

Step 6   (Optional) Specify the time limit that the router waits for a response to an LDAP request.

set system aaa ldap search-timeout <value>

Step 7   (Optional) Specify the search filter to be used in search requests.

set system aaa ldap filter user-object-class <txt>

Step 8   Commit the configuration.

commit

Step 9   View the configuration information and status of LDAP.

run show ldap

show | display set

NOTE:

Users can use the following command to view their own permitted commands and command level.

show | display set
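The following is a complete worked configuration for the procedure above, added here as an example and not taken from the Pica8 documentation. Every value (server addresses, DNs, group names, command levels, the permitted commands and the timeout unit) is constructed for illustration and must be replaced with your own; the lines beginning with # are annotations, not CLI input, and quoting of the DN strings is assumed.

```text
# Step 1: enable LDAP (it is disabled by default)
set system aaa ldap disable false

# Step 2: two roles with different privilege levels (levels and
# permitted commands are assumed values for this example).
# Level 1: read-only operators may only run "show".
set system aaa ldap command-level 1 permit show
# Level 2: administrators may additionally change and commit configuration.
set system aaa ldap command-level 2 permit show
set system aaa ldap command-level 2 permit set
set system aaa ldap command-level 2 permit commit
# Map LDAP groups (constructed names) to the levels defined above.
set system aaa ldap group netops-readonly command-level 1
set system aaa ldap group netops-admins command-level 2

# Step 3: primary and secondary LDAP servers (constructed addresses)
set system aaa ldap server-ip 192.0.2.10 port 389
set system aaa ldap server-ip 192.0.2.11 port 389

# Step 4: bind credentials the router uses (constructed DN; the password
# placeholder is the same one used in the procedure)
set system aaa ldap bind root-dn "cn=picos-bind,ou=service,dc=example,dc=com"
set system aaa ldap bind password <encrypted-password>

# Step 5: search base for user lookups (constructed DN)
set system aaa ldap base-dn "ou=people,dc=example,dc=com"

# Step 6: give up on an unanswered request after this long (assumed unit: seconds)
set system aaa ldap search-timeout 5

# Step 7: only entries of this object class are treated as user accounts
set system aaa ldap filter user-object-class inetOrgPerson

# Step 8: apply the configuration
commit

# Step 9: verify LDAP status and review the resulting configuration
run show ldap
show | display set
```

Before committing, confirm that the group names configured in Step 2 match the group attribute values your LDAP server returns, since a user whose groups map to no command level receives none of the permitted commands.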


Copyright © 2024 Pica8 Inc. All Rights Reserved.