11-03-2011 10:03 AM
I've been trying to get LDAP configured on a Fabric OS 6.4.1a. I’ve made some progress by following the documentation but it’s not quite working as I’d expect. This is a Windows 2008 R2 Domain, the brocade is using virtual fabrics (FIDs 128,10 & 20).
What I’ve done so far:
Import certificate on 2008 R2 Domain Controller (for secure LDAP)
Extend Schema with ‘brcdAdVfData’ attribute and assign this to the ‘user’ class.
Add the FID values of the virtual fabrics to the ‘brcdAdVfData’ attribute on the relevant user account (colon separated, e.g. 10:20:128)
Used ‘Adsiedit’ on the DC to configure the ‘adminDescription’ on CN=Users to HomeLF=10;LFRoleList=admin128,10,20;ChassisRole=ad
Used the following commands to configure LDAP from the FOS CLI:
aaaconfig --add <DC IP Address> -conf ldap -p 389 -d <Domain Name> -t 3
aaaconfig --authspec "ldap;local" -backup
ldapcfg --maprole <LDAP rolename> admin
Logon to Fabric OS CLI with name@FQDN - login appears to work.
The result is that I can login with my AD account from the CLI, but NOT from the GUI (I've tried the 'hafailover' command but it didn't fix the issue). Also, when I do log on to the CLI with my AD account, I have no admin permissions (e.g. if I issue an `ldapcfg --show` command it returns "Invalid Chassis Role, Set Chassis context returns -1").
I can’t figure out how to get the admin permissions and chassis admin role working, and GUI login for the AD account. Any advice appreciated.
11-04-2011 10:56 AM
I assume that you ran into a bug in the FOS code which does not allow you to log in to webtools. The official defect number is: "Defect ID: DEFECT000288021"
Try to install FOS 6.4.1b or higher to fix this issue.
If you are happy with this please rate the thread.
I hope this helps,
11-08-2011 05:22 AM
Thanks Andreas. I updated the firmware to v6.4.2b and it's fixed part of my problem in that I can now login to the GUI with my AD account. I'm still not getting the correct permissions from my AD account though; I can only manage the 'base' virtual fabric (128).
11-08-2011 05:33 AM
Check with userconfig --show which access rights you have got.
This will help you to find the correct settings.
Please have a look in the Admin Guide. You have to do a role mapping on the SAN switch with ldapcfg.
I have not implemented AD yet, so far I can only talk about RADIUS.
There is a section in the admin guide "Adding an Admin Domain or Virtual Fabric list" which shows you how to implement the VF with LDAP.
11-08-2011 08:25 AM
Userconfig shows that my AD account has admin role on the base virtual fabric (128), but no chassis permissions. It also doesn't list any permissions for my other virtual fabrics (10 and 20). I've used the info from the admin guide ( HomeLF=10;LFRoleList=admin:128,10,20;ChassisRole=a
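The posts above turn on the exact shape of the adminDescription string (the first post wrote `LFRoleList=admin128,10,20`, the later one `LFRoleList=admin:128,10,20`). The following is an added example, not code from the thread or from Brocade: a small parser that checks such a string before it goes into Active Directory, reports entries that do not fit the `HomeLF=<FID>;LFRoleList=<role>:<FID>,<FID>...;ChassisRole=<role>` layout quoted in the thread, and warns when the result would give fewer rights than intended (no ChassisRole, or a HomeLF that is not in any role's FID list). The 1..128 FID bound and the handling of a second bare `role:fids` item as a further LFRoleList entry are assumptions, not something the thread states.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Virtual Fabric IDs seen in the thread are 10, 20 and 128; the 1..128 bound
# below is an assumption used only as a sanity check on the string.
FID_MIN, FID_MAX = 1, 128


@dataclass
class AdminDescription:
    home_lf: Optional[int] = None
    lf_roles: Dict[str, List[int]] = field(default_factory=dict)  # role -> sorted FIDs
    chassis_role: Optional[str] = None
    errors: List[str] = field(default_factory=list)    # malformed input
    warnings: List[str] = field(default_factory=list)  # well-formed but likely too few rights


def _parse_fid(token: str, ctx: str, errors: List[str]) -> Optional[int]:
    token = token.strip()
    if not token.isdigit():
        errors.append(f"{ctx}: FID {token!r} is not a number")
        return None
    fid = int(token)
    if not FID_MIN <= fid <= FID_MAX:
        errors.append(f"{ctx}: FID {fid} outside {FID_MIN}..{FID_MAX}")
        return None
    return fid


def _parse_role_entry(entry: str, result: AdminDescription) -> None:
    # Expected shape: role:fid[,fid...]  e.g. admin:128,10,20
    role, sep, fids = entry.partition(":")
    role = role.strip()
    if not sep:
        # This is the defect in "admin128,10,20": role and FID list run together.
        result.errors.append(
            f"LFRoleList entry {entry!r} has no ':' between role and FID list")
        return
    if not role.isalpha():
        result.errors.append(f"LFRoleList role {role!r} is not a plain role name")
        return
    parsed = [f for f in (_parse_fid(t, f"LFRoleList/{role}", result.errors)
                          for t in fids.split(",")) if f is not None]
    if parsed:
        existing = set(result.lf_roles.get(role, []))
        result.lf_roles[role] = sorted(existing | set(parsed))


def parse_admin_description(value: str) -> AdminDescription:
    result = AdminDescription()
    for item in (p.strip() for p in value.split(";")):
        if not item:
            continue
        key, has_eq, raw = item.partition("=")
        key, raw = key.strip(), raw.strip()
        if not has_eq:
            # Assumption: a bare role:fids item is a further LFRoleList entry.
            if ":" in item:
                _parse_role_entry(item, result)
            else:
                result.errors.append(f"item {item!r} is not key=value")
        elif key == "HomeLF":
            result.home_lf = _parse_fid(raw, "HomeLF", result.errors)
        elif key == "LFRoleList":
            _parse_role_entry(raw, result)
        elif key == "ChassisRole":
            result.chassis_role = raw or None
            if not raw:
                result.errors.append("ChassisRole is empty")
        else:
            result.errors.append(f"unknown key {key!r}")

    # Cross-checks that mirror the symptoms reported in the thread.
    all_fids = {f for fids in result.lf_roles.values() for f in fids}
    if result.home_lf is not None and result.home_lf not in all_fids:
        result.warnings.append(f"HomeLF {result.home_lf} is not in any LFRoleList FID list")
    if result.chassis_role is None:
        result.warnings.append("no ChassisRole: chassis-level commands will be refused")
    if not result.lf_roles:
        result.warnings.append("no usable LFRoleList: this attribute grants no per-fabric role")
    return result


if __name__ == "__main__":
    # Constructed sample strings modelled on the two variants posted in the thread.
    for s in ("HomeLF=10;LFRoleList=admin:128,10,20;ChassisRole=admin",
              "HomeLF=10;LFRoleList=admin128,10,20;ChassisRole=admin"):
        r = parse_admin_description(s)
        print(s, "->", r.lf_roles, r.chassis_role, r.errors, r.warnings)
```

Running the parser over the string from a user's adminDescription before the account is tested on the switch makes a mistyped separator visible as an error rather than as a puzzling "only fabric 128" result after login.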
04-03-2013 09:20 AM
I read the Brocade admin guide and found:
Add the user’s Administrative Domains or Virtual Fabrics to the CN_list by either editing the
adminDescription value or adding the brcdAdVfData attribute to the existing Active Directory
As far as I understand, you are running FOS6.4.2 and win2008 AD. Where do you see the advantages/benefit of using the brcdAdVfData attribute instead of editing adminDescription? I am trying to understand if usage of the brcdAdVfData attribute depends on the FOS version in use or on the AD version in use. The old FOS6.4.0 admin guide only talks about editing the adminDescription.
Thanks for the explanation