09-04-2017 11:28 PM
I have a problem I hope you can help me solve.
In our SAN environment we have 6 director switches. Until now we haven't used AD integration for users, but we want to establish this now. The problem is that some of the switches were partitioned earlier, and that causes a problem when trying to log on to a specific context when already logged on to the base. I have used these commands so far:
aaaconfig --add <ipadress> -conf ldap -p 389 -d <domain.name> -t 3
aaaconfig --authspec "ldap;local"
ldapcfg --maprole "Domain.group" admin
So now our domain group is mapped to the role admin. When I log on to the partitioned switch and want to change to context 30, I get the error: VF Permission for fid 30 is denied.
output from userconfig --show
Account name: gun0014
Description: Remote Account
Password Last Change Date: Unknown (UTC)
Password Expiration Date: Not Applicable (UTC)
Home LF Role: admin
Role-LF List: admin: 128
No chassis permission
Home LF: 128
I guess it's because the Role-LF List for admin is 128 and not 1-128. Isn't there any simple command with which I can make the role "admin", which is associated with the AD group, access 1-128? I'm sure this would solve the problem. I'm not interested in converting the switch into only being a base switch again.
The switch is a DCX running FOS v7.4.1e
I really hope someone can help.
09-05-2017 04:40 AM
You are right, the user needs to have FID 30 in the LF list. In 7.4.1e, you have only two choices:
1. update the adminDescription attribute of the user in AD to something like
2. Add a new attribute brcdAdVfData as Unicode String to AD, and for the user below set the value as in (1)
With 7.4.2 and onwards you have the mapattr option in the ldapcfg command:
"The ldapCfg command supports a new option --mapattr to assign a list of vendor specific attributes. This enhances the LDAP configuration support for Brocade vendor specific attributes, such as chassis role, home logical fabric (LF), and LF list to be assigned per LDAP server group."
So, you can use a command like
ldapCfg --mapattr "Domain.group" -l "admin:1-128" -h 30 -c admin
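
As an added illustration (not part of the original posts and not Brocade code): a small Python check that parses the Role-LF List line from the userconfig --show output quoted in the question and reports whether a given FID is covered, which is the condition behind the "VF Permission for fid 30 is denied" error. The ";" separator between role entries and comma-separated FID items are assumptions; the thread shows only the "admin: 128" and "admin:1-128" forms.

```python
import re

# Abridged account block from the question (output of `userconfig --show`).
SAMPLE = """\
Account name: gun0014
Description: Remote Account
Home LF Role: admin
Role-LF List: admin: 128
No chassis permission
Home LF: 128
"""

def expand_fids(spec):
    """Expand '128', '1-128' or '1-10,30' into a set of FIDs.
    Comma-separated items are an assumption, not shown in the thread."""
    fids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        fids.update(range(int(lo), int(hi or lo) + 1))
    return fids

def parse_role_lf_list(text):
    """Return {role: set_of_fids} from the 'Role-LF List:' line.
    Several 'role: fids' pairs separated by ';' is an assumed format."""
    m = re.search(r"^Role-LF List:\s*(.+)$", text, re.MULTILINE)
    roles = {}
    if not m:
        return roles
    for pair in m.group(1).split(";"):
        role, sep, spec = pair.partition(":")
        if sep and spec.strip():
            roles.setdefault(role.strip(), set()).update(expand_fids(spec))
    return roles

def role_for_fid(text, fid):
    """Role the account holds in logical fabric `fid`, or None (access denied)."""
    for role, fids in parse_role_lf_list(text).items():
        if fid in fids:
            return role
    return None

if __name__ == "__main__":
    print("as mapped today, FID 30:", role_for_fid(SAMPLE, 30))
    widened = SAMPLE.replace("admin: 128", "admin: 1-128")
    print("with admin:1-128, FID 30:", role_for_fid(widened, 30))
```

Run against saved output for each remote account, the same check also shows which accounts hold a role in more logical fabrics than they need.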
09-05-2017 05:34 AM
Thanks a lot for your reply.
It was exactly this command I was seeking: "ldapCfg --mapattr "Domain.group" -l "admin:1-128" -h 30 -c admin"
We are on our way to update the core switches and I will use this command just after this upgrade.
We already have a minor switch, model 2498-F48, running FOS v8.0.1b (so I just tried to see what was possible).
On this switch I tried to write this command: "ldapcfg --help"
but the output was:
AKUT-HE_SW201A:FID128:admin> ldapcfg --help
--help: display this screen
--show: display all the mapped entries
--maprole <LDAP rolename> <switch rolename>:
creates a new mapping of ldap role with switch role
--unmaprole <LDAP rolename>:
delete an existing mapping of ldap role
Does this mean that I haven't got the option to do -mapattr on this kind of switch?
I actually thought it was possible here because of your input about the FOS version :-)
09-05-2017 05:48 AM
It is in 7.4.2 (RN) and 8.1.0 (RN), but I have not seen it in 8.0.x yet (last release is 8.0.2c).
09-05-2017 06:45 AM
Okay, I'm just a little confused now.
If it is in 7.4.2 (RN), shouldn't it apply to all the following FOS versions then?
Or does Brocade work on different tracks in FOS 7.x.x and 8.x.x ?
Thanks for your fast replies.
09-05-2017 06:54 AM
I expected it to be in 8.0.2x something, but as far as I have seen it is only in the 7.4.2 (maintenance) release, which was released in April 2017, and in 8.1.0 (March 2017). I would have expected it to be in any 8.0.x released after April/March, which leaves 8.0.2c in fact. I will be pinging the Product Manager to see whether it can be included in any future 8.0.2x release or not. It is not enough to look at the release number; you also have to look at the dates when the features were introduced.
09-05-2017 07:09 AM
Thanks a lot. Is it possible to be contacted when you have talked to a product manager?
I really would like to know more about this and which FOS versions I can expect it to be a part of. We have quite a big environment and it seems to me that this little attribute would be quite an easy way to fix this for us.
I appreciate your help