Configuring the LDAP Endpoint

This section describes how to configure the LDAP server endpoint and the associated filter mappings.

Based on the LDAP endpoint configuration, the LDAP endpoint authenticates itself with PCF to retrieve the subscriber details through the search query.

Note

Configuration changes to the LDAP endpoint cause the endpoint to restart automatically. Cisco recommends making such changes only within the maintenance window.

To configure the LDAP server endpoint, use the following configuration in the Policy Ops Center console:

config 
  ldap-server-endpoint 
  connect   
    bind-ip ip_address     
      port port_number 
    binddn username  
      password password 
    request-timeout timeout 
      replica replica_count 
    max-transactions maximum_transaction 
  health-check-attributes attribute_name 
    value attribute_value 
  health-check-filter name attribute_name  
    value attribute_value 
  ldap-clients client_name   
    password password 
  input-mapping filter_from_client 
  internal-lookup-key [ IMSI | IP_ADDRESS | MSISDN ] 
  output-mapping output_attribute_name   
    input session_attribute_name   
    end   
NOTES:
  • ldap-server-endpoint —Enters the LDAP server endpoint configuration mode.

  • connect —Enters the LDAP connection configuration.

  • bind-ip ip_address port port_number request-timeout timeout —Specify the external IP address and port number to which the LDAP client connects. The default port number is 9389.

  • binddn username password password —Specify the user DN (for example, cn=manager, ou=account, so=profile) and the password for connecting to the LDAP server.

  • request-timeout timeout_duration —Specify the duration in milliseconds after which the request expires. The request awaits a response from the PCF engine. The default timeout value is 2000.

  • replica replica_count —Specify the replica count for the LDAP server.

  • max-transactions maximum_transaction —Specify the maximum number of transactions per second that each connection must process. The default value is 200.

  • health-check-attributes attribute_name value attribute_value —Specify the attribute name and value that the client receives as a response to the health check request.

  • health-check-filter name attribute_name value attribute_value —Specify the attribute name and value that distinguishes the health check request.

  • ldap-clients client_name password password —Specify the configuration that PCF uses to configure multiple client authentication parameters.

  • input-mapping filter_from_client —Specify the configuration to map the filter ID received from the LDAP client to the internal-lookup-key. The accepted value must contain a text string, for example, IMSI, MSISDN, framedIp, or framedIpv6Prefix. You can configure the input mapping separately for framedIp, MSISDN, IMSI, and framedIpv6Prefix.

  • internal-lookup-key [ IMSI | IP_ADDRESS | MSISDN ] —Configures the internal lookup key.

  • output-mapping output_attribute_name input session_attribute_name —Specify the table that is used to define the response attributes for the client. The response attribute name is mapped to the internal CPS session attributes for added flexibility.

    Note
    PCF does not process the requests for which the output-mapping configuration is missing. The response attributes contain only those values that are configured in the output mapping as input key.

    You can configure multiple supported keys only if they are available in the PCF session. The input keys can be duplicated, but the output values cannot: you cannot configure two output-mappings with the same values.
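
Because a change to this configuration restarts the endpoint, it helps to check a planned mapping against the rules in the notes above before the maintenance window. The following is an added example, not Cisco or PCF code: the tuple layout, function names, and sample attribute names and values are assumptions made for illustration.

```python
# Added example: models the mapping rules from the notes; not PCF code.
ALLOWED_LOOKUP_KEYS = {"IMSI", "IP_ADDRESS", "MSISDN"}  # internal-lookup-key choices

def lint_mappings(input_mappings, output_mappings, session_attrs):
    """Return problems found in a planned mapping change (empty list = clean).

    input_mappings:  [(filter_from_client, internal_lookup_key), ...]
    output_mappings: [(output_attribute_name, session_attribute_name), ...]
    session_attrs:   attribute names known to exist in the PCF session
    This tuple layout is an assumption made for the example.
    """
    problems = []
    for filter_id, key in input_mappings:
        if not isinstance(filter_id, str) or not filter_id.strip():
            problems.append(f"input-mapping {filter_id!r}: filter ID must be a text string")
        if key not in ALLOWED_LOOKUP_KEYS:
            problems.append(f"input-mapping {filter_id!r}: bad internal-lookup-key {key!r}")
    if not output_mappings:
        problems.append("no output-mapping: PCF does not process these requests")
    seen = set()
    for out_name, session_attr in output_mappings:
        if out_name in seen:  # output names must be unique; input keys may repeat
            problems.append(f"output-mapping {out_name!r}: configured more than once")
        seen.add(out_name)
        if session_attr not in session_attrs:
            problems.append(f"output-mapping {out_name!r}: {session_attr!r} not in session")
    return problems

def build_response(session, output_mappings):
    """Return only the mapped attributes; None when nothing is mapped."""
    if not output_mappings:
        return None
    # Assumption: a mapped key that is absent from the session is skipped.
    return {out: session[attr] for out, attr in output_mappings if attr in session}

# Constructed sample data (attribute names and values are made up).
SESSION = {"imsi": "001010123456789", "msisdn": "15550100", "apn": "internet"}
INPUTS = [("IMSI", "IMSI"), ("MSISDN", "MSISDN"), ("framedIp", "IP_ADDRESS")]
OUTPUTS_OK = [("subscriberId", "imsi"), ("imsiCopy", "imsi"), ("phone", "msisdn")]
OUTPUTS_BAD = [("subscriberId", "imsi"), ("subscriberId", "msisdn"), ("plan", "tier")]

if __name__ == "__main__":
    print(lint_mappings(INPUTS, OUTPUTS_OK, SESSION))
    print(lint_mappings(INPUTS + [("uid", "UID")], OUTPUTS_BAD, SESSION))
    print(build_response(SESSION, OUTPUTS_OK))
```

In the sample, the unmapped session attribute apn never reaches the response, which is the data-minimizing effect of the output-mapping table.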