
Implementing QoS Through Directories

QPM-COPS interacts with LDAP directory servers for the following reasons:

These topics describe the following:

Projector Architecture

The Projector is automatically installed as a service (Cisco QPM Projector) during the installation process. It connects to the QPM Server and registers as a PDP. Directory Server parameters such as host, port, bind DN (the Distinguished Name of the user) and password are entered by the user and received by the QPM Server.

As illustrated in Figure 12-1, the QPM Server communicates with the Projector via the CORBA protocol and the Projector communicates with the Directory server via the LDAP protocol.


Figure 12-1: QPM-LDAP Setup Architecture


QPM uses the QoS Policy Schema (see http://search.ietf.org/internet-drafts/draft-ietf-policy-qos-schema-01.txt) to represent the QPM database in the Directory Server.

Projection Process

The LDAP Projection process is similar to the distribution from the QPM Server to the PDPs. When the user activates the policy distribution process, the QPM Server invokes the Projector. The Projector uses LDAP to write the policy information to the designated Directory Server. The entire policy database is written to the Directory Server in a predefined order. The LDAP Projector returns the result of the operation to the QPM Server after the projection process has ended successfully or an error occurred.

After every database deployment, a new QPMDIT (QPM Directory Information Tree) is written below the QpmRoot in the Directory Server. The DITManager object points to the Active (most recently deployed) DIT using the attribute qpmActiveDIT. A QPMDIT that is no longer active is automatically deleted after twenty minutes (the default time).

Configuring Projection with the User Interface


Note Refer to specific vendor documentation for Directory Server setup.

Viewing LDAP Projector Information

In QPM-COPS, an LDAP Projector is treated as a Deployment Agent when viewed from the Distribution Manager UI. The UI presents the Projector's status information as it would a regular PDP. Because the Projector represents only a copy of the QPM database, no devices are reported for the Projector in the UI.

Procedure


Step 1 In the menu bar, choose Distribution Manager. The Current Deployment Job page appears with the Distribution Manager option bar.

The LDAP Projector portion of the page is shown in Figure 12-2.


Figure 12-2: LDAP Projector Details from the Distribution Manager UI



Setting Up for Policy Export

Before the QPM Server can distribute the QPM database information to the Directory Server, you must set up the system for Policy Export.

Procedure


Step 1 Log in to CiscoWorks2000 as explained in "Getting Started." The CiscoWorks2000 navigation tree appears in the left frame.


Figure 12-3: CiscoWorks2000 Navigation Tree


Step 2 From the navigation tree, select Policy System Setup.

Step 3 From the Policy System Setup subtree, click Policy Export. The Policy Export Directory Settings page appears:


Figure 12-4: Policy Export Directory Settings Page


Step 4 In the IP/Host Name field, enter the name or IP address of the machine where the Directory Server is located.

Step 5 In the Port field, enter the LDAP port number.

Step 6 In the DIT Location field, enter the location (DN) where the root directory of the QPM database will be written on the Directory Server.

Step 7 The Authentication Method can be either Anonymous, Clear text password, or Strong Authorization. Anonymous will not usually allow write privileges. QPM currently supports Clear text password only.

Step 8 In the Bind DN (Distinguished Name) field, enter the DN of the user with at least read privileges for the DIT Location.

Step 9 In the Password field, enter the password of the user from Step 8.

Step 10 Click Save Settings to save the settings, verify the fields, and check whether the user has read permission. Write privileges are not verified at this time. If, for example, the Directory Server is down and you do not want to check the settings, clear the Check Settings check box to skip the verify procedure.


Updating LDAP Schema

The schema is the definition of how the QPM database is organized on the Directory Server. Use Update LDAP Schema for Microsoft Active Directory and for Netscape Directory Server 4.1 or higher.

Procedure


Step 1 From the Policy Export Directory Settings page (Figure 12-4), click the link LDAP Schema. The following Policy Projection Schema page appears:


Figure 12-5: Policy Projection Schema Page


Step 2 Enter the Authentication Method. (Clear text password is supported.)

Step 3 Enter the Bind DN of the user who has privileges to update the schema of the Directory Server.

Step 4 Enter the password of the user from Step 3.

Step 5 Click Check Schema to check if the QPM schema is already configured. (This step is not mandatory for updating a schema.) This operation can take a few minutes.

Step 6 Click Update Schema to install the schema into the Directory Server. When the update is complete, Schema was updated is displayed. This operation can take a few minutes.



Note In the case of Check Schema or Update Schema, connection/authorization is done first and check/update is done second. If either (or both) the Bind DN or the password is incorrect, you will receive a warning message and the check/update will not continue.


Note For Netscape Server 4.0 or below, see Netscape Directory Server for update instructions.

Updating the Schema of the Directory Server

QPM-COPS includes the policy schema definition files under the installation directory (per Directory Server type). During the Policy System Setup process, these files are used by QPM to remotely check whether the target directory's schema is updated and if not, upon specific user request, update the Directory Server with the schema information. This setup function is performed using standard LDAP requests.

The following topics give specific information for different Directory Servers:

Microsoft Active Directory

To allow schema update in Active Directory, you must set your system to allow schema updates. This is not set automatically.


Note To update the schema, the user must have a valid (and not a null) password. An authenticated user with a null password will fail.

Procedure


Step 1 From the Windows 2000 Server disk, install the Adminpak (<CD drive>:\i386\adminpak.msi).

Step 2 Click Start>Run and enter MMC (Microsoft Management Console).

Step 3 Select the Console menu.

Step 4 Select Add/Remove Snap In.

Step 5 Click Add.

Step 6 Select Active Directory Schema.

Step 7 Click Add.

Step 8 Click Close.

Step 9 Click OK.

Step 10 Select the Console menu.

Step 11 Select Save (Console1).

Step 12 Select Console1.

Step 13 Expand Console Root.

Step 14 Right-click Active Directory Schema.

Step 15 Select Operation Master.

Step 16 In the Change Schema Master dialog box, click the check box that corresponds to The Schema may be modified on this Domain Controller.

Step 17 Click OK. (See Figure 12-6.)


Figure 12-6: Microsoft Active Directory Console - Change Schema Master




Note The default Bind DN for Microsoft Active Directory is:
cn=Administrator,cn=users,DC=<Domain Controller>,DC=<organization>,DC=<com>


Note The DIT Location in Microsoft Active Directory must be of type Domain DNS, Organization, or OrganizationalUnit.

Netscape Directory Server

Updating the schema for Netscape Directory Server version 4.1 and above is done via the UI. For versions 4.0 and below, updating the schema is done via configuration files.


Note QPM inserts ACI (Access Control Information) to avoid anonymous reads. If you use the Netscape console to view QPM information in the Directory Server, note that QPM information cannot be viewed using anonymous credentials. You must enter the proper credentials. See "Troubleshooting QPM-COPS" for more information.

Procedure


Step 1 Copy the files slapd.user_oc.conf and slapd.user_at.conf from the full\Directory Server Files\Netscape_DS_Files\ subdirectory (on the QPM installation CD).

Step 2 Paste the files into the directory
<Netscape home directory>/Server<Version Number>/slapd-<Host Name>/config

Step 3 Restart the Directory Server using one of the following:



Note The default Bind DN for Netscape Directory Server is:
cn=directory manager

Integrating QPM-COPS and CNR

CNR (Cisco Network Registrar) is another Cisco product. It manages user groups and IP addresses; the information is stored on an LDAP Active Directory Server. CNR provides scalable, feature-rich DNS and DHCP servers, which provide naming and configuration services in an IP network. The primary objective of CNR is to use a directory service to provide a central repository of IP addresses and DNS data for large enterprise and service provider customers. CNR also allows you to control administrative access to IP address data by network, subnet, or address and to DNS data by domain, zone, or name.

In QPM, you can define policies for specific groups. During policy distribution, the group information is retrieved from CNR. QPM replaces group information with actual IP addresses and forwards this information to the devices. QPM-COPS offers user groups for either source or destination IP address selection. These user groups are one of the attributes that can be set in Filters, and can be used to map address ranges into router Access Control Lists (ACLs). Careful design and use of CNR selection tags can reduce the potentially large ACLs produced by QPM.

For more information on CNR, contact your sales account manager.

Accessing CNR Information with the User Interface

This section discusses the following topics:


Note Refer to specific vendor documentation for Directory Server setup.

Setting Up for CNR Import

Before the QPM Server can use CNR information from the Directory Server, you must set up the system for CNR Import.


Note Contact your CNR Administrator to verify that QPM is defined in CNR with at least read permission.

Procedure


Step 1 Log in to CiscoWorks2000 as explained in "Getting Started." The CiscoWorks2000 navigation tree appears in the left frame.


Figure 12-7: CiscoWorks2000 Navigation Tree


Step 2 From the navigation tree, select Policy System Setup.

Step 3 From the Policy System Setup subtree, click CNR Import. The CNR Import Directory Settings page appears:


Figure 12-8: CNR Import Directory Settings Page


Step 4 In the IP/Host Name field, enter the name or IP address of the machine where the Directory Server is located.

Step 5 In the Port field, enter the LDAP port number.

Step 6 In the DIT Location field, enter the root directory of the QPM database on the Directory Server.

Step 7 The Authentication Method can be either Anonymous, Clear text password, or Strong Authorization. Anonymous will not usually allow write privileges. QPM currently supports Clear text password only.

Step 8 In the Bind DN (Distinguished Name) field, enter the ID of the user with write privileges for the DIT Location.

Step 9 In the Password field, enter the password of the Bind DN user.

Step 10 Click Save Settings to save the settings. If, for example, the Directory Server is down and you do not want to verify the settings, clear the Check Settings check box to skip the verify procedure.

Step 11 Click Retrieve User Groups to get a listing of all user groups that are valid for QPM. All settings are automatically saved at this time. The following page appears with the valid groups.


Figure 12-9: CNR User Groups Page


This page shows the following information:

Click a CNR tag to bring up the following page:


Figure 12-10: CNR User Group Page - Specific Group


The Address Pool table shows the Subnet Address, Mask, and IP address range for this group.
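The page notes that QPM expands each imported user group into router ACL entries and that the shape of a CNR address pool decides how large those ACLs become. The following added example (not QPM's own code) takes Address Pool rows as the page describes them (subnet, mask, first and last address of the range) and renders the fewest wildcard-mask entries that cover each range; the pool contents and the ACL number 101 are constructed for illustration.

```python
import ipaddress

# Constructed sample of what a CNR User Group page's Address Pool table
# shows for one selection tag: (subnet address, mask, first, last).
# Addresses are made up for this example.
SAMPLE_POOL = [
    ("10.1.1.0", "255.255.255.0", "10.1.1.10", "10.1.1.200"),   # partial range
    ("10.1.3.0", "255.255.255.0", "10.1.3.0", "10.1.3.255"),    # whole subnet
]


def range_to_blocks(first, last):
    """Collapse an address range into the fewest aligned CIDR blocks.

    Each block becomes one ACL entry, so the length of this list is the
    number of entries the range costs on the router.
    """
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return list(ipaddress.summarize_address_range(lo, hi))


def block_to_ace(block, acl_number=101, direction="source"):
    """Render one CIDR block as a Cisco extended ACL entry (wildcard mask)."""
    wildcard = block.hostmask          # inverse of the netmask, e.g. 0.0.0.255
    if direction == "source":
        return f"access-list {acl_number} permit ip {block.network_address} {wildcard} any"
    return f"access-list {acl_number} permit ip any {block.network_address} {wildcard}"


def pool_to_acl(pool, acl_number=101, direction="source"):
    """Expand every Address Pool row into ACL entries, refusing bad rows.

    A range that lies outside its declared subnet, or runs backwards, is a
    data error in the imported group and is rejected rather than expanded.
    """
    aces = []
    for subnet, mask, first, last in pool:
        net = ipaddress.ip_network(f"{subnet}/{mask}")
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo > hi or lo not in net or hi not in net:
            raise ValueError(f"range {first}-{last} is not inside {net}")
        for block in range_to_blocks(first, last):
            aces.append(block_to_ace(block, acl_number, direction))
    return aces


if __name__ == "__main__":
    for ace in pool_to_acl(SAMPLE_POOL):
        print(ace)
```

The partial range 10.1.1.10-10.1.1.200 costs eight entries while the whole-subnet row costs one, which is the effect the page attributes to careful design of CNR selection tags.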

Using CNR User Groups with Policy Filter Definition

The CNR User Groups are used in conjunction with QPM when defining filters for a policy. Define the Source or Destination of the traffic you want to identify by specifying a User Group from those that were imported from CNR.

For more information, see "Working with Roles and Policies."


Posted: Mon Jun 12 04:49:41 PDT 2000
Copyright © 1989-2000 Cisco Systems, Inc.