<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: LDAP Authentication for SSH sessions in Active IQ Unified Manager Discussions</title>
    <link>https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/LDAP-Authentication-for-SSH-sessions/m-p/27913#M5851</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The TR gives you almost all the info needed to get SSH working. By following the TR I was able to get my LDAP users, groups, and netgroups visible to the filer. I was also able to get the usermapping working. What did not work out of the box was multiple group membership and SSH logins.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Take the following LDIFs, for example.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;# netappadmin, groups, example.com&lt;/P&gt;&lt;P&gt;dn: cn=netappadmin,ou=groups,dc=example,dc=com&lt;/P&gt;&lt;P&gt;objectClass: groupOfNames&lt;/P&gt;&lt;P&gt;objectClass: top&lt;/P&gt;&lt;P&gt;objectClass: posixGroup&lt;/P&gt;&lt;P&gt;member: uid=cliles,ou=people,dc=example,dc=com&lt;/P&gt;&lt;P&gt;cn: netappadmin&lt;/P&gt;&lt;P&gt;gidNumber: 10002&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;# sysadmin, groups, example.com&lt;/P&gt;&lt;P&gt;dn: cn=sysadmin,ou=groups,dc=example,dc=com&lt;/P&gt;&lt;P&gt;objectClass: top&lt;/P&gt;&lt;P&gt;objectClass: groupOfNames&lt;/P&gt;&lt;P&gt;objectClass: posixGroup&lt;/P&gt;&lt;P&gt;cn: sysadmin&lt;/P&gt;&lt;P&gt;gidNumber: 10001&lt;/P&gt;&lt;P&gt;member: uid=cliles,ou=people,dc=example,dc=com&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;# cliles, people, example.com&lt;/P&gt;&lt;P&gt;dn: uid=cliles,ou=people,dc=example,dc=com&lt;/P&gt;&lt;P&gt;objectClass: inetOrgPerson&lt;/P&gt;&lt;P&gt;objectClass: posixAccount&lt;/P&gt;&lt;P&gt;objectClass: shadowAccount&lt;/P&gt;&lt;P&gt;objectClass: top&lt;/P&gt;&lt;P&gt;uid: cliles&lt;/P&gt;&lt;P&gt;uidNumber: 99999&lt;/P&gt;&lt;P&gt;gidNumber: 10001&lt;/P&gt;&lt;P&gt;loginShell: /bin/bash&lt;/P&gt;&lt;P&gt;homeDirectory: /export/home/wheel/cliles&lt;/P&gt;&lt;P&gt;memberOf: cn=sysadmin,ou=groups,dc=example,dc=com&lt;/P&gt;&lt;P&gt;memberOf: cn=netappadmin,ou=groups,dc=example,dc=com&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The filer would only pick up my group membership for gidNumber 10001. It was not looking at the member attribute of groups, only following gidNumber. I found some more options that will help you specify the attribute for additional groups. For my group structure I'd set them as follows.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;options ldap.nssmap.attribute.uniqueMember Member&lt;/P&gt;&lt;P&gt;options ldap.nssmap.objectClass.groupOfUniqueNames groupOfNames&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;After that, multiple group membership was working. For SSH access, I can only get it to work with key-based auth, so you have to set up your SSH keys ahead of time. After keys are in place you should be able to verify a login, but once connected you'll have no permissions on the filer to run anything.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The next two options you'll need are:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;options security.admin.authentication internal,nsswitch&lt;/P&gt;&lt;P&gt;options security.admin.nsswitchgroup netappadmin&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Set like this, you'll try internal users first, then fall back to your LDAP group(s). Any user in the netappadmin group will be put in the admin role. security.admin.nsswitchgroup can take a string like "ldapgrp1:role1,ldapgrp2:role2". &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also, whatever you have for your user's gidNumber, there must be a group that exists with that gidNumber in LDAP. If not, the filer will stop looking for additional groups and not grant permissions on login.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Sat, 07 Jan 2012 01:35:18 GMT</pubDate>
    <dc:creator>clilescapario</dc:creator>
    <dc:date>2012-01-07T01:35:18Z</dc:date>
    <item>
      <title>LDAP Authentication for SSH sessions</title>
      <link>https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/LDAP-Authentication-for-SSH-sessions/m-p/27902#M5844</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi, I am looking for a way to enable LDAP authentication for when our admins access the systems via SSH for configuration. I was able to do this for the web sessions, but I am still unable to access the system via SSH using LDAP/AD usernames and passwords. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Can anyone point me in the direction of what I need to do to accomplish this task? &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&amp;nbsp; &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 05 Jun 2025 06:44:43 GMT</pubDate>
      <guid>https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/LDAP-Authentication-for-SSH-sessions/m-p/27902#M5844</guid>
      <dc:creator>WICKEDSHARK</dc:creator>
      <dc:date>2025-06-05T06:44:43Z</dc:date>
    </item>
    <item>
      <title>LDAP Authentication for SSH sessions</title>
      <link>https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/LDAP-Authentication-for-SSH-sessions/m-p/27907#M5847</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Just looked at this last night; go search for TR-3464, it will answer all your LDAP questions.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 19 Oct 2011 20:16:29 GMT</pubDate>
      <guid>https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/LDAP-Authentication-for-SSH-sessions/m-p/27907#M5847</guid>
      <dc:creator>clilescapario</dc:creator>
      <dc:date>2011-10-19T20:16:29Z</dc:date>
    </item>
    <item>
      <title>Re: LDAP Authentication for SSH sessions</title>
      <link>https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/LDAP-Authentication-for-SSH-sessions/m-p/27913#M5851</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The TR gives you almost all the info needed to get SSH working. By following the TR I was able to get my LDAP users, groups, and netgroups visible to the filer. I was also able to get the usermapping working. What did not work out of the box was multiple group membership and SSH logins.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Take the following LDIFs, for example.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;# netappadmin, groups, example.com&lt;/P&gt;&lt;P&gt;dn: cn=netappadmin,ou=groups,dc=example,dc=com&lt;/P&gt;&lt;P&gt;objectClass: groupOfNames&lt;/P&gt;&lt;P&gt;objectClass: top&lt;/P&gt;&lt;P&gt;objectClass: posixGroup&lt;/P&gt;&lt;P&gt;member: uid=cliles,ou=people,dc=example,dc=com&lt;/P&gt;&lt;P&gt;cn: netappadmin&lt;/P&gt;&lt;P&gt;gidNumber: 10002&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;# sysadmin, groups, example.com&lt;/P&gt;&lt;P&gt;dn: cn=sysadmin,ou=groups,dc=example,dc=com&lt;/P&gt;&lt;P&gt;objectClass: top&lt;/P&gt;&lt;P&gt;objectClass: groupOfNames&lt;/P&gt;&lt;P&gt;objectClass: posixGroup&lt;/P&gt;&lt;P&gt;cn: sysadmin&lt;/P&gt;&lt;P&gt;gidNumber: 10001&lt;/P&gt;&lt;P&gt;member: uid=cliles,ou=people,dc=example,dc=com&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;# cliles, people, example.com&lt;/P&gt;&lt;P&gt;dn: uid=cliles,ou=people,dc=example,dc=com&lt;/P&gt;&lt;P&gt;objectClass: inetOrgPerson&lt;/P&gt;&lt;P&gt;objectClass: posixAccount&lt;/P&gt;&lt;P&gt;objectClass: shadowAccount&lt;/P&gt;&lt;P&gt;objectClass: top&lt;/P&gt;&lt;P&gt;uid: cliles&lt;/P&gt;&lt;P&gt;uidNumber: 99999&lt;/P&gt;&lt;P&gt;gidNumber: 10001&lt;/P&gt;&lt;P&gt;loginShell: /bin/bash&lt;/P&gt;&lt;P&gt;homeDirectory: /export/home/wheel/cliles&lt;/P&gt;&lt;P&gt;memberOf: cn=sysadmin,ou=groups,dc=example,dc=com&lt;/P&gt;&lt;P&gt;memberOf: cn=netappadmin,ou=groups,dc=example,dc=com&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The filer would only pick up my group membership for gidNumber 10001. It was not looking at the member attribute of groups, only following gidNumber. I found some more options that will help you specify the attribute for additional groups. For my group structure I'd set them as follows.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;options ldap.nssmap.attribute.uniqueMember Member&lt;/P&gt;&lt;P&gt;options ldap.nssmap.objectClass.groupOfUniqueNames groupOfNames&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;After that, multiple group membership was working. For SSH access, I can only get it to work with key-based auth, so you have to set up your SSH keys ahead of time. After keys are in place you should be able to verify a login, but once connected you'll have no permissions on the filer to run anything.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The next two options you'll need are:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;options security.admin.authentication internal,nsswitch&lt;/P&gt;&lt;P&gt;options security.admin.nsswitchgroup netappadmin&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Set like this, you'll try internal users first, then fall back to your LDAP group(s). Any user in the netappadmin group will be put in the admin role. security.admin.nsswitchgroup can take a string like "ldapgrp1:role1,ldapgrp2:role2". &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also, whatever you have for your user's gidNumber, there must be a group that exists with that gidNumber in LDAP. If not, the filer will stop looking for additional groups and not grant permissions on login.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 07 Jan 2012 01:35:18 GMT</pubDate>
      <guid>https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/LDAP-Authentication-for-SSH-sessions/m-p/27913#M5851</guid>
      <dc:creator>clilescapario</dc:creator>
      <dc:date>2012-01-07T01:35:18Z</dc:date>
    </item>
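Added example, not code from the NetApp thread or from NetApp: a Python model of the group and role resolution the reply above describes, built from the LDIF entries it posts (trimmed to the attributes involved). It assumes the lookup order the reply describes (primary group by gidNumber first, then supplementary groups through the configured membership attribute and objectClass, then the methods in security.admin.authentication tried in order) and assumes the out-of-the-box attribute and objectClass names are the RFC 2307bis uniqueMember and groupOfUniqueNames; the filer's real implementation is not reproduced. Running it shows the before and after of the two ldap.nssmap options, and the failure mode in the last paragraph (no group owning the user's gidNumber means no groups and no role, even when a group's member attribute still lists the user).

```python
"""Added example, not code from the NetApp thread or from NetApp: a model of how the
7-Mode filer in the post resolves an LDAP user's groups and admin role from the
post's LDIF entries (trimmed to the attributes involved). The filer's real lookup is
not reproduced; the order below is an assumption drawn from the post's description."""

# Constructed sample directory: the three entries from the post, trimmed.
SAMPLE_LDIF = """\
dn: cn=netappadmin,ou=groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: posixGroup
member: uid=cliles,ou=people,dc=example,dc=com
cn: netappadmin
gidNumber: 10002

dn: cn=sysadmin,ou=groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: posixGroup
cn: sysadmin
gidNumber: 10001
member: uid=cliles,ou=people,dc=example,dc=com

dn: uid=cliles,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: cliles
gidNumber: 10001
"""

# Options as the post quotes them. DEFAULT_OPTIONS assumes the RFC 2307bis names the
# filer searches for out of the box; FIXED_OPTIONS applies the post's two settings.
DEFAULT_OPTIONS = {
    "ldap.nssmap.attribute.uniqueMember": "uniqueMember",
    "ldap.nssmap.objectClass.groupOfUniqueNames": "groupOfUniqueNames",
    "security.admin.authentication": "internal,nsswitch",
    "security.admin.nsswitchgroup": "netappadmin",
}
FIXED_OPTIONS = {**DEFAULT_OPTIONS, "ldap.nssmap.attribute.uniqueMember": "Member",
                 "ldap.nssmap.objectClass.groupOfUniqueNames": "groupOfNames"}

def parse_ldif(text):
    """Minimal LDIF parser -> [{"dn": str, "attrs": {name: [values]}}]. Attribute names
    and objectClass values are lower-cased because LDAP matches them case-insensitively."""
    entries, current = [], None
    for line in text.splitlines() + [""]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if not name:                                  # blank line closes an entry
            if current:
                entries.append(current)
            current = None
        elif name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value.lower() if name == "objectclass" else value)
    return entries

def resolve_groups(entries, uid, options):
    """Step 1: the primary group, by gidNumber; if none exists the filer stops and the
    user gets no groups at all (the post's last paragraph). Step 2: entries of the
    configured objectClass whose configured membership attribute lists the user's DN."""
    user = next((e for e in entries if e["attrs"].get("uid") == [uid]), None)
    if user is None:
        return []
    gid = user["attrs"]["gidnumber"][0]
    primary = [e for e in entries if "posixgroup" in e["attrs"].get("objectclass", [])
               and e["attrs"].get("gidnumber") == [gid]]
    if not primary:
        return []
    groups = [primary[0]["attrs"]["cn"][0]]
    member_attr = options["ldap.nssmap.attribute.uniqueMember"].lower()
    group_class = options["ldap.nssmap.objectClass.groupOfUniqueNames"].lower()
    for e in entries:
        members = [m.lower() for m in e["attrs"].get(member_attr, [])]
        if group_class in e["attrs"].get("objectclass", []) and user["dn"].lower() in members:
            if e["attrs"]["cn"][0] not in groups:
                groups.append(e["attrs"]["cn"][0])
    return groups

def parse_nsswitchgroup(value):
    """'netappadmin' puts that group in the admin role; 'g1:r1,g2:r2' names each role."""
    pairs = [item.strip().partition(":") for item in value.split(",") if item.strip()]
    return {group: role or "admin" for group, _, role in pairs}

def admin_role(entries, uid, options, internal_users):
    """'internal' = the filer's local accounts ({user: role}); 'nsswitch' = the user's LDAP
    groups matched against nsswitchgroup. None means the login would have no permissions."""
    mapping = parse_nsswitchgroup(options["security.admin.nsswitchgroup"])
    for method in options["security.admin.authentication"].split(","):
        if method.strip() == "internal" and uid in internal_users:
            return internal_users[uid]
        if method.strip() == "nsswitch":
            for group in resolve_groups(entries, uid, options):
                if group in mapping:
                    return mapping[group]
    return None

if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for opts in (DEFAULT_OPTIONS, FIXED_OPTIONS):   # before and after the post's two options
        print(resolve_groups(directory, "cliles", opts), admin_role(directory, "cliles", opts, {}))
```

With the defaults the model sees only sysadmin for cliles and returns no role; with the post's two options it sees sysadmin and netappadmin and returns admin. Deleting the sysadmin entry (the group that owns gidNumber 10001) from the parsed directory reproduces the post's last warning: the user ends up with no groups and no role even though netappadmin still lists the DN. Before touching the filer options, the same check can be run against the real directory with an anonymous or bind-DN ldapsearch for the user's gidNumber and for entries whose member attribute holds the user's DN; if the gidNumber search returns nothing, fix the directory first.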
  </channel>
</rss>

