Active IQ Unified Manager Discussions

LDAP Authentication for SSH sessions

WICKEDSHARK
4,190 Views

Hi I am looking for a way to enable LDAP authentication for when our admins access the systems via SSH for configuration. I was able to do this for the web sessions but I am still unable to access the system via SSH using LDAP/AD username and passwords.

Can anyone point in the direction on what I need to do to acomplish this task.

Thanks 

2 REPLIES 2

clilescapario
4,190 Views

Just looked at this last night, go search for TR-3464 it will answer all your ldap questions.

clilescapario
4,190 Views

The TR gives you almost all the info needed to get ssh working. By following the TR I was able to get my ldap users, groups, and netgroups visible to the filer. I was also able to get the usermapping working. What did not work out of the box was multiple group membership and ssh logins.

Take the following ldiffs for example.

# netappadmin, groups, example.com

dn: cn=netappadmin,ou=groups,dc=example,dc=com

objectClass: groupOfNames

objectClass: top

objectClass: posixGroup

member: uid=cliles,ou=people,dc=example,dc=com

cn: netappadmin

gidNumber: 10002

# sysadmin, groups, example.com

dn: cn=sysadmin,ou=groups,dc=example,dc=com

objectClass: top

objectClass: groupOfNames

objectClass: posixGroup

cn: sysadmin

gidNumber: 10001

member: uid=cliles,ou=people,dc=example,dc=com

# cliles, people, example.com

dn: uid=cliles,ou=people,dc=example,dc=com

objectClass: inetOrgPerson

objectClass: posixAccount

objectClass: shadowAccount

objectClass: top

uid: cliles

uidNumber: 99999

gidNumber: 10001

loginShell: /bin/bash

homeDirectory: /export/home/wheel/cliles

memberOf: cn=sysadmin,ou=groups,dc=example,dc=com

memberOf: cn=netappadmin,ou=groups,dc=example,dc=com

The filer would only pickup my group membership to gidNumber 10001. It was not looking member attribute of groups, only following gidNumber. I found some more options that will help you specify the attribute for addition groups. For my group structure I'd set them as the following.

options ldap.nssmap.attribute.uniqueMember Member

options ldap.nssmap.objectClass.groupOfUniqueNames groupOfNames

After that, multiple group membership was working. For SSH access, I can only get it to work with key based auth, so you have to setup your ssh keys ahead of time. After keys are in place you should be able to verify a login, but once connected you'll have no permissions on the filer to run anything.

The next 2 options you'll need are:

options security.admin.authentication internal,nsswitch

options security.admin.nsswitchgroup netappadmin

Set like this you'll try internal users 1st, then fall back to your ldap group(s). Any user in the netappadmin group will be put in the admin role. security.admin.nsswitchgroup can take a string like "ldapgrp1:role1,ldapgrp2:role2".

Also, whatever you have for your user's gidNumber, there must be a group that exist with that gidNumber in ldap. If not, the filer will stop looking for additional groups and not grant permissions on login.

Public