LDAP Authentication for SSH sessions
2011-09-29 02:54 PM
Hi, I am looking for a way to enable LDAP authentication for when our admins access the systems via SSH for configuration. I was able to do this for the web sessions, but I am still unable to access the system via SSH using LDAP/AD usernames and passwords.
Can anyone point me in the direction of what I need to do to accomplish this task?
Re: LDAP Authentication for SSH sessions
2012-01-06 05:35 PM
The TR gives you almost all the info needed to get ssh working. By following the TR I was able to get my ldap users, groups, and netgroups visible to the filer. I was also able to get the usermapping working. What did not work out of the box was multiple group membership and ssh logins.
Take the following LDIFs for example.
# netappadmin, groups, example.com
# sysadmin, groups, example.com
# cliles, people, example.com
The filer would only pick up my group membership to gidNumber 10001. It was not looking at the member attribute of groups, only following gidNumber. I found some more options that will help you specify the attribute for additional groups. For my group structure I'd set them as follows.
options ldap.nssmap.attribute.uniqueMember Member
options ldap.nssmap.objectClass.groupOfUniqueNames groupOfNames
After that, multiple group membership was working. For SSH access, I can only get it to work with key-based auth, so you have to set up your ssh keys ahead of time. After keys are in place you should be able to verify a login, but once connected you'll have no permissions on the filer to run anything.
The next 2 options you'll need are:
options security.admin.authentication internal,nsswitch
options security.admin.nsswitchgroup netappadmin
Set like this, you'll try internal users first, then fall back to your ldap group(s). Any user in the netappadmin group will be put in the admin role. security.admin.nsswitchgroup can take a string like "ldapgrp1:role1,ldapgrp2:role2".
Also, whatever you have for your user's gidNumber, there must be a group that exists with that gidNumber in ldap. If not, the filer will stop looking for additional groups and not grant permissions on login.
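The following is an added, constructed model of the login behaviour the reply above describes; it is not NetApp code and not part of the original thread. It assumes the semantics stated in the reply: the primary gidNumber must resolve to an existing LDAP group or group lookup stops, additional groups come from the member attribute, and the security.admin.nsswitchgroup string "grp:role,grp:role" maps groups to roles (a bare group name is assumed to mean the admin role, and the first matching entry is assumed to win). The sample group and user data are constructed stand-ins for the netappadmin, sysadmin and cliles entries, since the page shows only their DN comments.

```python
"""
Constructed simulation of Data ONTAP 7-mode SSH login role resolution with
'security.admin.authentication internal,nsswitch'. Added example, not NetApp
code; the rules it encodes are the ones the forum reply reports observing.
"""

# Constructed LDAP data (assumption: group DNs/attributes are illustrative).
GROUPS = {
    "netappadmin": {"gidNumber": 10002,
                    "member": ["uid=cliles,ou=people,dc=example,dc=com"]},
    "sysadmin":    {"gidNumber": 10001,
                    "member": ["uid=cliles,ou=people,dc=example,dc=com"]},
}
USERS = {
    "cliles": {"dn": "uid=cliles,ou=people,dc=example,dc=com",
               "gidNumber": 10001},
}


def parse_nsswitchgroup(value):
    """Parse 'grp1:role1,grp2:role2' into {group: role}.

    A bare group name (e.g. 'netappadmin') maps to 'admin', matching the
    reply's statement that members of that group get the admin role.
    Dict order preserves the string order, so the first match wins (assumption).
    """
    mapping = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        group, _, role = item.partition(":")
        mapping[group.strip()] = role.strip() or "admin"
    return mapping


def resolve_groups(user, groups):
    """Return the set of group names the user belongs to.

    Returns None when no group carries the user's primary gidNumber: this is
    the failure mode from the reply, where the filer stops looking for
    additional groups and grants no permissions at login.
    """
    primary = {n for n, g in groups.items() if g["gidNumber"] == user["gidNumber"]}
    if not primary:
        return None
    # Secondary groups are found through the member attribute
    # (ldap.nssmap.attribute.uniqueMember Member in the reply).
    names = set(primary)
    for name, g in groups.items():
        if user["dn"] in g.get("member", []):
            names.add(name)
    return names


def login_role(username, users, groups, nsswitchgroup, internal_users=None):
    """Mimic 'internal,nsswitch' ordering: local accounts are consulted first,
    then LDAP group membership is mapped to a role via nsswitchgroup.
    Returns the role name, or None when the login gets no permissions."""
    internal_users = internal_users or {}
    if username in internal_users:
        return internal_users[username]
    user = users.get(username)
    if user is None:
        return None
    names = resolve_groups(user, groups)
    if names is None:
        return None
    for group, role in parse_nsswitchgroup(nsswitchgroup).items():
        if group in names:
            return role
    return None


if __name__ == "__main__":
    print("working setup :", login_role("cliles", USERS, GROUPS, "netappadmin"))
    # Drop the group that owns gidNumber 10001 to reproduce the "no permissions" case.
    missing_primary = {"netappadmin": GROUPS["netappadmin"]}
    print("missing primary:", login_role("cliles", USERS, missing_primary, "netappadmin"))
```

Running it shows the admin role for the complete directory and None once the group owning the user's primary gidNumber is removed, which is the quickest way to check a directory layout against the reply's last caveat before touching the filer.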