Shell Access to the Gateway via LDAP Credentials Not Working

Article ID: 210412

Updated On:

Products

CA API Gateway

Issue/Introduction

After configuring LDAP credentials as an authentication method for SSH access to the Gateway via the ssgconfig menu, users are still unable to gain shell access to the Gateway. 


Errors like the following appear in /var/log/secure after the login attempt:

pam_faillock(sshd:auth): User unknown
Failed password for invalid user 

Cause

The SSG Config Menu assumes that the users used for SSH authentication are in a folder below the search base, but that does not always have to be the case. In this instance the users were located in the search base itself, which is valid but resulted in the failures being seen.

Environment

Gateway 10

Resolution

The following workaround can be implemented to address this situation:

When configuring LDAP credentials using the guided menus as described in Option 4 - Configure Authentication Method, enter a temporary value at the prompt "Which object in the LDAP will be used to find the password for users". Once the menu selections have been completed, edit /etc/nslcd.conf and enter the desired value (e.g., 'ou=users') that identifies the location of the LDAP object for user passwords. This overrides the temporary value entered via the configuration menu. After entering the value, restart the nslcd daemon.

This is also outlined within our online documentation which can be referenced here:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-0/release-notes/known-issues.html
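
A check to run after the edit, as an added example (not Broadcom's code): it reads an nslcd.conf, reports which DN user lookups will search, and tests whether a known user DN falls under it. It assumes the standard nslcd.conf `base` and `base passwd` directives; the function names, sample DNs and sample config are constructed for illustration.

```shell
#!/bin/sh
# Print the DN(s) nslcd searches for user (passwd) entries. In nslcd.conf,
# "base passwd <DN>" lines, when present, replace the global "base <DN>"
# lines for user lookups.
passwd_search_bases() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        tolower($1) != "base" { next }
        {
            if (tolower($2) == "passwd") n = 2   # map-specific base
            else if ($2 ~ /=/) n = 1             # global base: 2nd field is a DN
            else next                            # base for another map
            dn = $0
            for (i = 0; i < n; i++) sub(/^[ \t]*[^ \t]+[ \t]+/, "", dn)
            sub(/[ \t]+$/, "", dn)
            if (n == 2) { specific[++ns] = dn } else { general[++ng] = dn }
        }
        END {
            if (ns) { for (i = 1; i <= ns; i++) print specific[i] }
            else { for (i = 1; i <= ng; i++) print general[i] }
        }
    ' "$1"
}

# Return 0 if USER_DN ($1) lies below one of those bases in FILE ($2), else 1.
# Assumes the default subtree search scope; comparison is case-insensitive.
user_dn_in_passwd_base() {
    user_dn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    passwd_search_bases "$2" | tr '[:upper:]' '[:lower:]' | (
        while IFS= read -r base; do
            case "$user_dn" in *,"$base") exit 0 ;; esac
        done
        exit 1
    )
}

# Constructed sample: users live directly in the search base, but the passwd
# base still points at a temporary child container.
conf=$(mktemp)
printf '%s\n' 'uri ldap://ldap.example.com' 'base dc=example,dc=com' \
    'base passwd ou=temp,dc=example,dc=com' > "$conf"
if user_dn_in_passwd_base 'uid=alice,dc=example,dc=com' "$conf"; then
    echo "user DN is covered by: $(passwd_search_bases "$conf")"
else
    echo "user DN is outside: $(passwd_search_bases "$conf")"
fi
rm -f "$conf"
```

A user DN reported as outside the passwd base corresponds to the "User unknown" entries in /var/log/secure, because nslcd never finds the account it is asked to authenticate.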

Additional Information

This is a known defect within Gateway version 10, which will be addressed in a future CR.