Implemented Option 4 - Configure Authentication Method (SSH to Gateway with LDAP Users Support) in the ssgconfig menu
LDAP users receive an "Access denied" error when they SSH to the gateway
Gateway 11.x
SSSD works with Active Directory out of the box. With a different LDAP directory (e.g. OpenLDAP), /etc/sssd/sssd.conf needs additional configuration so that SSSD can find, authenticate and authorize users by the customer's own attributes: by default SSSD only returns users that carry a non-zero uidNumber attribute (visible in the search filter in the debug log below), which plain inetOrgPerson entries without the posixAccount object class do not have, so the user lookup comes back empty and SSH access is denied
How to find, authenticate and authorize users for SSH access: there are two approaches, group-based access or attribute-based access
Group-based authorization - a group is defined in the LDAP directory and the users who may SSH to the gateway are added to it
See KB 275559
Attribute-based authorization - choose the attribute and value that identify the users who may SSH to the gateway
Example tested: user attribute employeeNumber with value 4000
This allows a user to SSH who enters a valid ID/password and has the attribute employeeNumber set to 4000
Configured in the SSGCONFIG menu (Option 4); the user search filter prompt is answered with the attribute filter:
(Optional) Enter the user search filter. Example: dc=l7tech,dc=com?subtree?(gidNumber=4000) [dc=l7tech,dc=com?subtree?(employeeNumber=4000)]:
The following entries must also be added manually to the [domain/ldap] section of /etc/sssd/sssd.conf, then sssd restarted (systemctl restart sssd):
ldap_user_uid_number = employeeNumber
auto_private_groups = True
debug_level = 9
ldap_user_uid_number names the attribute whose value SSSD uses as the POSIX UID (the default is uidNumber), so the lookup filter now asks for a non-zero employeeNumber instead of a uidNumber the entries do not have; the value must be numeric. auto_private_groups = True lets SSSD derive the user's primary group from that UID instead of requiring a gidNumber attribute. Note that the mapped attribute becomes the user's numeric UID on the gateway: if several users carry the same employeeNumber value they share one UID (and, with auto_private_groups, one primary group), which loses per-user accountability in file ownership and audit records, so check with id <user> after a test login that each SSH user gets a distinct UID. debug_level = 9 is verbose and is only needed while troubleshooting; lower it again once logins work
Sample sssd.conf (/etc/sssd/sssd.conf; the file must be owned by root with mode 0600 because it holds the bind password, and sssd refuses to start when the ownership or permissions are wrong)
#Domain Section and Server Details
[domain/ldap]
id_provider = ldap
#ldap:// without ldap_id_use_start_tls = True sends the bind password and every user password in clear text; use ldaps:// or StartTLS where the directory supports it
ldap_uri = ldap://<LDAP_DNS_NAME>:<LDAP_Port>
ldap_default_bind_dn = cn=Manager,<baseDN>
ldap_default_authtok = <password>
ldap_user_name = uid
ldap_user_object_class = inetOrgPerson
#allow accepts any server certificate; once TLS is in use set this to demand and point ldap_tls_cacert at the issuing CA
ldap_tls_reqcert = allow
ldap_search_base = <search base>
#only entries with employeeNumber=4000 are visible to SSSD at all
ldap_user_search_base = <user_search_base>?subtree?(employeeNumber=4000)
cache_credentials = True
default_shell = /bin/bash
use_fully_qualified_names = False
override_homedir = /home/%u
access_provider = simple
simple_allow_groups = RootUser,NonRootUser
dyndns_update = false
#entries added for the non-posixAccount LDAP users
ldap_user_uid_number = employeeNumber
auto_private_groups = True
debug_level = 9
Adding debug_level = 9 to the [domain/ldap] section of /etc/sssd/sssd.conf and restarting sssd gives additional debug information
Before the fix, /var/log/sssd/sssd_ldap.log shows the user search returning no entry: the operation itself completes (Search result: Success(0)), but the filter requires a non-zero uidNumber that the user's LDAP entry does not carry, so no user is found and SSH access is denied
(2024-11-06 12:28:28): [be[ldap]] [sdap_call_op_callback] (0x20000): [RID#4] Handling LDAP operation [4][server: [<IP_Address>:<LDAP_PORT>] filter: [(&(uid=<userID>)(objectclass=<objectclassName>)(&(uidNumber=*)(!(uidNumber=0))))] base: [<baseDN>] took [4.686] milliseconds.
(2024-11-06 12:28:28): [be[ldap]] [sdap_get_generic_op_finished] (0x0400): [RID#4] Search result: Success(0), no errmsg set
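To see why the logged lookup finds nothing before the fix and why the manual sssd.conf entries above (ldap_user_uid_number and the employeeNumber filter in the user search base) make it succeed, here is an added example that replays the search offline. It is not part of this KB article and not SSSD code: it parses the filter and base out of a log line shaped like the one above, evaluates the filter against an in-memory LDAP entry, and rebuilds the filter SSSD uses after the uidNumber mapping is changed. The server address, the user ID jdoe and the user entry are constructed placeholders, and the filter evaluator is a simplified case-insensitive approximation of real LDAP matching rules.

```python
"""Replay the SSSD user lookup from sssd_ldap.log against a constructed OpenLDAP entry."""
import re

# Constructed log line in the shape of the sssd_ldap.log entry above; the server address
# and the user ID "jdoe" are hypothetical placeholders, not values from the article.
SAMPLE_LOG_LINE = (
    "(2024-11-06 12:28:28): [be[ldap]] [sdap_call_op_callback] (0x20000): [RID#4] "
    "Handling LDAP operation [4][server: [192.0.2.10:389] filter: "
    "[(&(uid=jdoe)(objectclass=inetOrgPerson)(&(uidNumber=*)(!(uidNumber=0))))] "
    "base: [dc=l7tech,dc=com] took [4.686] milliseconds."
)

# Constructed OpenLDAP user: a plain inetOrgPerson with employeeNumber but without the
# posixAccount object class, so it carries no uidNumber at all.
USER_ENTRY = {
    "uid": ["jdoe"],
    "objectClass": ["top", "person", "inetOrgPerson"],
    "employeeNumber": ["4000"],
}


def parse_log_line(line):
    """Return (filter, base) from an sdap_call_op_callback log line."""
    m = re.search(r"filter: \[(.+?)\] base: \[(.+?)\]", line)
    if not m:
        raise ValueError("log line carries no filter/base")
    return m.group(1), m.group(2)


def parse_filter(text):
    """Parse the RFC 4515 subset SSSD emits here: &, |, !, attr=value and attr=* (presence)."""
    node, end = _parse_node(text, 0)
    if end != len(text):
        raise ValueError(f"trailing data in filter at offset {end}")
    return node


def _parse_node(s, i):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse_node(s, i)
            children.append(child)
    elif s[i] == "!":
        child, i = _parse_node(s, i + 1)
        op, children = "!", [child]
    else:
        j = s.index(")", i)
        attr, _, value = s[i:j].partition("=")
        return ("=", attr, value), j + 1
    if s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return (op, children), i + 1


def _values(entry, attr):
    # LDAP attribute names are case-insensitive; value comparison is simplified here to
    # case-insensitive string equality for every attribute.
    for key, vals in entry.items():
        if key.lower() == attr.lower():
            return [v.lower() for v in vals]
    return []


def matches(node, entry):
    """Evaluate a parsed filter against a dict of attribute -> list of values."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    vals = _values(entry, attr)
    return bool(vals) if value == "*" else value.lower() in vals


def parse_search_base(spec):
    """Split sssd's 'base?scope?filter' search-base syntax; scope and filter are optional."""
    parts = spec.split("?", 2)
    return tuple(parts + [None] * (3 - len(parts)))


def sssd_user_filter(username, name_attr="uid", object_class="inetOrgPerson",
                     uid_attr="uidNumber", search_base=None):
    """Rebuild the lookup filter seen in the log for a given ldap_user_uid_number mapping,
    AND-ed with the optional filter part of ldap_user_search_base."""
    core = (f"(&({name_attr}={username})(objectclass={object_class})"
            f"(&({uid_attr}=*)(!({uid_attr}=0))))")
    extra = parse_search_base(search_base)[2] if search_base else None
    return f"(&{core}{extra})" if extra else core


def lookup_succeeds(log_line, entry):
    """True when the filter SSSD logged would have returned this entry."""
    flt, _base = parse_log_line(log_line)
    return matches(parse_filter(flt), entry)


if __name__ == "__main__":
    print("default filter matches user:", lookup_succeeds(SAMPLE_LOG_LINE, USER_ENTRY))
    fixed = sssd_user_filter("jdoe", uid_attr="employeeNumber",
                             search_base="dc=l7tech,dc=com?subtree?(employeeNumber=4000)")
    print("filter after the fix:", fixed)
    print("fixed filter matches user:", matches(parse_filter(fixed), USER_ENTRY))
```

Run stand-alone, the default filter does not match the entry (the (uidNumber=*) presence test fails), while the rebuilt filter with employeeNumber as the UID attribute and the (employeeNumber=4000) search-base filter does; a second constructed user with employeeNumber 4001 is rejected by the search-base filter, which is the attribute-based authorization the article describes. The same evaluator can be pointed at an entry exported with ldapsearch from the customer's directory to check a candidate filter before editing sssd.conf on the gateway.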