SSH access to the Gateway LDAP authentication/Authorization

Article ID: 381920

Products

CA API Gateway

Issue/Introduction

Environment

Gateway 11.x

Cause

SSSD works with Active Directory out of the box. If you are using a different LDAP server (for example OpenLDAP), /etc/sssd/sssd.conf needs additional configuration so that SSSD can find, authenticate and authorize users based on customer-specific attributes.

Resolution

How to configure SSSD to find, authenticate and authorize users for SSH access. There are two approaches: group-based access or attribute-based access.

Group-based authorization - A group is defined in the LDAP directory, and the users who are allowed to SSH to the Gateway are added to it.

See KB 275559

Attribute-based authorization - Determine the attribute and value that identify the users who are allowed to SSH to the Gateway.

Example: tested with the user attribute employeeNumber set to the value 4000.

This allows SSH access to users who enter a valid ID/password and have the attribute employeeNumber set to 4000.

Configured in the SSGCONFIG menu:

(Optional) Enter the user search filter. Example: dc=l7tech,dc=com?subtree?(gidNumber=4000) [dc=l7tech,dc=com?subtree?(employeeNumber=4000)]:

The following entries also need to be added manually to the [domain/ldap] section of /etc/sssd/sssd.conf, then restart sssd:

ldap_user_uid_number = employeeNumber

auto_private_groups = True

debug_level = 9

Sample sssd.conf

#Domain Section and Server Details
[domain/ldap]
id_provider = ldap
ldap_uri = ldap://<LDAP_DNS_NAME>:<LDAP_Port>
ldap_default_bind_dn = cn=Manager,<baseDN>
ldap_default_authtok = <password>
ldap_user_name = uid
ldap_user_object_class = inetOrgPerson
ldap_tls_reqcert = allow
ldap_search_base = <search base>
ldap_user_search_base = <user_search_base>?subtree?(employeeNumber=4000)
cache_credentials = True
default_shell = /bin/bash
use_fully_qualified_names = False
override_homedir = /home/%u
access_provider = simple
simple_allow_groups = RootUser,NonRootUser
dyndns_update = false

ldap_user_uid_number = employeeNumber
auto_private_groups = True
debug_level = 9
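As an added example (not part of this KB article or of the Gateway product), the following Python checker parses a constructed sssd.conf that mirrors the sample above, splits ldap_user_search_base into its base?scope?filter parts, and reports the settings a reviewer would question before putting the configuration on a Gateway: the shared POSIX UID that results from mapping ldap_user_uid_number to the very attribute the filter pins to 4000, the unencrypted ldap:// bind, ldap_tls_reqcert = allow, and a leftover debug_level = 9. The hostname, DNs and password are placeholders.

```python
# Added example, not from the KB article: review the attribute-based SSSD
# configuration. The config text is constructed; host, DNs, password are placeholders.
import configparser
import re

SAMPLE_SSSD_CONF = """\
[domain/ldap]
ldap_uri = ldap://ldap.example.test:389
ldap_default_bind_dn = cn=Manager,dc=example,dc=test
ldap_default_authtok = placeholder-password
ldap_user_search_base = dc=example,dc=test?subtree?(employeeNumber=4000)
ldap_tls_reqcert = allow
ldap_user_uid_number = employeeNumber
auto_private_groups = True
debug_level = 9
"""

def parse_search_base(value):
    """Split SSSD's 'base?scope?filter' form; scope and filter are optional."""
    parts = value.split("?", 2)
    base = parts[0]
    scope = parts[1] if len(parts) > 1 else "subtree"
    ldap_filter = parts[2] if len(parts) > 2 else None
    if scope not in ("base", "onelevel", "subtree"):
        raise ValueError(f"unknown search scope {scope!r}")
    return base, scope, ldap_filter

def review_domain(conf_text, section="domain/ldap"):
    """Return the parsed user search base plus findings a reviewer would raise."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    d = cp[section]
    findings = []
    base, scope, flt = parse_search_base(d["ldap_user_search_base"])
    if flt is None:
        findings.append("ldap_user_search_base has no filter; no attribute check")
    uid_attr = d.get("ldap_user_uid_number", "uidNumber")
    # Pinning the UID attribute to one value in the filter gives every allowed
    # user the same POSIX UID, so they cannot be told apart on the host.
    if flt and re.fullmatch(rf"\({re.escape(uid_attr)}=\d+\)", flt):
        findings.append(f"all matched users share one UID via {flt}")
    if d["ldap_uri"].startswith("ldap://") and \
            d.get("ldap_id_use_start_tls", "false").lower() != "true":
        findings.append("bind DN password is sent without TLS")
    if d.get("ldap_tls_reqcert", "hard").lower() in ("never", "allow"):
        findings.append("ldap_tls_reqcert does not verify the server certificate")
    if d.get("debug_level") == "9":
        findings.append("debug_level = 9 is verbose; revert after troubleshooting")
    return {"base": base, "scope": scope, "filter": flt, "findings": findings}
```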

Additional Information

debug_level = 9 was added to the [domain/ldap] section of /etc/sssd/sssd.conf and sssd was restarted to collect additional debug information.

/var/log/sssd/sssd_ldap.log shows the failed search for the user:

(2024-11-06 12:28:28): [be[ldap]] [sdap_call_op_callback] (0x20000): [RID#4] Handling LDAP operation [4][server: [<IP_Address>:<LDAP_PORT>] filter: [(&(uid=<userID>)(objectclass=<objectclassName>)(&(uidNumber=*)(!(uidNumber=0))))] base: [<baseDN>] took [4.686] milliseconds.

(2024-11-06 12:28:28): [be[ldap]] [sdap_get_generic_op_finished] (0x0400): [RID#4] Search result: Success(0), no errmsg set