Implemented Option 4 - Configure Authentication Method (SSH to Gateway with LDAP Users Support)
Error Access Denied during SSH
OpenLDAP using the inetOrgPerson standard schema
Gateway 11.x
SSSD works with Active Directory out of the box. If you are using a different LDAP directory (e.g. OpenLDAP), /etc/sssd.conf needs additional configuration so that SSSD can find, authenticate and authorize users by the directory's custom attributes.
Also verify that the user object lists the required group in its memberOf attribute; in OpenLDAP this attribute is only present when the server maintains it (for example through the memberof overlay).
How to configure:
Step 1: Find the user for authentication/authorization. There are two approaches: group-based access or attribute-based access. This KB covers group-based access.
The /etc/sssd.conf parameter ldap_user_search_base is used to find the user and the user's group membership.
To find the user and restrict access to members of the group, modify /etc/sssd.conf so that the search filter includes memberOf. The filter value must be the group's full DN exactly as it appears in the user object's memberOf attribute.
Example:
ldap_user_search_base = <user_search_base>?subtree?(memberOf=cn=APIM_AccessGRP,<groups_baseDN>)
Sample user object with memberOf populated:
  objectClass: top, person, organizationalPerson, inetOrgPerson
  uid: <user16>
  employeeNumber: 6116
  memberOf: cn=<APIM_GroupGRP>,<groups_baseDN>
Group object APIM_AccessGRP:
  dn: cn=<APIM_GroupGRP>,<groups_baseDN>
  objectClass: top, groupOfUniqueNames
  cn: <APIM_GroupGRP>
  uniqueMember: uid=user16,<user_baseDN>
Step 2: In sssd.conf the parameter ldap_user_uid_number MUST point to an attribute whose value is a unique number for the user needing access, the same requirement as for a POSIX User ID (UID) and Group ID (GID); SSSD uses it to create the home folder and map the account.
Example using the attribute EmployeeNumber:
ldap_user_uid_number = EmployeeNumber
Alternatively, use an unused attribute provided by the LDAP administrator and set it to a numeric value, e.g. 1010 (recommended).
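Added pre-flight check, not part of this KB or of the Gateway product: given ldapsearch -LLL output for the user search base, it reports whether each user would pass the (memberOf=...) filter from Step 1 and whether the attribute chosen for ldap_user_uid_number in Step 2 holds a unique integer, the two conditions that otherwise surface as Access Denied at SSH. The group DN, base DNs and the sample entries are constructed placeholders.

```python
GROUP_DN = "cn=APIM_AccessGRP,ou=groups,dc=example,dc=com"  # assumed placeholder DN
UID_NUMBER_ATTR = "employeeNumber"  # attribute the KB maps to ldap_user_uid_number

# Constructed ldapsearch -LLL style output: one valid member, one member whose
# employeeNumber is not numeric, and one user who is not in the group.
SAMPLE_LDIF = """\
dn: uid=user16,ou=people,dc=example,dc=com
uid: user16
employeeNumber: 6116
memberOf: cn=APIM_AccessGRP,ou=groups,dc=example,dc=com

dn: uid=user17,ou=people,dc=example,dc=com
uid: user17
employeeNumber: E-6117
memberOf: cn=APIM_AccessGRP,ou=groups,dc=example,dc=com

dn: uid=user18,ou=people,dc=example,dc=com
uid: user18
employeeNumber: 6118
"""

def parse_ldif(text):
    """Split LDIF into entries of {attribute (lower-cased): [values]}."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep:  # lines without ':' are not attribute lines
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def check_users(ldif_text, group_dn=GROUP_DN, uid_attr=UID_NUMBER_ATTR):
    """Return {uid: 'ok' or the reason the SSH login would be denied}."""
    seen, result = {}, {}
    for e in parse_ldif(ldif_text):
        uid = e.get("uid", ["?"])[0]
        num = e.get(uid_attr.lower(), [None])[0]
        if group_dn.lower() not in [v.lower() for v in e.get("memberof", [])]:
            result[uid] = "not in group: excluded by the (memberOf=...) search filter"
        elif num is None or not num.isdigit():
            result[uid] = f"{uid_attr} missing or not numeric: {num!r}"
        elif num in seen:
            result[uid] = f"{uid_attr} {num} already used by {seen[num]}"
        else:
            seen[num] = uid
            result[uid] = "ok"
    return result
```

Run it against the real directory by replacing SAMPLE_LDIF with the output of ldapsearch -LLL over your <user_search_base>, and fix any user that is not reported "ok" before editing /etc/sssd.conf.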