API Gateway: LDAP Authentication Fails when Filtering on Non-Primary GID

Article ID: 42869


Products

STARTER PACK-7 CA Rapid App Security CA API Gateway


Introduction

LDAP authentication can fail when the PAM LDAP filter matches on a GID that is not the user's primary GID, even though the LDAP server still returns the user and group information correctly.

Workaround

  1. Precondition: in the LDAP repository, the values of the ssgconfig_ldap group's "memberUid" attribute must be full DNs. For example: "uid=testuser2,ou=posixAccounts,dc=l7tech,dc=com"
  2. Insert the following lines into /etc/pam_ldap.conf:
    pam_groupdn [full DN of the target group]
    pam_member_attribute memberUid
  3. Update the file /etc/pam_ldap.conf to comment out the pam_filter line, like so: #pam_filter gidNumber=4000
  4. Update the file /etc/pam.d/sshd: insert the following line after "account required pam_nologin.so": account required pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
  5. Update the file /etc/pam.d/login: insert the following line after "account required pam_nologin.so": account required pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
This configuration covers the following scenarios:
  • ssgconfig_ldap group gidNumber=4000
  • testuser1 is part of the ssgconfig_ldap group, and testuser1 gidNumber=4000 ==> will be able to log in
  • testuser2 is part of the ssgconfig_ldap group, and testuser2 gidNumber=3000 ==> will be able to log in
  • testuser3 is not part of the ssgconfig_ldap group, and testuser3 gidNumber=4000 ==> will not be able to log in
  • testuser4 is not part of the ssgconfig_ldap group, and testuser4 gidNumber=3000 ==> will not be able to log in
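The scenario table above can be checked offline before touching the appliance. The script below is an added example (not CA's code) that models the two access rules side by side: the original pam_filter gidNumber=4000 rule, and the pam_groupdn / pam_member_attribute memberUid rule the workaround switches to. The group membership list and the DN suffix ou=posixAccounts,dc=l7tech,dc=com are constructed from the article's own example; the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample data: the memberUid values of the ssgconfig_ldap group, one
# per line, stored as full DNs as step 1 of the workaround requires.
GROUP_MEMBERS='uid=testuser1,ou=posixAccounts,dc=l7tech,dc=com
uid=testuser2,ou=posixAccounts,dc=l7tech,dc=com'

# Precondition check from step 1: every memberUid must be a full DN (an RDN
# followed by at least one further component), not a bare login name.
member_dns_ok() {
    ! printf '%s\n' "$1" | grep -qvE '^[A-Za-z]+=[^,]+(,[A-Za-z]+=[^,]+)+$'
}

# Behaviour of the original configuration: pam_filter gidNumber=4000 admits
# exactly the accounts whose gidNumber attribute is 4000, whatever their group.
gid_filter_allows() {
    # $1 = login name (the filter never looks at it), $2 = the account's gidNumber
    [ "$2" = "4000" ]
}

# Behaviour after the workaround: pam_groupdn plus pam_member_attribute memberUid
# admits an account only when its full DN is listed in the group; gidNumber is ignored.
groupdn_allows() {
    # $1 = login name, $2 = gidNumber (ignored by this check)
    printf '%s\n' "$GROUP_MEMBERS" | grep -qxF "uid=$1,ou=posixAccounts,dc=l7tech,dc=com"
}

# Walk the four scenarios from the article and show both outcomes side by side.
if member_dns_ok "$GROUP_MEMBERS"; then
    for case in "testuser1 4000" "testuser2 3000" "testuser3 4000" "testuser4 3000"; do
        set -- $case
        if gid_filter_allows "$1" "$2"; then old=allowed; else old=denied; fi
        if groupdn_allows "$1" "$2"; then new=allowed; else new=denied; fi
        echo "$1 gidNumber=$2: pam_filter -> $old, pam_groupdn -> $new"
    done
else
    echo "memberUid values are not full DNs; fix the group entry first (step 1)" >&2
fi
```

The output makes the failure in the title visible: testuser2 (a member with gidNumber=3000) is denied by the GID filter and admitted by the group-DN rule, while testuser3 (gidNumber=4000 but not a member) is admitted by the GID filter and denied by the group-DN rule.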
The workaround above only enables login through the group filter. To grant those users sudo privileges, run the following steps.
  1. Create a local group, ssgconfig_ldap_local, by typing "groupadd -f ssgconfig_ldap_local". Please use the exact same group name, "ssgconfig_ldap_local", since this workaround will be built into the next release.
  2. Insert the following block into /etc/sudoers (edit it with visudo so that a syntax error is caught before the file is saved):
    %ssgconfig_ldap_local ALL = NOPASSWD: /sbin/reboot
    %ssgconfig_ldap_local ALL = (layer7) NOPASSWD: /opt/SecureSpan/Appliance/config/systemconfig.sh
    %ssgconfig_ldap_local ALL = (layer7) NOPASSWD: /opt/SecureSpan/Appliance/config/scahsmconfig.sh
    %ssgconfig_ldap_local ALL = (layer7,root) NOPASSWD: /opt/SecureSpan/Appliance/libexec/masterkey-manage.pl
    %ssgconfig_ldap_local ALL = (layer7) NOPASSWD: /opt/SecureSpan/Appliance/libexec/ncipherconfig.pl
    %ssgconfig_ldap_local ALL = (layer7) NOPASSWD: /opt/SecureSpan/Appliance/libexec/ssgconfig_launch
    %ssgconfig_ldap_local ALL = (layer7) NOPASSWD: /opt/SecureSpan/EnterpriseManager/config/emconfig.sh
    %ssgconfig_ldap_local ALL = (layer7) NOPASSWD: /opt/SecureSpan/Appliance/libexec/patchcli_launch
    %ssgconfig_ldap_local ALL = NOPASSWD: /sbin/chkconfig ssem on, /sbin/chkconfig ssem off
    %ssgconfig_ldap_local ALL = NOPASSWD: /sbin/service ssem start, /sbin/service ssem stop, /sbin/service ssem status
    %ssgconfig_ldap_local ALL = NOPASSWD: /opt/SecureSpan/Appliance/libexec/viewlog
    %ssgconfig_ldap_local ALL = NOPASSWD: /bin/cat
  3. Get the group ID of ssgconfig_ldap_local by typing the following command: cut -d':' -f1,3 /etc/group | grep "^ssgconfig_ldap_local.*"
  4. Insert the following mapping into /etc/nslcd.conf: map passwd gidNumber "[group id from step 3]"
  5. Restart nslcd with the following command: service nslcd restart
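Steps 3 and 4 hand a value from /etc/group into /etc/nslcd.conf by hand, and an empty or wrong value there leaves every LDAP user mapped to a non-existent primary group. The script below is an added example (not CA's code) that performs the lookup against a constructed group(5) file, anchors the group name on the field separator so that a similarly named group cannot match, and refuses to emit the nslcd line when the group is missing. The gid 501 and the extra group name are made up; the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample group(5) file standing in for /etc/group on the appliance.
# A similarly named group is included to show why the match must be anchored
# on the whole name rather than on a prefix.
GROUP_FILE=$(mktemp)
trap 'rm -f "$GROUP_FILE"' EXIT
cat > "$GROUP_FILE" <<'EOF'
root:x:0:
layer7:x:500:
ssgconfig_ldap_local:x:501:
ssgconfig_ldap_local_old:x:502:
EOF

# Step 3, with the name anchored by the ':' separator so only the exact group matches.
group_gid() {
    # $1 = group file, $2 = group name; prints the numeric gid, or nothing if absent
    cut -d':' -f1,3 "$1" | grep "^$2:" | cut -d':' -f2
}

# Step 4: build the /etc/nslcd.conf line, refusing to emit one when the group is
# missing, because an empty gid in the mapping would misconfigure nslcd.
nslcd_map_line() {
    gid=$(group_gid "$1" "$2")
    if [ -z "$gid" ]; then
        echo "group $2 not found in $1; run groupadd -f $2 first (step 1)" >&2
        return 1
    fi
    printf 'map passwd gidNumber "%s"\n' "$gid"
}

# Print the line to append to /etc/nslcd.conf for the sample file.
nslcd_map_line "$GROUP_FILE" ssgconfig_ldap_local
```

On a real appliance, call group_gid with /etc/group and then restart nslcd as in step 5; the article's own grep pattern "^ssgconfig_ldap_local.*" would also match any group whose name merely starts with ssgconfig_ldap_local, which is what the anchored form avoids.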

IMPORTANT: The changes to Linux configuration files will be overwritten if you use Foundation Services to update authentication configuration.

Environment

Component: APIGTW