06-16-2020 12:55 AM
Hi,
I want to try enabling LDAP to test authentication for one of my Nexus 9K switches. I referred to various online documents but could not find any possible answer for what I am looking for.
I have my Nexus configured as below. I see Invalid Credentials though the username and password are correct. I am able to reach my LDAP server via vrf management too. I wanted to set shell:roles="network-admin" for the user when authenticating. Please let me know what I am missing.
CANDID-SYS-S3-BGW2(config)# show running-config ldap
feature ldap
ldap-server host 172.29.132.104 rootDN "cn=Admin,cn=Users,dc=cisco,dc=com" password 7 qxz12345 timeout 60
ldap search-map cisco
userprofile attribute-name "description" search-filter "cn=$userid" base-DN "dc=cisco,dc=com"
aaa group server ldap nxLdap
server 172.29.132.104
authentication bind-first
use-vrf management
ldap-search-map cisco
CANDID-SYS-S3-BGW2(config)#
CANDID-SYS-S3-BGW2(config)# no aaa authentication login default group nxLdap
CANDID-SYS-S3-BGW2(config)#
CANDID-SYS-S3-BGW2(config)#
CANDID-SYS-S3-BGW2(config)# aaa authentication login default group nxLdap
CANDID-SYS-S3-BGW2(config)# test aaa group nxLdap sw-admin Nbv12345
user has failed authentication
CANDID-SYS-S3-BGW2(config)# 2020 Jun 16 07:41:09.545054 aaa: sg_protocol is incorrect. Retrieving it by checking group list
2020 Jun 16 07:41:09.545214 ldap: IN FUNCTION ldap_search_map.... for name cisco
2020 Jun 16 07:41:09.545279 ldap: ldap_get_vrf_applicable:(user sw-admin) group vrf :vrf management
2020 Jun 16 07:41:09.545388 ldap: ldap_get_vrf_applicable:(user sw-admin) group vrf :vrf management
2020 Jun 16 07:41:09.545406 ldap: ldap_construct_userDN_from_BaseDN: (user sw-admin)
2020 Jun 16 07:41:09.545419 ldap: ldap_construct_userDN_from_BaseDN: (user sw-admin) constructed userDN: cn=sw-admin,dc=cisco,dc=com
2020 Jun 16 07:41:09.548585 ldap: ldap_handle_rebind_rsp: (user sw-admin) - bind for user failed - error Invalid credentials
2020 Jun 16 07:41:09.548630 ldap: ldap_get_vrf_applicable:(user sw-admin) group vrf :vrf management
LDAP :
[root@localhost ~]# cat add_sw-admin.ldiff
dn: uid=sw-admin,ou=people,dc=cisco,dc=com
cn: sw-admin
givenName: sw-admin
sn: sw-admin
uid: sw-admin
uidNumber: 10002
gidNumber: 10001
homeDirectory: /home/sw-admin
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
loginShell: /bin/bash
userPassword: {crypt}x
description: shell:roles="network-admin"
[root@localhost ~]#
[root@localhost ~]# ldapadd -x -W -D "cn=ldapadm,dc=cisco,dc=com" -f add_sw-admin.ldiff
Enter LDAP Password:
adding new entry "uid=sw-admin,ou=people,dc=cisco,dc=com"
[root@localhost ~]# ldappasswd -s Nbv12345 -W -D "cn=ldapadm,dc=cisco,dc=com" -x "uid=sw-admin,ou=people,dc=cisco,dc=com"
Enter LDAP Password:
[root@localhost ~]#
[root@localhost ~]# ldapsearch -x -W -D "cn=ldapadm,dc=cisco,dc=com" -b "uid=sw-admin,ou=People,dc=cisco,dc=com"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=sw-admin,ou=People,dc=cisco,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# sw-admin, People, cisco.com
dn: uid=sw-admin,ou=People,dc=cisco,dc=com
cn: sw-admin
givenName: sw-admin
sn: sw-admin
uid: sw-admin
uidNumber: 10002
gidNumber: 10001
homeDirectory: /home/sw-admin
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
loginShell: /bin/bash
description: shell:roles="network-admin"
userPassword:: e1NTSEF9N1dNRnNVQkJMZ0dSd1RTZU9ydGd0aVhWS2JZS3BVTGg=
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
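The debug output in the post shows what the switch actually did before it got "Invalid credentials": ldap_construct_userDN_from_BaseDN substituted the user name into the search-map filter and appended the base-DN, giving cn=sw-admin,dc=cisco,dc=com, and then tried to bind as that DN. The entry that ldapsearch returned lives at uid=sw-admin,ou=People,dc=cisco,dc=com, so the bind DN and the real DN differ in both the RDN attribute and the container. The script below is an added example, not code from the post or from Cisco; it replays that construction offline against an LDIF dump so the mismatch (and the shell:roles value in the description attribute) can be checked before touching the switch. The LDIF sample is constructed from the post's ldapsearch output, and the function names, the $userid substitution and the comparison logic are assumptions modelled on the debug line, not NX-OS internals.

```python
"""Dry run of the NX-OS LDAP bind-DN construction against an LDIF dump.

Added example (not from the original post or from NX-OS). It models the
behaviour shown by the debug line
  ldap_construct_userDN_from_BaseDN: ... constructed userDN: cn=sw-admin,dc=cisco,dc=com
i.e. "$userid" is substituted into the search-map filter and the base-DN is
appended, and the switch binds as the result. Names below are assumptions.
"""
import base64
import re

# Constructed sample: search-map values from the post's running-config.
SEARCH_FILTER = "cn=$userid"
BASE_DN = "dc=cisco,dc=com"
PROFILE_ATTR = "description"

# Constructed sample: the entry returned by the post's ldapsearch (abridged).
LDIF_DUMP = """\
dn: uid=sw-admin,ou=People,dc=cisco,dc=com
cn: sw-admin
sn: sw-admin
uid: sw-admin
objectClass: top
objectClass: inetOrgPerson
description: shell:roles="network-admin"
userPassword:: e1NTSEF9N1dNRnNVQkJMZ0dSd1RTZU9ydGd0aVhWS2JZS3BVTGg=
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts.

    Handles 'attr:: base64' values and leading-space continuation lines;
    blank lines separate entries.
    """
    entries, cur, last_attr = [], {}, None
    for line in text.splitlines():
        if not line or line.startswith("#"):
            if cur:
                entries.append(cur)
                cur, last_attr = {}, None
            continue
        if line.startswith(" ") and last_attr:      # folded continuation line
            cur[last_attr][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                    # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        cur.setdefault(attr, []).append(value)
        last_attr = attr
    if cur:
        entries.append(cur)
    return entries


def normalize_dn(dn):
    """Case-fold and strip whitespace around RDN separators for comparison."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def constructed_user_dn(search_filter, base_dn, userid):
    """DN the switch binds with: filter with $userid filled in, then base-DN."""
    return f"{search_filter.replace('$userid', userid)},{base_dn}"


def entry_roles(entry, attr):
    """Pull role names out of shell:roles="a b" in the user-profile attribute."""
    roles = []
    for value in entry.get(attr, []):
        m = re.search(r'shell:roles="([^"]*)"', value)
        if m:
            roles.extend(m.group(1).split())
    return roles


def check_bind(userid, entries, search_filter=SEARCH_FILTER,
               base_dn=BASE_DN, attr=PROFILE_ATTR):
    """Report whether the constructed bind DN exists and what the directory holds.

    If the constructed DN is absent, fall back to any entry whose cn or uid
    equals the user name so the report shows the DN that would have matched.
    """
    wanted = constructed_user_dn(search_filter, base_dn, userid)
    by_dn = {normalize_dn(e["dn"][0]): e for e in entries}
    hit = by_dn.get(normalize_dn(wanted))
    candidates = [e for e in entries
                  if userid in e.get("cn", []) + e.get("uid", [])]
    actual = hit or (candidates[0] if candidates else None)
    pw = actual.get("userPassword", [""])[0] if actual else ""
    return {
        "constructed_dn": wanted,
        "dn_exists": hit is not None,
        "actual_dn": actual["dn"][0] if actual else None,
        "roles": entry_roles(actual, attr) if actual else [],
        # "{SSHA}" here confirms ldappasswd replaced the {crypt}x placeholder
        "password_scheme": pw.split("}")[0] + "}" if pw.startswith("{") else None,
    }


if __name__ == "__main__":
    for key, val in check_bind("sw-admin", parse_ldif(LDIF_DUMP)).items():
        print(f"{key}: {val}")
```

Run it against an `ldapsearch -LLL` dump of the user subtree: `dn_exists: False` together with an `actual_dn` that differs from `constructed_dn` reproduces the post's failure without a switch in the loop, and `roles` confirms the description attribute parses to the role you expect. The script only mirrors the construction the debug line reveals; confirm any change to the search-map on the device with the same `test aaa group` and LDAP debugs the post used.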