LDAP on Nexus 9K

murasubr

Hi,

 

I want to enable LDAP to test authentication on one of my Nexus 9K switches. I have gone through various online documents but could not find an answer to what I am looking for.

 

I have my Nexus configured as below. The bind fails with "Invalid credentials" even though the username and password are correct, and I can reach my LDAP server via the management VRF. I want the user to be assigned shell:roles="network-admin" when authenticating. Please let me know what I am missing.

 

CANDID-SYS-S3-BGW2(config)# show running-config ldap
feature ldap

ldap-server host 172.29.132.104 rootDN "cn=Admin,cn=Users,dc=cisco,dc=com" password 7 qxz12345 timeout 60
ldap search-map cisco
userprofile attribute-name "description" search-filter "cn=$userid" base-DN "dc=cisco,dc=com"
aaa group server ldap nxLdap
server 172.29.132.104
authentication bind-first
use-vrf management
ldap-search-map cisco

 

CANDID-SYS-S3-BGW2(config)#

 

CANDID-SYS-S3-BGW2(config)# no aaa authentication login default group nxLdap
CANDID-SYS-S3-BGW2(config)#
CANDID-SYS-S3-BGW2(config)#
CANDID-SYS-S3-BGW2(config)# aaa authentication login default group nxLdap
CANDID-SYS-S3-BGW2(config)# test aaa group nxLdap sw-admin Nbv12345
user has failed authentication
CANDID-SYS-S3-BGW2(config)# 2020 Jun 16 07:41:09.545054 aaa: sg_protocol is incorrect. Retrieving it by checking group list
2020 Jun 16 07:41:09.545214 ldap: IN FUNCTION ldap_search_map.... for name cisco
2020 Jun 16 07:41:09.545279 ldap: ldap_get_vrf_applicable:(user sw-admin) group vrf :vrf management
2020 Jun 16 07:41:09.545388 ldap: ldap_get_vrf_applicable:(user sw-admin) group vrf :vrf management
2020 Jun 16 07:41:09.545406 ldap: ldap_construct_userDN_from_BaseDN: (user sw-admin)
2020 Jun 16 07:41:09.545419 ldap: ldap_construct_userDN_from_BaseDN: (user sw-admin) constructed userDN: cn=sw-admin,dc=cisco,dc=com
2020 Jun 16 07:41:09.548585 ldap: ldap_handle_rebind_rsp: (user sw-admin) - bind for user failed - error Invalid credentials
2020 Jun 16 07:41:09.548630 ldap: ldap_get_vrf_applicable:(user sw-admin) group vrf :vrf management

 

 

On the LDAP server:

 

[root@localhost ~]# cat add_sw-admin.ldiff
dn: uid=sw-admin,ou=people,dc=cisco,dc=com
cn: sw-admin
givenName: sw-admin
sn: sw-admin
uid: sw-admin
uidNumber: 10002
gidNumber: 10001
homeDirectory: /home/sw-admin
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
loginShell: /bin/bash
userPassword: {crypt}x
description: shell:roles="network-admin"

[root@localhost ~]#

 

[root@localhost ~]# ldapadd -x -W -D "cn=ldapadm,dc=cisco,dc=com" -f add_sw-admin.ldiff
Enter LDAP Password:
adding new entry "uid=sw-admin,ou=people,dc=cisco,dc=com"

[root@localhost ~]# ldappasswd -s Nbv12345 -W -D "cn=ldapadm,dc=cisco,dc=com" -x "uid=sw-admin,ou=people,dc=cisco,dc=com"
Enter LDAP Password:
[root@localhost ~]#

 

[root@localhost ~]# ldapsearch -x -W -D "cn=ldapadm,dc=cisco,dc=com" -b "uid=sw-admin,ou=People,dc=cisco,dc=com"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=sw-admin,ou=People,dc=cisco,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# sw-admin, People, cisco.com
dn: uid=sw-admin,ou=People,dc=cisco,dc=com
cn: sw-admin
givenName: sw-admin
sn: sw-admin
uid: sw-admin
uidNumber: 10002
gidNumber: 10001
homeDirectory: /home/sw-admin
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
loginShell: /bin/bash
description: shell:roles="network-admin"
userPassword:: e1NTSEF9N1dNRnNVQkJMZ0dSd1RTZU9ydGd0aVhWS2JZS3BVTGg=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@localhost ~]# cat add_sw-admin.ldiff
dn: uid=sw-admin,ou=people,dc=cisco,dc=com
cn: sw-admin
givenName: sw-admin
sn: sw-admin
uid: sw-admin
uidNumber: 10002
gidNumber: 10001
homeDirectory: /home/sw-admin
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
loginShell: /bin/bash
userPassword: {crypt}x
description: shell:roles="network-admin"

[root@localhost ~]#
