NSO - LDAP authentication fallback mechanism

jiyebae
Cisco Employee

Hi,

Does NSO have a fallback mechanism to the local user in the event that the LDAP server is not reachable? And what about when the local user is locked/unusable but LDAP is reachable?


3 Replies

Jan Lindblad
Cisco Employee

Yes, you can set up NSO to use a sequence of user lookups. It is, for example, common to have NSO first do a local database check, to allow login with emergency user credentials. If there is no match there, NSO might proceed to PAM or external auth, which in turn might be configured to do LDAP and/or TACACS, etc. lookups. For even more severe cases, users that have access to the underlying operating system where NSO runs can start an NSO shell without access control restrictions to sort things out.

Thanks Jan. For both scenarios I mentioned earlier, does the fallback mechanism check the local database again, or just abort access?

NSO is following the sequence of aaa sources you have setup. As soon as any source returns accept or deny, the search stops and the user is accepted or denied. If there is no match at a given source, the search goes on with the next method until there are no more sources. Then the user is denied. But as I said, there's a mechanism to still allow access to users that can log in to the operating system level, as a last resort.
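The three-state walk over the AAA source list described in the reply above, written out as a small Python simulation. This is an added illustration, not NSO code and not an NSO configuration: the source names, the user tables and the rule that an unreachable LDAP server counts as "no match" (so the search moves on) are all assumptions made for the example. It shows the two questions from the thread directly: a user known only to LDAP is denied once the list is exhausted with LDAP down, and a locked local account returns "deny" at the first source, so LDAP is never consulted for that user.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple

class Verdict(Enum):
    ACCEPT = "accept"      # search stops, user accepted
    DENY = "deny"          # search stops, user denied
    NO_MATCH = "no-match"  # search continues with the next source

# A source is a callable (username, password) -> Verdict.
Source = Callable[[str, str], Verdict]

def local_db(users: Dict[str, Tuple[str, bool]]) -> Source:
    """Constructed local user table: name -> (password, locked)."""
    def check(user: str, pw: str) -> Verdict:
        if user not in users:
            return Verdict.NO_MATCH
        password, locked = users[user]
        if locked or password != pw:
            return Verdict.DENY   # a locked or wrong-password local user is a hard deny
        return Verdict.ACCEPT
    return check

def ldap_dir(directory: Dict[str, str], reachable: bool) -> Source:
    """Constructed LDAP stand-in. Assumption for this example: an unreachable
    server behaves like "no match", so the chain continues to the next source."""
    def check(user: str, pw: str) -> Verdict:
        if not reachable or user not in directory:
            return Verdict.NO_MATCH
        return Verdict.ACCEPT if directory[user] == pw else Verdict.DENY
    return check

def authenticate(order: List[Tuple[str, Source]], user: str, pw: str
                 ) -> Tuple[bool, List[Tuple[str, Verdict]]]:
    """Walk the configured sources in order; stop on the first accept or deny.
    Returns (accepted, trail) where trail lists which sources were asked and what they said."""
    trail: List[Tuple[str, Verdict]] = []
    for name, source in order:
        verdict = source(user, pw)
        trail.append((name, verdict))
        if verdict is Verdict.ACCEPT:
            return True, trail
        if verdict is Verdict.DENY:
            return False, trail
    return False, trail   # no source matched: denied

# Constructed sample data (hypothetical accounts, not real credentials).
LOCAL_USERS = {"emergency": ("break-glass-pw", False), "bob": ("bobpw", True)}
LDAP_USERS = {"alice": "alicepw"}

def run(ldap_reachable: bool, user: str, pw: str):
    order = [("local", local_db(LOCAL_USERS)),
             ("ldap", ldap_dir(LDAP_USERS, ldap_reachable))]
    return authenticate(order, user, pw)

if __name__ == "__main__":
    for reachable, user, pw in [(True, "alice", "alicepw"), (False, "alice", "alicepw"),
                                (True, "bob", "bobpw"), (False, "emergency", "break-glass-pw")]:
        ok, trail = run(reachable, user, pw)
        print(f"ldap_up={reachable} user={user}: accepted={ok} trail={[(n, v.value) for n, v in trail]}")
```

The trail is the useful part for a defender: it makes visible that a local deny short-circuits the chain, and that with LDAP down the only accounts that can still log in are those in the local database, which is why an emergency local user is placed first in the order.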