02-12-2018 06:05 AM - edited 03-01-2019 04:05 AM
Hi,
Does NSO have a fallback mechanism to the local user in the event that the LDAP server is not reachable? And what about when the local user is locked/unusable but LDAP is reachable?
02-12-2018 06:42 AM
Yes, you can set up NSO to use a sequence of user lookups. It is, for example, common to have NSO first do a local database check, to allow login with emergency user credentials. If there is no match there, NSO might proceed to PAM or external auth, which in turn might be configured to do LDAP and/or TACACS, etc. lookups. For even more severe cases, users that have access to the underlying operating system where NSO runs can start an NSO shell without access control restrictions to sort things out.
02-12-2018 06:57 AM
Thanks Jan. For both scenarios which I mentioned earlier, does the fall-back mechanism check the local database again or just abort access?
02-12-2018 07:07 AM
NSO follows the sequence of aaa sources you have set up. As soon as any source returns accept or deny, the search stops and the user is accepted or denied. If there is no match at a given source, the search goes on with the next method until there are no more sources. Then the user is denied. But as I said, there's a mechanism to still allow access to users that can log in to the operating system level, as a last resort.
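To make the sequence semantics in Jan's answer concrete, here is a small Python model of a first-match AAA chain. It is an added illustration, not NSO code or NSO configuration. It assumes two sources in the order described in the thread, a local database followed by an external LDAP-style source, and it makes two labelled assumptions the thread does not settle: a locked local account returns deny, and an unreachable external server returns no match. Verify both against the documentation for your NSO version before relying on them.

```python
"""Model of a first-match AAA source chain (illustration only, not NSO code)."""
import hmac
from enum import Enum
from typing import Callable, List, Tuple


class Verdict(Enum):
    ACCEPT = "accept"      # source knows the user and the credentials are valid
    DENY = "deny"          # source knows the user and rejects the attempt
    NO_MATCH = "no-match"  # source has no opinion; the search moves on


Source = Callable[[str, str], Verdict]

# Constructed sample data for the demo; none of this is a real credential store.
LOCAL_USERS = {"emergency": "correct-horse", "oper": "old-local-pw"}
LOCAL_LOCKED = {"oper"}            # assumption: a locked local account yields DENY
LDAP_USERS = {"oper": "battery-staple", "alice": "s3cret"}


def local_db(user: str, password: str) -> Verdict:
    """Local database: emergency accounts live here, as do locked accounts."""
    if user not in LOCAL_USERS:
        return Verdict.NO_MATCH
    if user in LOCAL_LOCKED:
        return Verdict.DENY
    ok = hmac.compare_digest(LOCAL_USERS[user], password)  # constant-time compare
    return Verdict.ACCEPT if ok else Verdict.DENY


def make_ldap(reachable: bool) -> Source:
    """External (LDAP-style) source.

    Assumption for this model: an unreachable server yields NO_MATCH so the
    chain continues. How a real backend reports an outage must be checked.
    """
    def ldap(user: str, password: str) -> Verdict:
        if not reachable or user not in LDAP_USERS:
            return Verdict.NO_MATCH
        ok = hmac.compare_digest(LDAP_USERS[user], password)
        return Verdict.ACCEPT if ok else Verdict.DENY
    return ldap


def authenticate(user: str, password: str,
                 sources: List[Tuple[str, Source]]) -> Tuple[Verdict, str]:
    """Walk the sources in order: the first ACCEPT or DENY ends the search,
    NO_MATCH falls through, and running out of sources means DENY."""
    for name, source in sources:
        verdict = source(user, password)
        if verdict is not Verdict.NO_MATCH:
            return verdict, name
    return Verdict.DENY, "exhausted"


def chain(ldap_reachable: bool) -> List[Tuple[str, Source]]:
    """Local database first, then the external source, as described in the thread."""
    return [("local-db", local_db), ("ldap", make_ldap(ldap_reachable))]


if __name__ == "__main__":
    attempts = [("emergency", "correct-horse"), ("alice", "s3cret"),
                ("oper", "battery-staple"), ("nobody", "x")]
    for reachable in (True, False):
        for user, pw in attempts:
            verdict, decided_by = authenticate(user, pw, chain(reachable))
            print(f"ldap_reachable={str(reachable):5} {user:>9}: "
                  f"{verdict.value:8} (decided by {decided_by})")
```

Under those assumptions the run shows the two scenarios from the question: with LDAP unreachable, the emergency user still gets in via the local database while an LDAP-only user is denied once the sources are exhausted; with LDAP reachable, a user that is locked in the local database is denied by the local database before LDAP is ever consulted, because the first accept or deny ends the search.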