LDAP Authentication

User_4444_2
Level 1

I'm trying to set up LDAP Authentication for our MDS 9509's running 5.2(2) without success; I followed the "Sec Version 5" document. When I try to log in and run "Debug ldap all" (in another session) to capture what is happening, I get success for most of the steps except for "ldap_pss_move2key", with the error "no such pss key". I did set up a private key before the step "aaa authorization ssh-publickey default group", as the documentation didn't mention creating one, but surely it won't work without a public key.

Another thing: how does the role mapping work? Does everybody who logs in get default rights?

Thanks

3 Replies

mroney211
Level 1

I saw your thread and I too am looking to setup LDAP authentication for some MDS 9509 directors.

I did get LDAP Authentication to work without having to set "aaa authorization ssh-publickey default group".

I applied (sAMAccountName=cn) as a filter to our user baseDN for the cn attribute as a userprofile filter. That seemed to be the trick for getting LDAP authentication to work.

I used a bind DN/password with non-ssl (port 389) and specified the password as plain text (non-encrypted).

When I log in via LDAP, I only have limited access due to the default role. I have been looking for a way to specify the roles a user is assigned in the LDAP, but I don't understand how to set this up.

Once I get the roles assigned, I plan to change to SSL... but without figuring out how to assign users to a role, there's no point in adding that complexity yet.

I gave up on LDAP and went for RADIUS instead, and had fun with that; I had to open a call with Cisco around password changing (see my other thread).

Good luck with the LDAP authentication. Let us know how it goes.

I tested in my lab and am trying to get SSL working for LDAP. I was able to pass the role back as part of the login process. In my example, I used the LDAP field called 'department', and in that field on the AD server for the authenticating account I put the text in as 'network-admin' (minus the quotes).

This is my search map config.

ldap search-map s0
  userprofile attribute-name "department" search-filter "(&(objectclass=person)(cn=$userid))" base-DN "cn=users,dc=tsi-mike,dc=cisco,dc=com"

You can use any text field in the user profile to key in the roles attribute and then use that field name in the search map.

Hope this helps,

Mike
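To make the search-map behaviour above concrete, here is an added Python model of what the switch does with that line: it expands $userid into the search filter, looks the user up, and reads the role out of the chosen attribute. This is example code written for this thread, not Cisco's implementation or Mike's configuration. Two details matter for a defender: the login name must be escaped per RFC 4515 before it is spliced into the filter (otherwise a crafted username could change the filter's meaning), and only attribute values that name a role the switch actually knows should be honoured, with everything else falling back to the default role that the earlier posts complain about. The directory entries, the known-role set and the default role name "network-operator" are all constructed assumptions for the demo.

```python
"""Model of an NX-OS LDAP search-map lookup (added example, not Cisco code).

Assumptions (not from the thread): the directory below is a constructed
stand-in for the AD "cn=users" container, the known-role set is what a
switch might have defined, and "network-operator" is the fallback role.
"""
import re
from string import Template

# RFC 4515 escaping for a value embedded in a search filter. Backslash is
# listed first so already-escaped output is never double-escaped by mistake.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string so it can only ever be a literal value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, userid: str) -> str:
    """Expand $userid in a search-map filter, with the login name escaped."""
    return Template(template).substitute(userid=escape_filter_value(userid))


def _unescape(value: str) -> str:
    """Reverse RFC 4515 \\XX escapes when comparing against stored values."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(filt: str, pos: int = 0):
    """Tiny recursive-descent parser: supports &, |, ! and equality items."""
    if filt[pos] != "(":
        raise ValueError("filter item must start with '('")
    pos += 1
    op = filt[pos]
    if op in "&|!":
        pos += 1
        children = []
        while filt[pos] == "(":
            node, pos = _parse(filt, pos)
            children.append(node)
        if filt[pos] != ")":
            raise ValueError("unterminated compound filter")
        return (op, children), pos + 1
    end = filt.index(")", pos)            # escaped values contain no literal ')'
    attr, value = filt[pos:end].split("=", 1)
    return ("=", attr.lower(), _unescape(value)), end + 1


def _matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry (attrs -> list of values)."""
    kind = node[0]
    if kind == "=":
        _, attr, value = node
        return any(v.lower() == value.lower() for v in entry.get(attr, []))
    children = node[1]
    if kind == "&":
        return all(_matches(c, entry) for c in children)
    if kind == "|":
        return any(_matches(c, entry) for c in children)
    return not _matches(children[0], entry)   # "!" takes exactly one child


def resolve_role(directory, template, userid, attribute, known_roles, default_role):
    """Return the role the switch would assign after the userprofile search.

    Exactly one matching entry is required; an attribute value that is not a
    role the switch knows is ignored so the account lands in the default role.
    """
    node, _ = _parse(build_search_filter(template, userid))
    hits = [e for e in directory if _matches(node, e)]
    if len(hits) != 1:
        return default_role
    for value in hits[0].get(attribute.lower(), []):
        if value in known_roles:
            return value
    return default_role


# Constructed directory contents; attribute names are lower-cased keys.
DIRECTORY = [
    {"objectclass": ["top", "person"], "cn": ["mike"], "department": ["network-admin"]},
    {"objectclass": ["top", "person"], "cn": ["alice"], "department": ["finance"]},
    {"objectclass": ["top", "group"], "cn": ["ops"], "department": ["network-admin"]},
]
TEMPLATE = "(&(objectclass=person)(cn=$userid))"   # same filter as the search map
KNOWN_ROLES = {"network-admin", "network-operator"}  # assumed switch-side roles
DEFAULT_ROLE = "network-operator"                    # assumed fallback role


def demo(userid: str) -> str:
    """Resolve the role for one login name against the constructed directory."""
    return resolve_role(DIRECTORY, TEMPLATE, userid, "department", KNOWN_ROLES, DEFAULT_ROLE)


if __name__ == "__main__":
    for name in ("mike", "alice", "ops", "*)(cn=mike"):
        print(f"{name!r:>14} -> {build_search_filter(TEMPLATE, name)} -> {demo(name)}")
```

Running the block shows "mike" resolving to network-admin from the department attribute, "alice" (department "finance", not a role) and "ops" (a group, so excluded by the objectclass=person term) dropping to the default role, and a username containing filter metacharacters being escaped into a harmless literal that matches nothing.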
