LDAP Authorization NX-OS & Catalyst

Rem Markov
Level 1

So! Hey there!

I'm trying to set up LDAP in our environment on all our switches instead of TACACS.

When trying to set an LDAP search map like this:

ldap search-map cisco  userprofile attribute-name "description" search-filter "(cn=$userid)" base-DN "OU=CiscoUCS,DC=ccierants,DC=com"

I'm only able to set it for users, meaning if I have a group, let's say network-pros, and I want all of the members of this group to have network-admin permissions, I'm unable to; I need to go user by user and add:
shell:roles=network-admins in some random attribute.

Why is the authorization like that? Why can't I set group authorization, only user authorization?

4 Replies

balaji.bandi
Hall of Fame

There are some limitations we should accept before using it - personally I would not use LDAP directly (this exposes a lot of information when you are configuring the switch).

Instead I use NPS (if you like MS products).

Refer to the limitations and command syntax:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x_chapter_0110.html#...

BB


The docs for LDAP are the worst. But is there a way to use LDAP on IOS? Is there a way to make authorization based on group?

As I mentioned, there are some limitations you should understand.

Authorization is possible, but it's limited (you cannot get what TACACS does for you).

BB


M02@rt37
VIP

In your case, when setting authorization for a group, you may need to loop through the users in that group and apply the necessary authorization settings. This is because LDAP, by default, doesn't provide direct mechanisms to set authorization for groups in the same way you can set it for individual users.

If you want a more group-centric approach to authorization, you may need to look into LDAP integration tools or middleware that can extend LDAP's capabilities to allow for more granular group-based authorization.

Some Identity and Access Management (IAM) solutions can provide additional features to achieve this.

Organizations use both NPS for network access control and an IAM solution to manage identities and access across a wider array of systems and applications, creating a comprehensive security framework.

Best regards
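The two halves of this thread, the search map in the original post that reads a role from one attribute of the user's own entry, and the "loop through the users in that group" sync that M02@rt37 describes, can be shown together in working code. The script below is an added example, not code from the thread or from Cisco. It emulates the switch-side lookup (filter "(cn=$userid)" under the thread's base DN, reading "description") and a group-to-attribute sync that writes a shell:roles value into every member of a mapped group and clears it from users who have left every mapped group. Everything in it is an assumption except the base DN, attribute name and filter from the post: the directory entries are constructed in memory so it runs offline (a real job would issue ldap3 or python-ldap search and modify calls), the group network-ops and the group-to-role mapping are invented, and the quoted `shell:roles="role1 role2"` form is the AV-pair syntax as I recall it from the NX-OS security guide linked above; verify it against that guide before relying on it.

```python
"""Per-user NX-OS role attribute, synced from LDAP group membership.

Added example (not from the thread or Cisco).  NX-OS reads the role from an
attribute on the user's own entry and never walks group membership, so an
external job must push a shell:roles value into each member's entry.
DIRECTORY is a constructed in-memory stand-in for the LDAP server.
"""
import re
from typing import Dict, List, Tuple

BASE_DN = "OU=CiscoUCS,DC=ccierants,DC=com"   # base-DN from the thread's search map
ROLE_ATTR = "description"                     # attribute-name from the search map

# Constructed sample directory: DN -> attribute -> list of values.
# carol carries a stale role and is in no mapped group; the sync must revoke it.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=alice,OU=CiscoUCS,DC=ccierants,DC=com": {"cn": ["alice"], "description": []},
    "cn=bob,OU=CiscoUCS,DC=ccierants,DC=com": {"cn": ["bob"], "description": ["stale text"]},
    "cn=carol,OU=CiscoUCS,DC=ccierants,DC=com": {"cn": ["carol"],
                                                  "description": ["shell:roles=network-admin"]},
    "cn=network-pros,OU=Groups,DC=ccierants,DC=com": {          # group from the thread
        "cn": ["network-pros"],
        "member": ["cn=alice,OU=CiscoUCS,DC=ccierants,DC=com",
                   "cn=bob,OU=CiscoUCS,DC=ccierants,DC=com"]},
    "cn=network-ops,OU=Groups,DC=ccierants,DC=com": {           # invented group
        "cn": ["network-ops"],
        "member": ["cn=bob,OU=CiscoUCS,DC=ccierants,DC=com"]},
}

# Hypothetical group -> NX-OS role mapping (role names are built-in NX-OS roles).
GROUP_ROLES: Dict[str, str] = {
    "cn=network-pros,OU=Groups,DC=ccierants,DC=com": "network-admin",
    "cn=network-ops,OU=Groups,DC=ccierants,DC=com": "network-operator",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search(base_dn: str, flt: str) -> List[str]:
    """Minimal evaluator for one equality filter such as "(cn=alice)" or the
    presence filter "(cn=*)" over DIRECTORY entries below base_dn."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not m:
        raise ValueError("unsupported filter: " + flt)
    attr, raw = m.group(1), m.group(2)
    below = [(dn, a) for dn, a in DIRECTORY.items()
             if dn.lower().endswith("," + base_dn.lower())]
    if raw == "*":                                  # unescaped star = wildcard
        return [dn for dn, a in below if a.get(attr)]
    wanted = _unescape(raw)                         # escaped value = literal match
    return [dn for dn, a in below if wanted in a.get(attr, [])]


def user_filter(userid: str) -> str:
    """The search map's "(cn=$userid)" with the userid escaped."""
    return "(cn=%s)" % escape_filter_value(userid)


def authorize(userid: str) -> List[str]:
    """Switch-side view: locate the user's entry, read ROLE_ATTR, parse the
    roles.  Returns [] (deny) when the entry is missing, ambiguous or roleless."""
    dns = search(BASE_DN, user_filter(userid))
    if len(dns) != 1:
        return []
    for value in DIRECTORY[dns[0]].get(ROLE_ATTR, []):
        m = re.fullmatch(r'shell:roles="?([^"]*)"?', value.strip())
        if m:
            return m.group(1).split()
    return []


def desired_roles() -> Dict[str, List[str]]:
    """Roles each user should carry, derived from mapped group membership."""
    roles: Dict[str, List[str]] = {}
    for group_dn, role in GROUP_ROLES.items():
        for member_dn in DIRECTORY.get(group_dn, {}).get("member", []):
            if role not in roles.setdefault(member_dn, []):
                roles[member_dn].append(role)
    return roles


def role_value(roles: List[str]) -> str:
    """Assumed NX-OS AV-pair form: shell:roles="role1 role2" (space-separated)."""
    return 'shell:roles="%s"' % " ".join(sorted(roles))


def plan_changes() -> List[Tuple[str, List[str], List[str]]]:
    """(dn, current, new) for every user whose ROLE_ATTR differs from what the
    groups imply; users in no mapped group get the attribute cleared."""
    wanted = desired_roles()
    changes = []
    for dn in search(BASE_DN, "(cn=*)"):
        current = DIRECTORY[dn].get(ROLE_ATTR, [])
        new = [role_value(wanted[dn])] if dn in wanted else []
        if current != new:
            changes.append((dn, list(current), new))
    return changes


def apply_changes() -> int:
    """Apply the planned replace operations; returns the number of entries changed.
    Against a real server this is conn.modify(dn, {ROLE_ATTR: [(MODIFY_REPLACE, new)]})."""
    changes = plan_changes()
    for dn, _old, new in changes:
        DIRECTORY[dn][ROLE_ATTR] = list(new)
    return len(changes)


if __name__ == "__main__":
    print("before:", {u: authorize(u) for u in ("alice", "bob", "carol")})
    for dn, old, new in plan_changes():
        print("modify", dn, old, "->", new)
    apply_changes()
    print("after: ", {u: authorize(u) for u in ("alice", "bob", "carol")})
    print("escaped '*' matches", search(BASE_DN, user_filter("*")),
          "; raw '(cn=*)' matches", search(BASE_DN, "(cn=*)"))
```

Two points the script makes that the thread only implies: the sync has to handle revocation (carol keeps network-admin until a job clears the attribute, which is the "limitation" of storing authorization on the user object), and whatever substitutes $userid into the filter must escape it, otherwise a userid of `*` turns `(cn=$userid)` into a filter that matches every user under the base DN.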