I'm having some issues configuring LDAP authentication (through Windows) on our Cisco switch when connecting over SSH. I've swapped out some information from the switch; you'll see it here in capitals.
Currently we only have one shared user, and the goal is for users to log in with their own AD account and password.
I've verified connectivity to the AD domain controller using telnet to its IP on port 389.
Here is the relevant information (aaa, ldap, user) from my running config:
```
username admin password 5 PASSWORD role network-admin
feature ldap
ldap-server host NAMEOFSERVER rootDN "cn=USERACCT,DC=EXAMPLE,DC=COM" password 7 PASSWORD timeout 60
aaa group server ldap GROUPNAME
  server NAMEOFSERVER
  no ldap-search-map
aaa authentication login default group GROUPNAME
aaa authentication login console local
aaa authorization ssh-publickey default group GROUPNAME
aaa accounting default group GROUPNAME
```
Here is some additional information:
```
version 7.0(3)I6(1)
```
The user I'm logging in with is in a different OU, but the rootDN user should be able to see all accounts. This setup works fine for other non-Cisco devices.
```
show aaa authorization all
         pki-ssh-cert: local
         pki-ssh-pubkey: group GROUPNAME
AAA command authorization:
         default authorization for config-commands: local
         default authorization for commands: local
         console authorization for config-commands: local
         console authorization for commands: local
```
Here is some debug information:
```
2020 Jan 29 14:14:25.831009 ldap: mts_ldap_aaa_request_handler: entering for aaa session id 0
2020 Jan 29 14:14:25.831029 ldap: mts_ldap_aaa_request_handler: user :MYACCOUNT@EXAMPLE.COM:, user_len 30, user_data_len 13
2020 Jan 29 14:14:25.831043 ldap: ldap_authenticate: user MYACCOUNT@EXAMPLE.COM servergroup GROUPNAME
2020 Jan 29 14:14:25.831059 ldap: ldap_global_config: entering ...
2020 Jan 29 14:14:25.831103 ldap: ldap_global_config: GET_REQ...
2020 Jan 29 14:14:25.831115 ldap: ldap_global_config: got back the return value of global configuration operation: SUCCESS
2020 Jan 29 14:14:25.831124 ldap: ldap_global_config: REQ - num server 1 num group 2 timeout 5 deadtime 0
2020 Jan 29 14:14:25.831134 ldap: ldap_global_config: returning retval 0
2020 Jan 29 14:14:25.831143 ldap: ldap_servergroup_config: GET_REQ for LDAP servergroup index 0 name GROUPNAME
2020 Jan 29 14:14:25.831162 ldap: ldap_pss_move2key: rcode = 0 syserr2str = SUCCESS
2020 Jan 29 14:14:25.831183 ldap: ldap_servergroup_config: GET_REQ got protocol server group index 2 name GROUPNAME
2020 Jan 29 14:14:25.831193 ldap: ldap_servergroup_config: returning retval 0 for server group GROUPNAME
2020 Jan 29 14:14:25.831205 ldap: IN FUNCTION ldap_search_map.... for name
2020 Jan 29 14:14:25.831214 ldap: ldap_search_map: entering for search_map , index 0
2020 Jan 29 14:14:25.831222 ldap: ldap_search_map: key size 532, value size 2200
2020 Jan 29 14:14:25.831230 ldap: ldap_search_map: GET_REQ: search_index: 0, search_map:
2020 Jan 29 14:14:25.831237 ldap: find_search_map: entering for search map
2020 Jan 29 14:14:25.831258 ldap: ldap_pss_move2key: rcode = 40480003 syserr2str = no such pss key
2020 Jan 29 14:14:25.831269 ldap: ldap_pss_move2key: calling pss2_getkey
2020 Jan 29 14:14:25.831276 ldap: find_search_map: search map not in PSS
2020 Jan 29 14:14:25.831284 ldap: ldap_search_map: no search map with Protocol search map:
2020 Jan 29 14:14:25.831294 ldap: ldap_search_map: got back the return value of Protocol server operation: can not find the LDAP server, desc: can not find the LDAP server
2020 Jan 29 14:14:25.831307 ldap: ldap_authenticate: ldap_read_config failed for server group GROUPNAME
2020 Jan 29 14:14:25.831320 ldap: ldap_send_response_to_aaa: entering for user MYACCOUNT@EXAMPLE.COM auth_result 7
2020 Jan 29 14:14:25.831349 ldap: ldap_send_response_to_aaa: (user MYACCOUNT@EXAMPLE.COM) - mts_send_response success
2020 Jan 29 14:14:27 NAMEOFSWITCH %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from IPOFSWITCH - dcos_sshd[6734]
```
It accepts the following command:
```
aaa authorization ssh-publickey default group GROUPNAME
```
but whenever I try to do:
```
aaa authorization commands default group GROUPNAME
Command failed to apply
```
I'm sure I just don't understand the roles well enough, I'm missing something in the documentation, or I don't know which attribute Cisco looks for by default for role access. I'm going to try a different rootDN user whose password doesn't contain a comma.
Resources used:
Posted on 2020-07-01 06:25:02
aaa authorization commands default group GROUPNAME applies only to TACACS-based groups, not to LDAP. For LDAP authentication, the initial rootDN configuration takes care of the root bind. But for the LDAP search, a search map with the appropriate filter and baseDN needs to be configured so that the specific user information can be pulled from the LDAP directory.
https://networkengineering.stackexchange.com/questions/64854
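The search map the answer describes, as an added example (not from the question, the answer, or Cisco's documentation): it assumes the AD base DN `dc=example,dc=com`, the map name `ADMAP`, and that the account's `description` attribute holds the NX-OS role string; the debug lines above (`search map not in PSS`, `ldap_read_config failed`) are what the switch logs while `no ldap-search-map` is still set in the group.

```text
! Search map: after the rootDN bind, the switch searches for the login name
! ($userid) under base-DN and reads the role from the returned attribute.
! Map name, base-DN and the attribute choice are assumptions. The filter
! matches userPrincipalName because the debug shows the login name arriving
! as MYACCOUNT@EXAMPLE.COM; use sAMAccountName if users type the short name.
ldap search-map ADMAP
  userprofile attribute-name "description" search-filter "(&(objectClass=person)(userPrincipalName=$userid))" base-DN "dc=example,dc=com"

! Attach the map to the existing server group (replaces "no ldap-search-map").
aaa group server ldap GROUPNAME
  server NAMEOFSERVER
  ldap-search-map ADMAP

! AD side (assumed format for the role attribute the switch reads): the
! account's description attribute holds the role, for example
!   shell:roles="network-operator"
! Grant network-admin only to accounts that need configuration rights, and
! keep "aaa authentication login console local" so the console still works
! if the domain controller is unreachable.
```

Verify with `show ldap-search-map` and `show ldap-server groups` that the map is bound to the group before retrying the SSH login; the `ldap_search_map` debug lines should then report a map name instead of `search map not in PSS`.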