Hi,
Is it possible to authenticate shell access against LDAP? I have configured it so that I can log into vCenter using my LDAP credentials. I have also enabled Shell/Bash and can SSH as the root user. However, I am unable to SSH as an LDAP user. I see the below in the error log:
2019-04-11T11:04:28.551610+01:00 info applmgmt-audit 2019-04-11T10:04:28.551: INFO Authentication request -- "user:"apike", action:"system.listMethods", result:"denied"
2019-04-11T11:04:28.562940+01:00 info applmgmt-audit 2019-04-11T10:04:28.562: INFO Authentication request -- "user:"apike", action:"system.listMethods", result:"denied"
2019-04-11T11:04:28.563227+01:00 info applmgmt-audit 2019-04-11T10:04:28.563: INFO AuthenticationResult = { authenticated=False, userid=False username=apike, role=GUEST, renew=True, auth_method=LOCAL }
2019-04-11T11:04:28.577576+01:00 info applmgmt-audit 2019-04-11T10:04:28.577: INFO Authentication request -- "user:"apike", action:"system.listMethods", result:"denied"
2019-04-11T11:04:28.588676+01:00 info applmgmt-audit 2019-04-11T10:04:28.588: INFO Authentication request -- "user:"apike", action:"system.listMethods", result:"denied"
2019-04-11T11:04:28.588967+01:00 info applmgmt-audit 2019-04-11T10:04:28.588: INFO AuthenticationResult = { authenticated=False, userid=False username=apike, role=GUEST, renew=True, auth_method=LOCAL }
Can you please let me know if what I'm trying to do is possible? And if so, how it can be done?
Thanks,
Andy
In your SSO Groups, add a user identity to the SystemConfiguration.BashShellAdministrators group. You should then be able to auth with that account in UPN format.
Hi,
Thanks for your reply. I did already have that entry in there:
I've installed the CLI tools:
And this is my configuration:
root@vcas01 [ ~ ]# sso-config.sh -get_identity_sources
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/opt/vmware/lib64/slf4j-log4j12-1.7.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/opt/vmware/lib64/log4j-slf4j-impl-2.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
Total number of identitysources retrieved for tenant:vsphere.local : 3
(If the value is undefined against a param, then you might notice "UndefinedConfig" against it.)
********** IDENTITY SOURCE INFORMATION **********
IdentitySourceName : vsphere.local
DomainType : SYSTEM_DOMAIN
********** IDENTITY SOURCE INFORMATION **********
IdentitySourceName : localos
DomainType : LOCAL_OS_DOMAIN
********** IDENTITY SOURCE INFORMATION **********
IdentitySourceName : opsview.com
DomainType : EXTERNAL_DOMAIN
Identity Settings:
alias : OPSVIEW
authenticationType : PASSWORD
userBaseDN : dc=opsera,dc=com
groupBaseDN : ou=Group,dc=opsera,dc=com
username : cn=nss,ou=Services,dc=opsera,dc=com
providerType : IDENTITY_STORE_TYPE_LDAP
servicePrincipalName : placeholder
useMachineAccount : false
FriendlyName : OpenLDAP
SearchTimeoutInSeconds : 0
Connection Settings:
URLs:
0: ldap://ldap1.opsview.com
1: ldap://slicehost.opsview.com
Certificates:
Attributes:
http://schemas.xmlsoap.org/claims/UPN : userPrincipalName
http://rsa.com/schemas/attr-names/2009/01/GroupIdentity : memberof
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname : givenName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname : sn
http://vmware.com/schemas/attr-names/2011/07/isSolution : subjectType
Flags:
Flags=0; [Default: recursively computing nested groups, no site affinity is enabled for AD over Ldap identity providers.]
Any ideas?
Maybe it's related to OpenLDAP. For Active Directory there doesn't seem to be any issue.
Looks like you were spot on with your first answer! The issue was more related to the UPN format bit however.
The below is what actually worked:
$ ssh apike@opsview.com@vcas01.opsview.com -p22
Thanks!!
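As an added example (not from the thread and not VMware's tooling), a small POSIX shell helper that summarises denied attempts in the applmgmt-audit format quoted in the first post and flags login names that carry no domain, since the thread was resolved by switching to the user@domain UPN form. The sample log lines are constructed after the excerpt above; the "bob" line and the bare/upn flag are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: summarise denied attempts in the
# applmgmt-audit format quoted above and flag logins that carry no domain.

# Constructed sample log, modelled on the thread's excerpt (the "bob" line
# is invented to show aggregation across more than one user).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2019-04-11T11:04:28.551610+01:00 info applmgmt-audit 2019-04-11T10:04:28.551: INFO Authentication request -- "user:"apike", action:"system.listMethods", result:"denied"
2019-04-11T11:04:28.562940+01:00 info applmgmt-audit 2019-04-11T10:04:28.562: INFO Authentication request -- "user:"apike", action:"system.listMethods", result:"denied"
2019-04-11T11:04:28.563227+01:00 info applmgmt-audit 2019-04-11T10:04:28.563: INFO AuthenticationResult = { authenticated=False, userid=False username=apike, role=GUEST, renew=True, auth_method=LOCAL }
2019-04-11T11:04:28.577576+01:00 info applmgmt-audit 2019-04-11T10:04:28.577: INFO Authentication request -- "user:"apike", action:"system.listMethods", result:"denied"
2019-04-11T11:04:28.588676+01:00 info applmgmt-audit 2019-04-11T10:04:28.588: INFO Authentication request -- "user:"apike", action:"system.listMethods", result:"denied"
2019-04-11T11:04:28.588967+01:00 info applmgmt-audit 2019-04-11T10:04:28.588: INFO AuthenticationResult = { authenticated=False, userid=False username=apike, role=GUEST, renew=True, auth_method=LOCAL }
2019-04-11T11:05:02.100000+01:00 info applmgmt-audit 2019-04-11T10:05:02.100: INFO Authentication request -- "user:"bob", action:"system.listMethods", result:"denied"
EOF

# denied_summary LOGFILE
# Prints one sorted line per user: <user> <denied requests> <auth_method or -> <bare|upn>
# "bare" means the login name had no @domain; in the thread that went with
# auth_method=LOCAL, i.e. the appliance did not try the SSO identity source.
denied_summary() {
  awk '
    /Authentication request/ && /result:"denied"/ {
      if (match($0, /user:"[^"]+"/)) {
        u = substr($0, RSTART + 6, RLENGTH - 7)   # strip user:" and the closing quote
        denied[u]++
      }
    }
    /AuthenticationResult/ && /authenticated=False/ {
      if (match($0, /username=[^,]+/))
        u = substr($0, RSTART + 9, RLENGTH - 9)   # strip username=
      if (match($0, /auth_method=[A-Z]+/))
        method[u] = substr($0, RSTART + 12, RLENGTH - 12)
    }
    END {
      for (u in denied)
        print u, denied[u], (u in method ? method[u] : "-"), (index(u, "@") ? "upn" : "bare")
    }
  ' "$1" | sort
}

denied_summary "$SAMPLE_LOG"
```

Run it against /var/log/vmware/applmgmt-audit.log (the path is an assumption) to see which accounts are being refused and whether they were presented without a domain.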