VMware Cloud Community
crazzyfool (Contributor)

OpenLDAP Bash Authentication

Hi,

Is it possible to authenticate shell access against LDAP?  I have configured so that I can log into vCenter using my LDAP credentials.  I have also enabled Shell/Bash and can SSH as the root user.  However I am unable to SSH as an LDAP user.  I see the below in the error log:

2019-04-11T11:04:28.551610+01:00 info applmgmt-audit  2019-04-11T10:04:28.551: INFO Authentication request -- "user:"apike", action:"system.listMethods", result:"denied"
2019-04-11T11:04:28.562940+01:00 info applmgmt-audit  2019-04-11T10:04:28.562: INFO Authentication request -- "user:"apike", action:"system.listMethods", result:"denied"
2019-04-11T11:04:28.563227+01:00 info applmgmt-audit  2019-04-11T10:04:28.563: INFO AuthenticationResult = { authenticated=False,  userid=False username=apike, role=GUEST, renew=True, auth_method=LOCAL }
2019-04-11T11:04:28.577576+01:00 info applmgmt-audit  2019-04-11T10:04:28.577: INFO Authentication request -- "user:"apike", action:"system.listMethods", result:"denied"
2019-04-11T11:04:28.588676+01:00 info applmgmt-audit  2019-04-11T10:04:28.588: INFO Authentication request -- "user:"apike", action:"system.listMethods", result:"denied"
2019-04-11T11:04:28.588967+01:00 info applmgmt-audit  2019-04-11T10:04:28.588: INFO AuthenticationResult = { authenticated=False,  userid=False username=apike, role=GUEST, renew=True, auth_method=LOCAL }

Can you please let me know if what I'm trying to do is possible?  And if so, how it can be done?

Thanks,

Andy

4 Replies
daphnissov (Immortal) - accepted solution

In your SSO Groups, add a user identity to the SystemConfiguration.BashShellAdministrators group. You should then be able to auth with that account in UPN format.

crazzyfool (Contributor)

Hi,

Thanks for your reply.  I did already have that entry in there:

[screenshot: Selection_045.png]

I've installed the CLI tools:

VMware Knowledge Base

And this is my configuration:

root@vcas01 [ ~ ]# sso-config.sh -get_identity_sources
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/opt/vmware/lib64/slf4j-log4j12-1.7.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/opt/vmware/lib64/log4j-slf4j-impl-2.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
Total number of identitysources retrieved for tenant:vsphere.local : 3
(If the value is undefined against a param, then you might notice "UndefinedConfig" against it.)
********** IDENTITY SOURCE INFORMATION **********
IdentitySourceName        :  vsphere.local
DomainType                :  SYSTEM_DOMAIN
********** IDENTITY SOURCE INFORMATION **********
IdentitySourceName        :  localos
DomainType                :  LOCAL_OS_DOMAIN
********** IDENTITY SOURCE INFORMATION **********
IdentitySourceName        :  opsview.com
DomainType                :  EXTERNAL_DOMAIN
Identity Settings:
  alias                   :  OPSVIEW
  authenticationType      :  PASSWORD
  userBaseDN              :  dc=opsera,dc=com
  groupBaseDN             :  ou=Group,dc=opsera,dc=com
  username                :  cn=nss,ou=Services,dc=opsera,dc=com
  providerType            :  IDENTITY_STORE_TYPE_LDAP
  servicePrincipalName    :  placeholder
  useMachineAccount       :  false
  FriendlyName            :  OpenLDAP
  SearchTimeoutInSeconds  :  0
Connection Settings:
URLs:
    0:  ldap://ldap1.opsview.com
    1:  ldap://slicehost.opsview.com
Certificates:
Attributes:
  http://schemas.xmlsoap.org/claims/UPN                           :  userPrincipalName
  http://rsa.com/schemas/attr-names/2009/01/GroupIdentity         :  memberof
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname :  givenName
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname   :  sn
  http://vmware.com/schemas/attr-names/2011/07/isSolution         :  subjectType
Flags:
  Flags=0; [Default: recursively computing nested groups, no site affinity is enabled for AD over Ldap identity providers.]

Any ideas?

daphnissov (Immortal)

Maybe it's related to OpenLDAP. For Active Directory there doesn't seem to be any issue.

crazzyfool (Contributor)

Looks like you were spot on with your first answer!  The issue was more related to the UPN format bit however.

The below is what actually worked:

$ ssh apike@opsview.com@vcas01.opsview.com -p22

Thanks!!

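As an added example, not code from the thread or from VMware: a small Python parser for the applmgmt-audit lines quoted in the question. It counts denied authentication requests per user and flags failed results where auth_method=LOCAL and the username carries no domain suffix, which is the pattern in the log before the login was retried in UPN (user@domain) form. The sample lines are constructed copies of the entries in the first post.

```python
import re
from collections import Counter

# Constructed sample: copies of the applmgmt-audit entries quoted in the question.
SAMPLE_LOG = """\
2019-04-11T11:04:28.551610+01:00 info applmgmt-audit  2019-04-11T10:04:28.551: INFO Authentication request -- "user:"apike", action:"system.listMethods", result:"denied"
2019-04-11T11:04:28.563227+01:00 info applmgmt-audit  2019-04-11T10:04:28.563: INFO AuthenticationResult = { authenticated=False,  userid=False username=apike, role=GUEST, renew=True, auth_method=LOCAL }
2019-04-11T11:04:28.577576+01:00 info applmgmt-audit  2019-04-11T10:04:28.577: INFO Authentication request -- "user:"apike", action:"system.listMethods", result:"denied"
2019-04-11T11:04:28.588967+01:00 info applmgmt-audit  2019-04-11T10:04:28.588: INFO AuthenticationResult = { authenticated=False,  userid=False username=apike, role=GUEST, renew=True, auth_method=LOCAL }
"""

# "Authentication request" lines carry user, action and result in quoted fields.
REQUEST_RE = re.compile(
    r'Authentication request -- "user:"(?P<user>[^"]*)", '
    r'action:"(?P<action>[^"]*)", result:"(?P<result>[^"]*)"')
# "AuthenticationResult" lines carry a brace-delimited key=value list.
RESULT_RE = re.compile(r'AuthenticationResult = \{(?P<body>.*)\}')
KV_RE = re.compile(r'(\w+)=([^,\s]+)')


def parse_line(line):
    """Return a dict for a request or result entry, or None for other lines."""
    m = REQUEST_RE.search(line)
    if m:
        return {"kind": "request", **m.groupdict()}
    m = RESULT_RE.search(line)
    if m:
        return {"kind": "result", **dict(KV_RE.findall(m.group("body")))}
    return None


def analyse(log_text):
    """Count denied requests per user and flag local-method failures without a domain."""
    denied = Counter()
    local_without_domain = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "request" and rec["result"] == "denied":
            denied[rec["user"]] += 1
        elif rec["kind"] == "result" and rec.get("authenticated") == "False":
            user = rec.get("username", "")
            # Failed via the LOCAL method with a bare username: the account was
            # not routed to an external identity source (no user@domain given).
            if rec.get("auth_method") == "LOCAL" and "@" not in user:
                local_without_domain.add(user)
    return {"denied": dict(denied),
            "local_failures_without_domain": sorted(local_without_domain)}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```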