Authentication for SSH users by an LDAP server
Network requirements
As shown in Figure 15, an LDAP server is located at 10.1.1.1/24 and uses the domain name ldap.com.
Configure the switch to meet the following requirements:
Use the LDAP server to authenticate SSH users.
Assign the default user role network-operator to SSH users after they pass authentication.
On the LDAP server, set the administrator password to admin!123456, add user aaa, and set the user password to ldap!123456.
Figure 15: Network diagram
Configuration procedure
Configure the LDAP server:
NOTE:
This example assumes that the LDAP server runs Microsoft Windows 2003 Server Active Directory.
# Add a user named aaa and set the password to ldap!123456.
On the LDAP server, select Start > Control Panel > Administrative Tools.
Double-click Active Directory Users and Computers.
The Active Directory Users and Computers window is displayed.
From the navigation tree, click Users under the ldap.com node.
Select Action > New > User from the menu to display the dialog box for adding a user.
Enter the logon name aaa and click Next.
Figure 16: Adding user aaa
In the dialog box, enter the password ldap!123456, select options as needed, and click Next.
Figure 17: Setting the user password
Click OK.
# Add user aaa to group Users.
From the navigation tree, click Users under the ldap.com node.
In the right pane, right-click the user aaa and select Properties.
In the dialog box, click the Member Of tab and click Add.
Figure 18: Modifying user properties
In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK.
User aaa is added to group Users.
Figure 19: Adding user aaa to group Users
# Set the administrator password to admin!123456.
In the right pane, right-click the user Administrator and select Set Password.
In the dialog box, enter the administrator password. (Details not shown.)
Configure the switch:
# Configure the IP address of VLAN-interface 2, through which the SSH user accesses the switch.
<Switch> system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 24
[Switch-Vlan-interface2] quit
# Configure the IP address of VLAN-interface 3, through which the switch communicates with the server.
[Switch] interface vlan-interface 3
[Switch-Vlan-interface3] ip address 10.1.1.2 24
[Switch-Vlan-interface3] quit
# Create local RSA and DSA key pairs.
[Switch] public-key local create rsa
[Switch] public-key local create dsa
# Enable the SSH service.
[Switch] ssh server enable
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Switch] line vty 0 63
[Switch-line-vty0-63] authentication-mode scheme
[Switch-line-vty0-63] quit
# Enable the default user role feature to assign authenticated SSH users the default user role network-operator.
[Switch] role default-role enable
# Configure an LDAP server.
[Switch] ldap server ldap1
# Specify the IP address of the LDAP authentication server.
[Switch-ldap-server-ldap1] ip 10.1.1.1
# Specify the administrator DN.
[Switch-ldap-server-ldap1] login-dn cn=administrator,cn=users,dc=ldap,dc=com
# Specify the administrator password.
[Switch-ldap-server-ldap1] login-password simple admin!123456
# Configure the base DN for user search.
[Switch-ldap-server-ldap1] search-base-dn dc=ldap,dc=com
[Switch-ldap-server-ldap1] quit
# Create an LDAP scheme.
[Switch] ldap scheme ldap-shm1
# Specify the LDAP authentication server.
[Switch-ldap-ldap-shm1] authentication-server ldap1
[Switch-ldap-ldap-shm1] quit
# Create ISP domain bbb and configure authentication, authorization, and accounting methods for login users.
[Switch] domain bbb
[Switch-isp-bbb] authentication login ldap-scheme ldap-shm1
[Switch-isp-bbb] authorization login none
[Switch-isp-bbb] accounting login none
[Switch-isp-bbb] quit
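The authentication flow these commands set up, as an added example that is not part of the original page: the switch binds with login-dn and login-password, searches search-base-dn for the user part of aaa@bbb, then binds as the user's DN with the supplied password. The in-memory directory, the user DN cn=aaa,cn=users,dc=ldap,dc=com and the sAMAccountName login attribute are assumptions made for the example.

```python
# Added example (not from the page): models the LDAP bind-search-bind flow the switch
# performs for an SSH login of aaa@bbb. The directory is a constructed in-memory stand-in.
from dataclasses import dataclass, field

@dataclass
class LdapServerConfig:      # mirrors the "ldap server ldap1" view on the switch
    login_dn: str = "cn=administrator,cn=users,dc=ldap,dc=com"
    login_password: str = "admin!123456"
    search_base_dn: str = "dc=ldap,dc=com"
    user_attr: str = "sAMAccountName"   # assumed AD logon-name attribute

@dataclass
class FakeDirectory:         # constructed stand-in for the AD server at 10.1.1.1
    passwords: dict = field(default_factory=dict)   # dn -> password
    attrs: dict = field(default_factory=dict)       # dn -> {attribute: value}
    def simple_bind(self, dn, password):
        return self.passwords.get(dn) == password
    def search(self, base_dn, attr, value):
        return [dn for dn, a in self.attrs.items()
                if dn.lower().endswith(base_dn.lower()) and a.get(attr) == value]

DIRECTORY = FakeDirectory(
    passwords={"cn=administrator,cn=users,dc=ldap,dc=com": "admin!123456",
               "cn=aaa,cn=users,dc=ldap,dc=com": "ldap!123456"},   # user DN is assumed
    attrs={"cn=aaa,cn=users,dc=ldap,dc=com": {"sAMAccountName": "aaa"}})

def authenticate_login(directory, login, password, isp_domain="bbb",
                       cfg=LdapServerConfig(), default_role="network-operator"):
    """Return (ok, reason, role) the way the switch decides an SSH login against ldap1."""
    user, _, domain = login.partition("@")
    if domain != isp_domain:                      # only ISP domain bbb uses ldap-shm1 here
        return False, "unknown-domain", None
    # Step 1: administrator bind; a wrong login-password fails every user, not just one.
    if not directory.simple_bind(cfg.login_dn, cfg.login_password):
        return False, "admin-bind-failed", None
    # Step 2: locate the user's DN under search-base-dn; exactly one entry must match.
    matches = directory.search(cfg.search_base_dn, cfg.user_attr, user)
    if len(matches) != 1:
        return False, ("user-not-found" if not matches else "ambiguous-user"), None
    # Step 3: bind as the user's DN; this is the real password check.
    if not directory.simple_bind(matches[0], password):
        return False, "bad-password", None
    return True, "ok", default_role   # "role default-role enable" -> network-operator
```

The reason strings let you see which of the three stages failed, which is the first thing to check when a login that looks correct on the switch is rejected.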
Verifying the configuration
# Initiate an SSH connection to the switch, and enter the username aaa@bbb and password ldap!123456. The user logs in to the switch. (Details not shown.)
# Verify that the user can use the commands permitted by the network-operator user role. (Details not shown.)