Example: Configuring authentication for SSH users by an LDAP server

Network configuration

As shown in Figure 16, the LDAP server uses the domain ldap.com and runs Active Directory on Microsoft Windows Server 2003.

Configure the switch to meet the following requirements:

On the LDAP server, set the administrator password to admin!123456, add a user named aaa, and set the user's password to ldap!123456.

Figure 16: Network diagram

Configuring the LDAP server

  1. Add a user named aaa and set the password to ldap!123456:

    1. On the LDAP server, select Start > Control Panel > Administrative Tools.

    2. Double-click Active Directory Users and Computers.

      The Active Directory Users and Computers window is displayed.

    3. From the navigation tree, click Users under the ldap.com node.

    4. Select Action > New > User from the menu to display the dialog box for adding a user.

    5. Enter logon name aaa and click Next.

      Figure 17: Adding user aaa

    6. In the dialog box, enter password ldap!123456, select options as needed, and click Next.

      Figure 18: Setting the user's password

    7. Click OK.

  2. Add user aaa to group Users:

    1. From the navigation tree, click Users under the ldap.com node.

    2. In the right pane, right-click user aaa and select Properties.

    3. In the dialog box, click the Member Of tab and click Add.

      Figure 19: Modifying user properties

    4. In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK.

      User aaa is added to group Users.

      Figure 20: Adding user aaa to group Users

  3. Set the administrator password:

    1. In the right pane, right-click user Administrator and select Set Password.

    2. In the dialog box, enter the administrator password. (Details not shown.)

Configuring the switch

# Configure IP addresses for interfaces. (Details not shown.)

# Create local RSA and DSA key pairs.

<Switch> system-view
[Switch] public-key local create rsa
[Switch] public-key local create dsa

# Enable the SSH service.

[Switch] ssh server enable

# Enable scheme authentication for user lines VTY 0 through VTY 63.

[Switch] line vty 0 63
[Switch-line-vty0-63] authentication-mode scheme
[Switch-line-vty0-63] quit

# Configure an LDAP server.

[Switch] ldap server ldap1

# Specify the IP address of the LDAP authentication server.

[Switch-ldap-server-ldap1] ip 10.1.1.1

# Specify the administrator DN.

[Switch-ldap-server-ldap1] login-dn cn=administrator,cn=users,dc=ldap,dc=com

# Specify the administrator password.

[Switch-ldap-server-ldap1] login-password simple admin!123456

# Configure the base DN for user search.

[Switch-ldap-server-ldap1] search-base-dn dc=ldap,dc=com
[Switch-ldap-server-ldap1] quit

# Create an LDAP scheme.

[Switch] ldap scheme ldap-shm1

# Specify the LDAP authentication server.

[Switch-ldap-ldap-shm1] authentication-server ldap1
[Switch-ldap-ldap-shm1] quit

# Create an ISP domain named bbb and configure authentication, authorization, and accounting methods for login users.

[Switch] domain bbb
[Switch-isp-bbb] authentication login ldap-scheme ldap-shm1
[Switch-isp-bbb] authorization login none
[Switch-isp-bbb] accounting login none
[Switch-isp-bbb] quit

Verifying the configuration

# Initiate an SSH connection to the switch, and enter username aaa@bbb and password ldap!123456. The user logs in to the switch. (Details not shown.)

# Verify that the user can use the commands permitted by the level-0 user role. (Details not shown.)
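The three-step exchange the switch performs with ldap1 for login aaa@bbb (administrator bind, search under the base DN, then bind as the user's own DN), as an added Python model that is not part of this guide. FakeLdapServer, SWITCH_CFG and the directory contents are constructed stand-ins, and the empty-password check reflects RFC 4513 (an empty-password bind succeeds as anonymous) rather than anything stated on this page.

```python
# Constructed stand-in for the ldap.com Active Directory at 10.1.1.1 (no real LDAP I/O).
DIRECTORY = {  # DN (lower-case) -> attributes; passwords are the page's sample values
    "cn=administrator,cn=users,dc=ldap,dc=com": {"cn": "administrator", "password": "admin!123456"},
    "cn=aaa,cn=users,dc=ldap,dc=com": {"cn": "aaa", "password": "ldap!123456"},
}

# Settings copied from the "ldap server ldap1" block of the switch configuration.
SWITCH_CFG = {
    "login_dn": "cn=administrator,cn=users,dc=ldap,dc=com",
    "login_password": "admin!123456",
    "search_base_dn": "dc=ldap,dc=com",
}

class FakeLdapServer:
    def simple_bind(self, dn, password):
        # RFC 4513 s5.1.2: a bind with a DN but an empty password is an
        # "unauthenticated" bind that succeeds as anonymous, not as the user.
        if password == "":
            return "anonymous"
        entry = DIRECTORY.get(dn.lower())
        if entry is not None and entry["password"] == password:
            return "authenticated"
        return "invalidCredentials"

    def search(self, base_dn, attr, value):
        # Subtree search under base_dn for entries whose attr equals value
        base = base_dn.lower()
        return [dn for dn, e in DIRECTORY.items()
                if dn.endswith(base) and e.get(attr) == value]

def split_user(login):
    # "aaa@bbb" -> ("aaa", "bbb"); the @bbb suffix selects ISP domain bbb
    name, _, domain = login.partition("@")
    return name, domain

def ldap_authenticate(server, cfg, login, password):
    username, _domain = split_user(login)
    if not password:            # never let an empty password reach step 3
        return False
    # Step 1: bind with login-dn / login-password to gain search rights
    if server.simple_bind(cfg["login_dn"], cfg["login_password"]) != "authenticated":
        return False
    # Step 2: locate the user's DN below search-base-dn (cn as the name attribute)
    dns = server.search(cfg["search_base_dn"], "cn", username)
    if len(dns) != 1:           # missing or ambiguous user is a failure
        return False
    # Step 3: bind as the user's own DN with the password typed at the SSH prompt
    return server.simple_bind(dns[0], password) == "authenticated"
```

A wrong login-password on the switch fails at step 1 before the user is ever looked up, which is the symptom to check first when every SSH login is rejected.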