Authentication for SSH users by an LDAP server

Network requirements

As shown in Figure 16, an LDAP server is located at 10.1.1.1/24 and uses domain ldap.com.

Configure the router to meet the following requirements:

On the LDAP server, set the administrator password to admin!123456, add a user named aaa, and set the user's password to ldap!123456.

Figure 16: Network diagram

Configuration procedure

  1. Configure the LDAP server:

    NOTE:

    In this example, the LDAP server runs Microsoft Windows 2003 Server Active Directory.

    # Add a user named aaa and set the password to ldap!123456.

    1. On the LDAP server, select Start > Control Panel > Administrative Tools.

    2. Double-click Active Directory Users and Computers.

      The Active Directory Users and Computers window is displayed.

    3. From the navigation tree, click Users under the ldap.com node.

    4. Select Action > New > User from the menu to display the dialog box for adding a user.

    5. Enter logon name aaa and click Next.

      Figure 17: Adding user aaa

    6. In the dialog box, enter password ldap!123456, select options as needed, and click Next.

      Figure 18: Setting the user's password

    7. Click OK.

    # Add user aaa to group Users.

    1. From the navigation tree, click Users under the ldap.com node.

    2. In the right pane, right-click user aaa and select Properties.

    3. In the dialog box, click the Member Of tab and click Add.

      Figure 19: Modifying user properties

    4. In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK.

      User aaa is added to group Users.

      Figure 20: Adding user aaa to group Users

    # Set the administrator password to admin!123456.

    1. In the right pane, right-click user Administrator and select Set Password.

    2. In the dialog box, enter the administrator password. (Details not shown.)

  2. Configure the router:

    # Configure the IP address of interface GigabitEthernet 1/0/1, through which the SSH user accesses the router.

    <Router> system-view
    [Router] interface gigabitethernet 1/0/1
    [Router-GigabitEthernet1/0/1] ip address 192.168.1.20 24
    [Router-GigabitEthernet1/0/1] quit
    

    # Configure the IP address of interface GigabitEthernet 1/0/2, through which the router communicates with the server.

    [Router] interface gigabitethernet 1/0/2
    [Router-GigabitEthernet1/0/2] ip address 10.1.1.2 255.255.255.0
    [Router-GigabitEthernet1/0/2] quit
    

    # Create local DSA and RSA key pairs.

    [Router] public-key local create dsa
    [Router] public-key local create rsa
    

    # Enable the SSH service.

    [Router] ssh server enable
    

    # Enable scheme authentication for user lines VTY 0 through VTY 63.

    [Router] line vty 0 63
    [Router-line-vty0-63] authentication-mode scheme
    [Router-line-vty0-63] quit
    

    # Enable the default user role feature to assign authenticated SSH users the default user role network-operator.

    [Router] role default-role enable
    

    # Configure an LDAP server.

    [Router] ldap server ldap1
    

    # Specify the IP address of the LDAP authentication server.

    [Router-ldap-server-ldap1] ip 10.1.1.1
    

    # Specify the administrator DN.

    [Router-ldap-server-ldap1] login-dn cn=administrator,cn=users,dc=ldap,dc=com
    

    # Specify the administrator password.

    [Router-ldap-server-ldap1] login-password simple admin!123456
    

    # Configure the base DN for user search.

    [Router-ldap-server-ldap1] search-base-dn dc=ldap,dc=com
    [Router-ldap-server-ldap1] quit
    

    # Create an LDAP scheme.

    [Router] ldap scheme ldap1-shml
    

    # Specify the LDAP authentication server.

    [Router-ldap-ldap1-shml] authentication-server ldap1
    [Router-ldap-ldap1-shml] quit
    

    # Create an ISP domain named bbb and configure the authentication, authorization, and accounting methods for login users.

    [Router] domain bbb
    [Router-isp-bbb] authentication login ldap-scheme ldap1-shml
    [Router-isp-bbb] authorization login none
    [Router-isp-bbb] accounting login none
    [Router-isp-bbb] quit
    

Verifying the configuration

# Initiate an SSH connection to the router, and enter username aaa@bbb and password ldap!123456. The user logs in to the router. (Details not shown.)

# Verify that the user can use the commands permitted by the network-operator user role. (Details not shown.)
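What the router does with login-dn, login-password and search-base-dn when aaa@bbb logs in, as an added example in Python (not part of the original configuration guide): bind as the administrator account, search the base DN for the user, then bind as that user. The in-memory directory, the sAMAccountName attribute and the third entry under dc=other,dc=com are constructed assumptions, not values from the page.

```python
"""Offline model of the LDAP login flow the router runs for SSH user aaa@bbb.
Added example, not Comware or Windows code; DIRECTORY is a constructed
in-memory stand-in for the ldap.com directory. No LDAP traffic is sent."""
from dataclasses import dataclass

# Constructed directory: lowercase DN -> (attributes, password).
DIRECTORY = {
    "cn=administrator,cn=users,dc=ldap,dc=com":
        ({"sAMAccountName": "administrator"}, "admin!123456"),
    "cn=aaa,cn=users,dc=ldap,dc=com":
        ({"sAMAccountName": "aaa"}, "ldap!123456"),
    # Same account name in an unrelated tree, to show search-base-dn scoping.
    "cn=aaa,cn=users,dc=other,dc=com":
        ({"sAMAccountName": "aaa"}, "not-the-same"),
}

@dataclass(frozen=True)
class LdapServer:
    """Parameters configured under 'ldap server ldap1' on the router."""
    login_dn: str        # login-dn: account the router binds with first
    login_password: str  # login-password: that account's password
    search_base_dn: str  # search-base-dn: subtree searched for the user
    user_attr: str = "sAMAccountName"  # assumed user-name attribute (AD default)

def bind(dn, password):
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn.lower())
    return entry is not None and entry[1] == password

def search(base_dn, attr, value):
    """Subtree search under base_dn for entries whose attr equals value."""
    base = base_dn.lower()
    return [dn for dn, (attrs, _) in DIRECTORY.items()
            if (dn == base or dn.endswith("," + base)) and attrs.get(attr) == value]

def authenticate(server, login, password):
    """Admin bind, search for the user's DN, then bind as that user.
    Returns (role, user_dn) on success or (None, reason) on failure."""
    user, _, _domain = login.partition("@")  # 'aaa@bbb': bbb selects the ISP domain
    if not bind(server.login_dn, server.login_password):
        return None, "administrator bind failed: check login-dn/login-password"
    matches = search(server.search_base_dn, server.user_attr, user)
    if len(matches) != 1:
        return None, f"user lookup returned {len(matches)} entries"
    if not bind(matches[0], password):
        return None, "user bind failed: wrong password"
    return "network-operator", matches[0]  # role from 'role default-role enable'

LDAP1 = LdapServer("cn=administrator,cn=users,dc=ldap,dc=com", "admin!123456",
                   "dc=ldap,dc=com")  # as configured under 'ldap server ldap1'
```

A wrong login-password, or a base DN that is too narrow or too wide, fails every SSH login at the first or second step before any user password is checked, so those two settings are the first thing to verify when LDAP logins fail.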