Authentication for SSH users by an LDAP server

Network requirements

As shown in Figure 17, an LDAP server is located at 10.1.1.1/24 and uses domain ldap.com.

Configure the switch to meet the following requirements:

  - Use the LDAP server to authenticate SSH users, and assign each authenticated user the default user role network-operator.
  - On the LDAP server, set the administrator password to admin!123456, add a user named aaa, and set the user's password to ldap!123456.

Figure 17: Network diagram

Configuration procedure

  1. Configure the LDAP server:

    # Add a user named aaa and set the password to ldap!123456.

    1. On the LDAP server, select Start > Control Panel > Administrative Tools.

    2. Double-click Active Directory Users and Computers.

      The Active Directory Users and Computers window is displayed.

    3. From the navigation tree, click Users under the ldap.com node.

    4. Select Action > New > User from the menu to display the dialog box for adding a user.

    5. Enter logon name aaa and click Next.

      Figure 18: Adding user aaa


NOTE:

In this example, the LDAP server runs Microsoft Windows 2003 Server Active Directory.


    6. In the dialog box, enter password ldap!123456, select options as needed, and click Next.

      Figure 19: Setting the user's password

    7. Click OK.

    # Add user aaa to group Users.

    1. From the navigation tree, click Users under the ldap.com node.

    2. In the right pane, right-click user aaa and select Properties.

    3. In the dialog box, click the Member Of tab and click Add.

      Figure 20: Modifying user properties

    4. In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK.

      User aaa is added to group Users.

      Figure 21: Adding user aaa to group Users

    # Set the administrator password to admin!123456.

    1. In the right pane, right-click user Administrator and select Set Password.

    2. In the dialog box, enter the administrator password. (Details not shown.)

  2. Configure the switch:

    # Configure IP addresses for interfaces. (Details not shown.)

    # Create local RSA and DSA key pairs.

    <Switch> system-view
    [Switch] public-key local create rsa
    [Switch] public-key local create dsa
    

    # Enable the SSH service.

    [Switch] ssh server enable
    

    # Enable scheme authentication for user lines VTY 0 through VTY 63.

    [Switch] line vty 0 63
    [Switch-line-vty0-63] authentication-mode scheme
    [Switch-line-vty0-63] quit
    

    # Enable the default user role feature to assign authenticated SSH users the default user role network-operator.

    [Switch] role default-role enable
    

    # Configure an LDAP server.

    [Switch] ldap server ldap1
    

    # Specify the IP address of the LDAP authentication server.

    [Switch-ldap-server-ldap1] ip 10.1.1.1
    

    # Specify the administrator DN.

    [Switch-ldap-server-ldap1] login-dn cn=administrator,cn=users,dc=ldap,dc=com
    

    # Specify the administrator password.

    [Switch-ldap-server-ldap1] login-password simple admin!123456
    

    # Configure the base DN for user search.

    [Switch-ldap-server-ldap1] search-base-dn dc=ldap,dc=com
    [Switch-ldap-server-ldap1] quit
    

    # Create an LDAP scheme.

    [Switch] ldap scheme ldap-shm1
    

    # Specify the LDAP authentication server.

    [Switch-ldap-ldap-shm1] authentication-server ldap1
    [Switch-ldap-ldap-shm1] quit
    

    # Create an ISP domain named bbb and configure authentication, authorization, and accounting methods for login users.

    [Switch] domain bbb
    [Switch-isp-bbb] authentication login ldap-scheme ldap-shm1
    [Switch-isp-bbb] authorization login none
    [Switch-isp-bbb] accounting login none
    [Switch-isp-bbb] quit
    

Verifying the configuration

# Initiate an SSH connection to the switch, and enter username aaa@bbb and password ldap!123456. The user logs in to the switch. (Details not shown.)

# Verify that the user can use the commands permitted by the network-operator user role. (Details not shown.)
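The LDAP exchange behind the verification step above, as an added example that is not code from the configuration guide or the switch: it BER-encodes the RFC 4511 simple BindRequest the switch sends with the login-dn and login-password configured above (and later with the DN of user aaa), plus the server's BindResponse, and decodes both. It assumes a plain, non-TLS simple bind, the default LDAP exchange on port 389, so the DN and password are visible in clear text on the path between the switch and 10.1.1.1; every function name is this example's own.

```python
# Added, constructed example (not from the configuration guide): BER-encodes the
# LDAP simple BindRequest the switch sends with the configured login-dn and the
# server's BindResponse, then decodes them to show both fields travel in clear text.

def ber_len(n):                      # short form below 128, else 0x80|count + bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v):                      # INTEGER, minimal two's-complement encoding
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def bind_request(msg_id, dn, password, version=3):
    # LDAPMessage { messageID, [APPLICATION 0] SEQUENCE {
    #   version INTEGER, name LDAPDN, authentication simple [0] OCTET STRING } }
    body = ber_int(version) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, body))

def bind_response(msg_id, result_code):
    # [APPLICATION 1] SEQUENCE { resultCode ENUMERATED, matchedDN, diagnosticMessage }
    body = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, b"")
    return tlv(0x30, ber_int(msg_id) + tlv(0x61, body))

def read_tlv(buf, pos):              # -> (tag, value, position after the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        count = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + ln], pos + ln

def parse_bind_request(pkt):
    _, msg, _ = read_tlv(pkt, 0)
    _, mid, p = read_tlv(msg, 0)
    tag, op, _ = read_tlv(msg, p)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, ver, p = read_tlv(op, 0)
    _, dn, p = read_tlv(op, p)
    auth_tag, auth, _ = read_tlv(op, p)
    return {"message_id": int.from_bytes(mid, "big", signed=True), "version": ver[0],
            "dn": dn.decode(), "password": auth.decode() if auth_tag == 0x80 else None}

def parse_bind_result(pkt):          # resultCode: 0 = success, 49 = invalidCredentials
    _, msg, _ = read_tlv(pkt, 0)
    _, op, _ = read_tlv(msg, read_tlv(msg, 0)[2])
    return read_tlv(op, 0)[1][0]
```

Feeding the output of bind_request for the administrator DN into parse_bind_request returns the DN and admin!123456 unchanged, which is what a capture on that segment would show.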