Authentication using centralised authentication mechanisms like LDAP server

I’m new to NCS and ConfD. Please help me to understand how to set up an authentication server, e.g. an LDAP server, for NCS instead of the default user credentials.

In the NCS dev guide it’s mentioned that “All NCS operations pass through a centralized AAA engine. Authentication can be connected to centralized authentication mechanisms via PAM.”

Need suggestions on where to start to achieve this.
Thanks in advance.

You will soon be able to post NCS questions at Cisco DevNet. For information on setting up External authentication on the NCS, you can refer to the AAA infrastructure Chapter of the NCS Administration Guide under the External authentication subsection of the Authentication section. Following is an answer for setting up external authentication when using ConfD.

In order to configure ConfD for external authentication such as via a remote LDAP server, you will need to configure the AAA portion of confd.conf and provide an external authentication program or shell script to interface with ConfD.

Following is the relevant portion of confd.conf for setting up external authentication:

  <aaa>
    <sshServerKeyDir>./ssh-keydir</sshServerKeyDir>
    <authOrder>externalAuthentication</authOrder>
    <externalAuthentication>
        <enabled>true</enabled>
        <executable>./auth.sh</executable>
        <includeExtra>false</includeExtra>
    </externalAuthentication>
  </aaa>

in which auth.sh is the external authentication shell script. You can also use an executable instead of a shell script.

When connecting to ConfD’s NETCONF server, such as using netconf-console, ConfD will send the following string to stdin of your external authentication program:

[user;password;]\n

Upon successful authentication, your external authentication program should pass the following string to stdout and then exit:

accept $groups $uid $gid $supplementary_gids $HOME\n

where

• $groups is a space separated list of the group names the user is a member of.
• $uid is the UNIX integer user id NCS should use as default when executing commands for this user.
• $gid is the UNIX integer group id NCS should use as default when executing commands for this user.
• $supplementary_gids is a (possibly empty) space separated list of additional UNIX group ids the user is also a member of.
• $HOME is the directory which should be used as HOME for this user when NCS executes commands on behalf of this user.

Following is a simple version of a shell script that deals with hardcoded user credentials:

$ cat auth.sh
#!/bin/sh
read LINE                          # ConfD writes "[user;password;]" on stdin
echo "${LINE}" > auth-input.txt    # debugging only: this file contains the password
# Hardcoded reply: accept $groups $uid $gid $supplementary_gids $HOME (sample values)
echo "accept admin 1000 1000 /home/admin"

You can refer to Chapter 14.4.4, External authentication, of the ConfD 5.4 User Guide for more information.
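A fuller external authentication program in the same spirit, written in Python instead of shell, as an added example that is not from this thread or from the ConfD distribution. It parses the `[user;password;]` line ConfD writes to stdin and answers with the `accept` line described above; the user table is a constructed in-memory stand-in for the LDAP bind you would really perform, the uid/gid/HOME values are sample data, and `reject` is the rejection reply ConfD documents, which the thread itself does not show.

```python
#!/usr/bin/env python3
"""External authentication program for ConfD (added example, not from the thread).

ConfD writes "[user;password;]\n" to stdin; we answer on stdout with
"accept <groups> <uid> <gid> <supplementary_gids> <HOME>" or "reject".
"""
import hmac
import re
import sys

# Constructed stand-in for the directory (replace with a real LDAP bind):
# user -> (password, groups, uid, gid, supplementary gids, HOME)
FAKE_DIRECTORY = {
    "admin": ("admin-pw", ["admin"], 1000, 1000, [], "/home/admin"),
    "oper": ("oper-pw", ["oper"], 1001, 1001, [27, 100], "/home/oper"),
}

# The password may itself contain ';', so split at the first ';' only and
# require the trailing ";]" that ConfD always appends.
_LINE_RE = re.compile(r"^\[([^;]*);(.*);\]$")


def parse_auth_line(line):
    """Return (user, password) from the stdin line, or None if it is malformed."""
    m = _LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return m.group(1), m.group(2)


def build_reply(user, password, directory=FAKE_DIRECTORY):
    """Return the single reply line ConfD expects; never echo the password."""
    entry = directory.get(user)
    if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
        return "reject"
    _, groups, uid, gid, extra_gids, home = entry
    # An empty supplementary-gid list is simply omitted from the reply.
    parts = ["accept", " ".join(groups), str(uid), str(gid),
             " ".join(str(g) for g in extra_gids), home]
    return " ".join(p for p in parts if p)


def main():
    parsed = parse_auth_line(sys.stdin.readline())
    sys.stdout.write(("reject" if parsed is None else build_reply(*parsed)) + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```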

Hi Waitai,
Thanks for your response. I have modified ncs.conf and enabled externalAuthentication with executable sh file. And updated /etc/ldap/ldap.conf to add ldap BASE and URI. But still not able to login. This is what I see in NCS log:
“External auth program ret bad output: ./mytestauth.sh: 4: ./mytestauth.sh: accept /root\n: not found”.

Am I missing anything here? Please suggest.
Thanks in advance.

Hi Raghuram,

This is a User Community for ConfD questions only. Please redirect your NCS question to your previous channel of support for NCS questions.

Regards,

Wai