François Darveau asked:

NX-OS LDAP authorization role assignation

Hi, I need to configure LDAP on a Nexus 9300; all users who log in need to be network-admin. I can authenticate, but I struggle with the authorization part.

I thought of two ways of doing it:


1- Add members to an Active Directory group and use an ldap-search-map to allow those users to log in:

SEARCH MAP  map10:
    User Profile :
        BaseDN: MY_OU,DC=TEST,DC=DC,DC=NET
        Attribute Name: memberOf
        Search Filter: (&(name=$userid)(memberOf=CN=My_Group,DC=TEST,DC=DC,DC=NET))

With map10, only the users in My_Group can log in. They get the default role, network-operator, and I did not find a way to change the default role.


2- Add the role in an Active Directory attribute, Extensionattribute10, in combination with the AD group (shell:roles=network-admin):

SEARCH MAP  map11:
    User Profile :
        BaseDN: MY_OU,DC=TEST,DC=DC,DC=NET
        Attribute Name: Extensionattribute10
        Search Filter: (&(name=$userid)(memberOf=CN=My_Group,DC=TEST,DC=DC,DC=NET))

map11 is not working.


How can I control who is able to connect and assign the role network-admin?

Tags: Cisco Nexus, Active Directory, Cisco

Craig Beck replied:

Using the memberOf attribute won't work. You need to map a shell-profile to the user using the description attribute, or some other free-text attribute.

Have a look at this great writeup showing how to do it...
http://ccierants.blogspot.com/2013/07/ccie-dc-sort-of-ldap-authentication-to.html
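
The two mechanisms discussed in this thread, the group-membership filter in the question's search maps and the free-text shell-profile attribute in the answer above, can be modelled with a few lines of Python. The block below is an added example written for this page; it is not code from the question, the answer, the linked write-up or Cisco's NX-OS. It assumes, following the answer, that the shell profile lives in the `description` attribute, and it accepts both the unquoted `shell:roles=network-admin` form in the question and a quoted, space-separated form `shell:roles="network-admin network-operator"`. The directory entries are constructed sample data. The point it makes from the defender's side is twofold: a login name substituted into a filter such as `(&(name=$userid)(memberOf=...))` must be escaped per RFC 4515 before it reaches the directory, and a role pulled out of a free-text attribute must be checked against an explicit allowlist so that a mistyped or unexpected value falls back to the default role the question reports, network-operator, rather than granting something else.

```python
"""Model of NX-OS-style LDAP login gating and shell-profile role mapping.

Added example for this thread (not the question's, answer's or Cisco's code).
Assumptions: the shell profile is stored in the `description` attribute, as the
answer suggests; group DNs are compared case-insensitively (real DN matching is
more nuanced about whitespace and attribute ordering).
"""
import re
from typing import Any, Dict, List, Optional

GROUP_DN = "CN=My_Group,DC=TEST,DC=DC,DC=NET"   # group DN from the question
ALLOWED_ROLES = frozenset({"network-admin", "network-operator"})
DEFAULT_ROLE = "network-operator"               # default role reported in the question

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot change the structure of an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(userid: str, group_dn: str = GROUP_DN) -> str:
    """Build the question's filter shape with the user id safely escaped."""
    return f"(&(name={escape_filter_value(userid)})(memberOf={escape_filter_value(group_dn)}))"


# Accepts shell:roles=network-admin and shell:roles="role-a role-b".
_SHELL_ROLES_RE = re.compile(r'^shell:roles="?([^"]*?)"?$')


def parse_shell_roles(value: str) -> List[str]:
    """Extract role names from a shell-profile attribute value; [] if none present."""
    m = _SHELL_ROLES_RE.match(value.strip())
    return m.group(1).split() if m else []


def resolve_roles(entry: Dict[str, Any], attribute_name: str) -> List[str]:
    """Keep only allowlisted roles; fall back to the default role otherwise."""
    roles = parse_shell_roles(entry.get(attribute_name, ""))
    allowed = [r for r in roles if r in ALLOWED_ROLES]
    return allowed or [DEFAULT_ROLE]


def is_member(entry: Dict[str, Any], group_dn: str = GROUP_DN) -> bool:
    """True when the entry's memberOf values include the gating group."""
    return group_dn.lower() in (dn.lower() for dn in entry.get("memberOf", []))


def authorize(directory: Dict[str, Dict[str, Any]], userid: str,
              attribute_name: str = "description") -> Optional[List[str]]:
    """Group membership decides whether login is allowed at all (as map10 does);
    the shell-profile attribute then decides the roles. None means login refused."""
    entry = directory.get(userid)
    if entry is None or not is_member(entry):
        return None
    return resolve_roles(entry, attribute_name)


# Constructed sample entries (not real AD data), keyed by the login name.
SAMPLE_DIRECTORY: Dict[str, Dict[str, Any]] = {
    "jdoe": {"memberOf": [GROUP_DN], "description": 'shell:roles="network-admin"'},
    "asmith": {"memberOf": [GROUP_DN], "description": "Helpdesk, building 2"},
    "bogus": {"memberOf": [GROUP_DN], "description": 'shell:roles="made-up-role"'},
    "outsider": {"memberOf": ["CN=Other,DC=TEST,DC=DC,DC=NET"],
                 "description": 'shell:roles="network-admin"'},
}

if __name__ == "__main__":
    print(build_search_filter("jdoe"))
    for user in SAMPLE_DIRECTORY:
        print(f"{user}: {authorize(SAMPLE_DIRECTORY, user)}")
```

Running it prints the escaped filter and then one line per sample user: `jdoe` receives `network-admin`, `asmith` (no shell profile) and `bogus` (unknown role) both fall back to `network-operator`, and `outsider` is refused because the group check fails before any role is looked at. The same allowlist logic is what you would want in any tool that writes `shell:roles` values into AD: only an explicit, reviewed set of role names should ever reach the attribute.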

ASKER CERTIFIED SOLUTION
François Darveau