
1 Rookie • 5 Posts


August 27th, 2024 10:39

Configure LDAP groups associate with User Roles on Switch Dell S5248F-ON - SONiC Distribution v4.2.2

Hi Team,

We have a Dell EMC S5248F-ON switch running SONiC Distribution v4.2.2 Enterprise.

This switch is planned to manage user access via LDAP:

- group name "network-admins" for user role admin

- group name "network-view" for user role operation

In fact, the switch connected to the LDAP server successfully, and we can use LDAP users to access the switch.

However, we couldn't find any document about configuring LDAP groups associated with the User Roles of the switch.

Can anyone help me with this case?

Moderator • 4.5K Posts

August 27th, 2024 15:27

Hello,

 

I found a potential solution that you can try.

Manual Configuration Method

To configure LDAP groups associated with User Roles on SONiC Distribution v4.2.2, you can try the following manual configuration method:

1. Log in to the switch using a command-line interface (CLI) and navigate to the "system" context:

   System

2. Set the LDAP server details:

   ldap-server <ldap-server-ip> <ldap-server-port>

Replace <ldap-server-ip> with the IP address of your LDAP server and <ldap-server-port> with the port number (usually 389 for LDAP or 636 for LDAPS).

3. Set the LDAP authentication mechanism:

   ldap-auth-mechanism simple

This sets the authentication mechanism to "simple", which is the default.

4. Create a new role or edit an existing role to include the LDAP group:

   role <role-name> ldap-group <ldap-group-name>

Replace <role-name> with the name of the role you want to create or edit, and <ldap-group-name> with the name of the LDAP group you want to associate with the role.

For example:

   role admin ldap-group cn=admins,dc=example,dc=com

This associates the "admin" role with the LDAP group "cn=admins,dc=example,dc=com".

5. Save the configuration:

   Save

6. Apply the changes:

   apply

Note: It's essential to verify the commands and syntax before applying them to your production environment.

Verification

To verify that the LDAP group is associated with the User Role, you can use the show role command:

   show role <role-name>

This command will display the role details, including the LDAP group associated with it.

1 Rookie • 5 Posts

August 28th, 2024 03:53

Hi Charles R,

Thanks for your response.

May I ask if the configuration method above for LDAP is for SONiC Distribution v4.2.2 Enterprise?

Because I couldn't find the syntax of LDAP commands like that on the switch:

admin@SW-SONIC-01:~$ sonic-cli
SW-SONIC-01# configure
SW-SONIC-01(config)# ldap-server
  base                        Configure global base distinguished name
  bind-timelimit              Configure global connect time limit
  binddn                      Configure global distinguished name to bind
  bindpw                      Configure global credentials to bind
  host                        Configure host name or IP address for a LDAP server
  idle-timelimit              Configure global NSS idle time limit
  map                         Configure LDAP server for map
  nss                         Configure LDAP server for NSS
  nss-base-group              Configure global NSS search base for group map
  nss-base-netgroup           Configure global NSS search base for netgroup map
  nss-base-passwd             Configure global NSS search base for passwd map
  nss-base-shadow             Configure global NSS search base for shadow map
  nss-base-sudoers            Configure global NSS search base for sudoers map
  nss-initgroups-ignoreusers  Configure global NSS init groups ignore users
  nss-skipmembers             Configure NSS skipmembers
  pam                         Configure LDAP server for PAM
  pam-filter                  Configure global PAM filter
  pam-group-dn                Configure global PAM Group Distinguished name
  pam-login-attribute         Configure global PAM Login attribute
  pam-member-attribute        Configure global PAM Member attribute
  port                        Configure global server port
  retry                       Configure global retransmit attempt
  scope                       Configure global search scope
  source-interface            Configure source interface to be used as source IP for the LDAP packets
  ssl                         Configure global TLS configuration
  sudo                        Configure LDAP server for SUDO
  sudoers-base                Configure global sudo base distinguished name for queries
  sudoers-search-filter       Configure global sudo search filter for queries
  timelimit                   Configure global search time limit
  version                     Configure global LDAP version
  vrf                         Configure VRF to be used for LDAP server connection

SW-SONIC-01(config)# ldap-server

https://www.imghippo.com/i/lTYi91724817467.jpg

https://www.imghippo.com/i/nRd0a1724817716.jpg


Moderator • 3.9K Posts

August 28th, 2024 08:05

Hi,

 

Probably you are looking for # ldap-server map

 

sonic(config)# ldap-server map remote-groups-override-to-sonic-roles AdminGroup to admin
sonic(config)# ldap-server map remote-groups-override-to-sonic-roles NetAdminGroup to netadmin
sonic(config)# ldap-server map remote-groups-override-to-sonic-roles SecAdminGroup to secadmin
sonic(config)# ldap-server map remote-groups-override-to-sonic-roles OperatorGroup to operator

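As an added check (not code from this thread or from Dell), the following Python models how a `remote-groups-override-to-sonic-roles` entry would be matched against the groups an LDAP server returns for a user, assuming the switch compares the map's group name with each group's cn, exactly and case-sensitively; it flags groups that nearly match (case, DN versus cn), which is the kind of mismatch worth ruling out before opening a support case. The role precedence and the reading of the thread's "operation" role as the switch's "operator" role are also assumptions.

```python
import re
from typing import Optional

# Map entries as typed on the switch for this thread's two groups (constructed);
# the thread's "operation" role is taken to mean the switch's "operator" role.
ROLE_MAP = {
    "network-admins": "admin",
    "network-view": "operator",
}

# Precedence when a user is in several mapped groups: highest privilege wins.
# This ordering is an assumption of the model, not documented switch behaviour.
ROLE_RANK = {"admin": 3, "netadmin": 2, "secadmin": 2, "operator": 1}


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring '\\,' escaped commas."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().lower(), value.replace("\\,", ",").strip()))
    return pairs


def group_name(dn_or_name: str) -> str:
    """Reduce a group DN to its cn; a bare name (memberUid style) is returned as is."""
    if "=" not in dn_or_name:
        return dn_or_name
    for attr, value in parse_dn(dn_or_name):
        if attr == "cn":
            return value
    return dn_or_name


def resolve_role(user_groups: list[str], role_map: dict = ROLE_MAP) -> Optional[str]:
    """Role the map would select for a user's groups, or None if nothing matches.

    Matching is exact and case-sensitive on the cn (assumption), so
    'Network-Admins' does not satisfy a map entry for 'network-admins'.
    """
    matched = [role_map[g] for g in map(group_name, user_groups) if g in role_map]
    return max(matched, key=lambda r: ROLE_RANK.get(r, 0)) if matched else None


def unmatched_groups(user_groups: list[str], role_map: dict = ROLE_MAP) -> list[str]:
    """Groups that match no map entry; compare them with the map to spot case or DN-vs-cn slips."""
    return [g for g in user_groups if group_name(g) not in role_map]
```

Feed it the group values your LDAP server actually returns for the test user (for example the memberOf DNs or posixGroup cn values from an ldapsearch) and the map entries exactly as configured on the switch; an empty result from `resolve_role` with a non-empty `unmatched_groups` points at the data, not the switch.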

1 Rookie • 5 Posts

August 28th, 2024 08:47

Hi @DELL-Joey C,

I am doing it the same way, but it doesn't work. You can review my LDAP config in the description of this post.

I think a "search filter" needs to be configured for users in a specific LDAP group.

Can you please share a specific example of the same situation?

Moderator • 3.9K Posts

August 28th, 2024 09:47

Hi,

Could you update to version v4.4 and try the commands I've provided again?

1 Rookie • 5 Posts

August 29th, 2024 03:57

Hi @DELL-Joey C,

I successfully upgraded the SONiC image from v4.2.2 to v4.4.0, but my problem remains: LDAP users in the network-admins group are not assigned the Admin role.

Can you please share a specific example of the same situation?

Moderator • 3.9K Posts

August 29th, 2024 07:19

Hi,

Thanks for the feedback. It seems that you have already configured the LDAP map from the server groups to the switch role, but if it is not working, I would suggest contacting support directly to check the switch logs and also the server's LDAP configuration. The configuration on the switch seems to be correct; support will need to check further.

Let's give Charles a moment to see if he has something to suggest. Give him about 12 hours from my reply, as he'll be back on shift.

Moderator • 4.5K Posts

August 29th, 2024 13:06

Hello,

I'm sorry about that previous information. It does not seem applicable here.

Are you getting errors you can share?

1 Rookie • 5 Posts

August 30th, 2024 07:36

Hi @DELL-Charles R,

I couldn't find any log regarding LDAP user login in the logging.

Can you recommend where I can find the log?

Can you please guide me in contacting the support directly to check the switch logs and the server's LDAP configuration?

Moderator • 9.5K Posts

August 30th, 2024 12:13

In order to contact your local support, you can follow this link and then enter the svc tag; that will route you to the correct group.

As for the log, the page here will walk you through pulling the logs.

 
