We are relatively new to NetApp ONTAP and have been trying to configure LDAP (FreeIPA LDAP) on the ONTAP 9.8 simulator to allow LDAP users to log in to the admin SSH. So far we have followed this documentation to create the client config and associate it with the cluster server, adding the additional auth methods to the ns-switch configuration, and adding the user to the security login configuration with the ldap application and nsswitch auth method.
https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.pow-adm-auth-rbac%2FGUID-21B12DB3-AE7D-447C-A9AC-77D7D260685A.html&lang=en
However, we are still unable to authenticate with an LDAP user to an SSH session on the management port. This is what the event log shows:
4/10/2021 00:42:43 node-01 NOTICE sshd.auth.loginDenied: message="Failed keyboard-interactive / pam for testuser1 from 172.16.239.1 port 53673 ssh2 "
4/10/2021 00:38:28 node-01 DEBUG secd.unexpectedFailure: vserver (Cluster) Unexpected failure. Error: Ldap Get full user info procedure failed
**[ 0] FAILURE: 'Ldap' configuration not available
Client configuration, check, ns-switch and security login:

node::vserver services name-service ldap> show
               Client
Vserver        Configuration
-------------- -------------
node           node

node::vserver services name-service ldap client> show
        Client                        Active Directory              Minimum
Vserver Configuration Servers         Domain            Schema      Bind Level
------- ------------- --------------- ----------------- ----------- ----------
node    node          172.16.239.12   -                 RFC-2307    simple
node::vserver services name-service ldap> check -vserver node
Vserver: node
Client Configuration Name: node
LDAP Status: up
LDAP Status Details: Successfully connected to LDAP server "172.16.239.12".
LDAP DN Status Details: All the configured DNs are available.
node::security login> show
Vserver: node
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
admin          console     password      admin            no     none
admin          http        password      admin            no     none
admin          ontapi      password      admin            no     none
admin          service-processor
                           password      admin            no     none
admin          ssh         password      admin            no     none
autosupport    console     password      autosupport      no     none
testuser1      ssh         nsswitch      admin            -      none

node::vserver services name-service ns-switch> show
                             Source
Vserver         Database     Order
--------------- ------------ ---------
node            hosts        files,
                             dns
node            group        files
node            passwd       files,
                             ldap
svm0            hosts        files,
                             dns
svm0            group        files
svm0            passwd       files
svm0            netgroup     files
svm0            namemap      files
8 entries were displayed.
Running the access-check, it certainly appears that it can query for the user and get the correct response (verified with ldapsearch on the LDAP server).
node::vserver services*> access-check authentication show-ontap-admin-unix-creds -vserver node -unix-user-name testuser1
User Id: 1896000001
Group Id: 1896000001
Home Directory:
Login Shell: /bin/sh
We are wondering if the default RFC 2307 schema supports the FreeIPA (CentOS 8 identity manager) default configuration, or if we need to specify specific LDAP attributes for it to use during authentication.
Any help or suggestions are appreciated.
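One way to answer the schema question offline is to compare what the directory actually returns against the attribute names a classic RFC 2307 posixAccount/posixGroup lookup relies on. The script below is an added example, not code from the poster, NetApp or FreeIPA: it parses `ldapsearch -LLL` (LDIF) output and reports, per entry, which RFC 2307 attributes are missing or empty and whether group membership is expressed only as `member` DNs (RFC 2307bis style) rather than `memberUid`. The attribute names, the assumption that ONTAP's default RFC-2307 schema maps to them, the `dc=example,dc=test` base DN and the sample entries are all assumptions; the sample LDIF is constructed to mirror the empty `Home Directory` seen in the access-check output above, not captured from a real server.

```python
"""Audit LDIF entries against the attribute names an RFC 2307 posixAccount /
posixGroup lookup expects. Added example; sample data below is constructed."""

import base64
import re

# Attribute names of the classic RFC 2307 schema (assumed to be what the
# ONTAP default RFC-2307 client schema maps to).
USER_REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")
USER_OPTIONAL = ("loginShell", "gecos")
GROUP_MEMBER_2307 = "memberUid"
GROUP_MEMBER_2307BIS = ("member", "uniqueMember")

# Constructed sample, shaped like FreeIPA output (assumed base DN), with an
# empty homeDirectory to mirror the blank Home Directory in the access-check.
SAMPLE_LDIF = """\
dn: uid=testuser1,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
objectClass: inetorgperson
uid: testuser1
uidNumber: 1896000001
gidNumber: 1896000001
loginShell: /bin/sh
gecos: Test User
homeDirectory:

dn: cn=testuser1,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixgroup
objectClass: groupofnames
cn: testuser1
gidNumber: 1896000001
member: uid=testuser1,cn=users,cn=accounts,dc=example,dc=test
"""

_ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts. Handles folded
    continuation lines (leading space) and base64 values (attr:: value)."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        m = _ATTR_RE.match(line)
        if not m or line.startswith("#"):
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def get(entry, name):
    """Case-insensitive attribute lookup (LDAP attribute names are)."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])


def check_user(entry):
    """Findings for a user entry under RFC 2307 assumptions."""
    findings = []
    if "posixaccount" not in {c.lower() for c in get(entry, "objectClass")}:
        findings.append("missing objectClass posixAccount")
    for attr in USER_REQUIRED:
        if not [v for v in get(entry, attr) if v != ""]:
            findings.append(f"missing or empty {attr}")
    for attr in USER_OPTIONAL:
        if not get(entry, attr):
            findings.append(f"{attr} not set (optional)")
    return findings


def check_group(entry):
    """Findings for a group entry; flags RFC 2307bis-only membership."""
    findings = []
    if "posixgroup" not in {c.lower() for c in get(entry, "objectClass")}:
        findings.append("missing objectClass posixGroup")
    if not get(entry, "gidNumber"):
        findings.append("missing gidNumber")
    has_2307 = bool(get(entry, GROUP_MEMBER_2307))
    has_bis = any(get(entry, a) for a in GROUP_MEMBER_2307BIS)
    if has_bis and not has_2307:
        findings.append("membership only via member/uniqueMember DNs "
                        "(RFC-2307bis style), no memberUid as RFC-2307 expects")
    return findings


def audit(ldif_text):
    """Run the checks over every entry; returns {dn: [findings]}."""
    report = {}
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in get(entry, "objectClass")}
        is_group = "posixgroup" in classes or "groupofnames" in classes
        report[get(entry, "dn")[0]] = (check_group if is_group else check_user)(entry)
    return report


if __name__ == "__main__":
    for dn, findings in audit(SAMPLE_LDIF).items():
        print(dn)
        for f in findings or ["ok"]:
            print("  -", f)
```

To run it against real data, pipe in `ldapsearch -LLL -x -H ldap://172.16.239.12 -b cn=accounts,dc=example,dc=test '(|(uid=testuser1)(cn=testuser1))'` (base DN assumed) and compare the attribute names it reports against the mapping ONTAP shows for the configured schema with `vserver services name-service ldap client schema show`.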