LDAP Authentication and Authorization
NVOS implements LDAP client AAA (Authentication, Authorization, and Accounting) transparently and with minimal configuration. There is no need to create user accounts or directories on the switch.
NVOS uses Pluggable Authentication Modules (PAM) and Name Service Switch (NSS) for user authentication. NSS enables PAM to use LDAP to provide user authentication, group mapping, and information for other services on the system.
Authentication using PAM supports login, SSH, sudo, and su.
Runs over the eth0 management interface.
Supports up to eight LDAP servers.
LDAP configuration consists of two levels:
Global Configuration: Settings that apply to all LDAP servers unless overridden.
Per-Server Configuration: Specific settings for individual LDAP servers.
If a per-server configuration is not defined, the system will automatically use the settings from the global configuration.
All nv ldap commands are listed in the LDAP Commands section. Global commands are under /system/aaa/ldap, and per-server commands are under /system/aaa/ldap/server/<hostname-id>.
The LDAP server configuration assigns users to specific groups, and group membership determines the privileges a user has on the switch. GIDs are unique by default but are not fixed: a group can be assigned any GID, so match on the group name rather than on the GID numbers shown below.
Admin privileged users: 4(adm), 27(sudo), 999(docker), 1001(redis), 995(nvaction), 997(nvapply)
Monitor privileged users: 4(adm), 998(nvshow)
Non-privileged users: No NV commands access
LDAP Server Group Configuration Example
Below is an example of a posixGroup entry on the LDAP server that places the directory user adminuser in the nvaction group. Membership in the privileged groups listed above is what the switch uses to decide which NV commands a user may run, so the entries for the other groups (adm, sudo, and so on) follow the same pattern. The RDN in the dn must carry the same cn value as the entry.
dn: cn=nvaction,ou=People,dc=itzgeek,dc=local
objectClass: posixGroup
cn: nvaction
gidNumber: 995
memberUid: adminuser
The SSL section configures the encryption mode the LDAP client uses to protect its connections to the server.
Supported encryption modes: start-tls and ssl.
Default CA certificate bundle: the LDAP client validates server certificates against the default bundle located at /etc/ssl/certs/ca-certificates.crt.
Certificate validation: validation can be skipped with the SSL setting cert-verify. When validation is skipped, the server certificate is used only to set up the encrypted session and its authenticity is not checked, so the client cannot distinguish the real LDAP server from an impostor presenting any certificate.
Leave certificate validation enabled wherever possible to keep LDAP connections both secure and reliable.
Below is a simple example of configuring an LDAP client. This setup includes basic global settings and per-server configuration.
admin@nvos:~$ nv set system aaa ldap bind-dn <ldap-server-bind-dn>
admin@nvos:~$ nv set system aaa ldap secret "ldap-secret"
admin@nvos:~$ nv set system aaa ldap server <ldap-server-ip>
admin@nvos:~$ nv set system aaa ldap base-dn <ldap-server-base-dn>
# set global aaa configs
admin@nvos:~$ nv set system aaa authentication order ldap,local
admin@nvos:~$ nv config apply -y
NSS specifies the order of the information sources that resolve names for each service. Using NSS with authentication and authorization provides the order and location for user lookup and group mapping on the system.
PAM handles the interaction between the user and the system, providing login handling, session setup, authentication of users, and authorization of user actions.
LDAP authentication is sensitive to network delay. For optimal performance, NVIDIA recommends a round trip time of 10ms or less between LDAP clients and the LDAP server. If latency is between 10-50ms, NVIDIA recommends changing the authentication order to prioritize local authentication before LDAP. For connections exceeding 50ms of latency, authentication might experience unacceptable delays; consider alternative authentication methods.
LDAP server settings can be configured with NVUE.
Connection
Configure the following connection settings:
The hostname or IP address of the LDAP server from which you want to import users. If you use multiple LDAP servers, you can also set a priority for each server.
The port number of the LDAP server if you are using a non-default port. The default port number for LDAP is TCP and UDP port 389.
Authenticated (Simple) BIND credentials. The BIND credentials are optional; if you do not specify the credentials, the switch assumes an anonymous bind. To use SASL (Simple Authentication and Security Layer) BIND, which provides authentication services using other mechanisms such as Kerberos, contact your LDAP server administrator for authentication information.
The following example configures the LDAP server and port, and the BIND credentials.
admin@nvos:~$ nv set system aaa ldap server ldapserver1
admin@nvos:~$ nv set system aaa ldap port 388
admin@nvos:~$ nv set system aaa ldap bind-dn CN=nvset-admin,CN=Users,DC=rtp,DC=example,DC=test
admin@nvos:~$ nv set system aaa ldap secret 1Q2w3e4r!
admin@nvos:~$ nv config apply
The following example sets the priority to 2 for ldapserver2 when using multiple LDAP servers:
admin@nvos:~$ nv set system aaa ldap server ldapserver2 priority 2
Set the Authentication Order
To prioritize the order in which NVOS attempts different authentication methods to verify user access to the switch, you set the authentication order. By default, NVOS verifies users according to their local passwords.
When AAA authentication failthrough is enabled and the authentication order starts with LDAP, NVOS falls back to local password authentication if the LDAP servers do not have the user in their directory or do not respond.
If no LDAP server is available, local authentication is applied.
To set the authentication order to start with LDAP before local authentication:
admin@nvos:~$ nv set system aaa authentication order ldap,local
admin@nvos:~$ nv config apply
Search Function
When an LDAP client requests information about a resource, the client must connect and bind to the server, then perform one or more resource queries depending on the lookup. All search queries to the LDAP server use the configured search base, filter, and the desired entry (uid=myuser). If the LDAP directory is large, this search takes a long time. Define a more specific search base for the common maps (passwd and group).
admin@nvos:~$ nv set system aaa ldap base-dn ou=support,dc=rtp,dc=example,dc=test
admin@nvos:~$ nv config apply
LDAP Version
NVOS uses LDAP version 3 by default. LDAP version 2 is obsolete (it was retired by RFC 3494) and lacks the StartTLS and SASL mechanisms described on this page, so change the version only if a legacy server requires it:
admin@nvos:~$ nv set system aaa ldap version 2
admin@nvos:~$ nv config apply
LDAP Timeouts
NVOS provides two timeout settings:
The bind timeout sets the number of seconds before the BIND operation times out. The default setting is 5 seconds.
The search timeout sets the number of seconds before the search times out. The default setting is 5 seconds.
The following example sets both the BIND session timeout and the search timeout to 60 seconds.
admin@nvos:~$ nv set system aaa ldap timeout-bind 60
admin@nvos:~$ nv set system aaa ldap timeout-search 60
admin@nvos:~$ nv config apply
SSL Options
You can configure the following SSL options:
SSL mode. You can specify none, ssl, or start-tls.
SSL port.
SSL certificate validation.
SSL cipher suites. You can specify TLS1.2, TLS1.3, TLS-CIPHERS, or all.
SSL CRL check.
To use IPv6 with SSL or Start TLS, you must set the hostname of the LDAP server instead of the IPv6 address with the nv set system aaa ldap server <hostname> command. See Configure LDAP Server Settings.
The following example sets the SSL mode to SSL, the port to 8443, enables SSL certificate validation, and sets the SSL cipher suites to TLS1.3. Server certificates are validated against the default CA bundle, /etc/ssl/certs/ca-certificates.crt.
admin@nvos:~$ nv set system aaa ldap ssl mode ssl
admin@nvos:~$ nv set system aaa ldap ssl port 8443
admin@nvos:~$ nv set system aaa ldap ssl cert-verify enabled
admin@nvos:~$ nv set system aaa ldap ssl tls-ciphers TLS1.3
admin@nvos:~$ nv config apply
Show LDAP Settings
To show the LDAP configuration settings on the switch, run the following commands:
nv show system aaa ldap shows all the LDAP configuration settings.
nv show system aaa ldap server shows the configured LDAP servers and their priorities.
nv show system aaa ldap server <server-id> shows the priority for the specified LDAP server.
nv show system aaa ldap ssl shows the LDAP SSL configuration settings.
The following example shows all the LDAP configuration settings:
admin@nvos:~$ nv show system aaa ldap
                operational                                          applied
--------------  ---------------------------------------------------  ---------------------------------------------------
bind-dn         CN=nvset-admin,CN=Users,DC=rtp,DC=example,DC=test    CN=nvset-admin,CN=Users,DC=rtp,DC=example,DC=test
base-dn         ou=users,dc=example,dc=com                           ou=users,dc=example,dc=com
port            389                                                  388
timeout-bind    5                                                    5
timeout-search  5                                                    5
secret          $nvsec$4fb719e24167246947d4f746f58696fc              $nvsec$4fb719e24167246947d4f746f58696fc
version         3                                                    3
[server]        ldapserver1                                          ldapserver1
ssl
  mode          ssl                                                  ssl
  port          8443                                                 8443
  cert-verify   enabled                                              enabled
  tls-ciphers   TLS1.3                                               TLS1.3
...
The following example shows the configured LDAP servers and their priorities:
admin@nvos:~$ nv show system aaa ldap server
Hostname Priority
----------- --------
ldapserver1 1
ldapserver2 2
The following example shows the SSL configuration settings:
admin@nvos:~$ nv show system aaa ldap ssl
             operational  applied
-----------  -----------  -------
mode         ssl          ssl
port         8443         8443
cert-verify  enabled      enabled
tls-ciphers  TLS1.3       TLS1.3
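The following script is an added example written for this page, not NVOS code, and NVIDIA ships no such audit command. It parses the table that nv show system aaa ldap prints and flags the weak settings discussed in this section: no bind-dn (anonymous bind), LDAP version 2, cleartext transport, disabled certificate validation, cipher suites not pinned to TLS1.2 or TLS1.3, and applied values that differ from the operational ones. The table layout it assumes (columns separated by two or more spaces, an indented sub-table under ssl) is taken from the output shown above, and both sample tables are constructed rather than captured from a switch.

```python
"""Audit the table printed by `nv show system aaa ldap` for weak settings.

Added example for this page, not NVOS code; the rules encode the SSL,
version and bind guidance given on the page. Sample tables are constructed.
"""
import re
from typing import Dict, List, Tuple

Setting = Tuple[str, str]  # (operational, applied)

# Constructed: no bind-dn (anonymous bind), LDAPv2, cleartext transport,
# certificate checks off, ciphers unpinned, and applied port != operational.
WEAK_SHOW_OUTPUT = """\
                operational                 applied
--------------  --------------------------  --------------------------
base-dn         ou=users,dc=example,dc=com  ou=users,dc=example,dc=com
port            389                         388
timeout-bind    5                           5
timeout-search  5                           5
version         2                           2
[server]        ldapserver1                 ldapserver1
ssl
  mode          none                        none
  port          636                         636
  cert-verify   disabled                    disabled
  tls-ciphers   all                         all
"""

# Constructed to match the hardened settings shown on this page.
HARDENED_SHOW_OUTPUT = """\
                operational                                        applied
--------------  -------------------------------------------------  -------------------------------------------------
bind-dn         CN=nvset-admin,CN=Users,DC=rtp,DC=example,DC=test  CN=nvset-admin,CN=Users,DC=rtp,DC=example,DC=test
base-dn         ou=users,dc=example,dc=com                         ou=users,dc=example,dc=com
port            389                                                389
version         3                                                  3
[server]        ldapserver1                                        ldapserver1
ssl
  mode          ssl                                                ssl
  port          8443                                               8443
  cert-verify   enabled                                            enabled
  tls-ciphers   TLS1.3                                             TLS1.3
"""


def parse_show(text: str) -> Dict[str, Setting]:
    """Parse the table into {key: (operational, applied)}.

    Assumed layout (from the output on this page): columns separated by two
    or more spaces; a non-indented row with no values, such as `ssl`, opens a
    nested table whose indented rows are stored as 'ssl.<key>'.
    """
    settings: Dict[str, Setting] = {}
    section = ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith(("operational", "-")):
            continue  # blank line, column header, or separator row
        parts = re.split(r"\s{2,}", stripped)
        key, values = parts[0], parts[1:]
        indented = raw[0].isspace()
        if not indented:
            section = ""
        if not values:
            if not indented:
                section = key  # start of a nested table
            continue
        name = f"{section}.{key}" if section else key
        applied = values[1] if len(values) > 1 else ""
        settings[name] = (values[0], applied)
    return settings


def audit(settings: Dict[str, Setting]) -> List[Tuple[str, str]]:
    """Return (key, finding) pairs; rules read the applied column, falling
    back to the operational one when only a single value is present."""
    applied = {k: a or o for k, (o, a) in settings.items()}
    findings: List[Tuple[str, str]] = []
    for key, (operational, app) in settings.items():
        if app and app != operational:
            findings.append((key, f"applied '{app}' differs from operational '{operational}'; the last apply may not have taken effect"))
    if "bind-dn" not in applied:
        findings.append(("bind-dn", "no bind-dn configured, so directory lookups use an anonymous bind"))
    if applied.get("version", "3") != "3":
        findings.append(("version", "LDAP version 2 is obsolete; StartTLS and SASL need version 3"))
    if applied.get("ssl.mode", "none") == "none":
        findings.append(("ssl.mode", "cleartext LDAP: the bind secret and user passwords cross the network unencrypted"))
    if applied.get("ssl.cert-verify") != "enabled":
        findings.append(("ssl.cert-verify", "server certificate is not validated; a spoofed LDAP server could collect passwords"))
    if applied.get("ssl.tls-ciphers", "all") not in ("TLS1.2", "TLS1.3"):
        findings.append(("ssl.tls-ciphers", "cipher suites not pinned to TLS1.2 or TLS1.3"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SHOW_OUTPUT), ("hardened", HARDENED_SHOW_OUTPUT)):
        print(f"== {label} ==")
        for key, msg in audit(parse_show(text)) or [("-", "no findings")]:
            print(f"{key}: {msg}")
```

On a real switch, pipe the output of nv show system aaa ldap into parse_show instead of the constructed strings; the operational/applied comparison is worth keeping because, as the page's own output shows (port 389 operational versus 388 applied), the two columns can disagree.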
The LDAP client daemon retrieves and caches password and group information from LDAP. To verify the LDAP interaction, use these command-line tools to trigger an LDAP query from the device.
Identify a User with the id Command
The id command performs a username lookup by following the lookup information sources in NSS for the passwd service. This returns the user ID, group ID and the group list retrieved from the information source. In the following example, the user admin is locally defined in /etc/passwd, and myuser is on LDAP. The NSS configuration has the passwd map configured with the sources compat ldap:
admin@nvos:~$ id admin
uid=1000(admin) gid=1000(admin) groups=1000(admin),4(adm),27(sudo),999(docker),1001(redis),996(nvaction),993(nvapply)
admin@nvos:~$ id myuser
uid=1230(myuser) gid=3000(Development) groups=3000(Development),500(Employees),27(sudo)
getent
The getent command retrieves all records found with NSS for a given map. It can also retrieve a specific entry under that map. You can perform tests with the passwd, group, shadow, or any other map in the /etc/nslcd.conf file. The output from this command formats according to the map requested. For the passwd service, the structure of the output is the same as the entries in /etc/passwd. The group map outputs the same structure as /etc/group.
In this example, looking up a specific user in the passwd map, the user admin is locally defined in /etc/passwd, and myuser is only in LDAP.
admin@nvos:~$ getent passwd admin
admin:x:1000:1000:System Administrator:/home/admin:/bin/bash
admin@nvos:~$ getent passwd myuser
myuser:x:1230:3000:My Test User:/home/myuser:/bin/bash
In the next example, looking up a specific group in the group map, the group admin is locally defined in /etc/group, and netadmin is on LDAP.
admin@nvos:~$ getent group admin
admin:x:1000:
admin@nvos:~$ getent group netadmin
netadmin:*:502:larry,moe,curly,shemp
Running the command getent passwd or getent group without a specific request returns all local and LDAP entries for the passwd and group maps.
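The following script is an added example, not NVOS code, that turns the id and getent group output described in this section into a role check against the privilege groups listed under LDAP Authentication and Authorization at the top of this page. It matches on group name rather than GID because, as the page notes, a group can be assigned any GID. The id line for myuser is the one shown above; the getent group sample and the other id lines are constructed, and the role names admin, monitor, non-privileged and inconsistent are this example's own. The inconsistent role is the one to look for: the page's myuser is in sudo but in none of the NV command groups, a mapping worth questioning before it reaches production.

```python
"""Map LDAP group membership to the switch role it grants.

Added example for this page, not NVOS code. Parses `id` and `getent group`
output and compares group membership with the privilege groups listed under
LDAP Authentication and Authorization. Sample output is constructed except
where noted.
"""
import re
from typing import Dict, Set, Tuple

# Group names from the page's privilege lists; matching is by name because
# the page notes that a group can be assigned any GID.
ADMIN_GROUPS = {"adm", "sudo", "docker", "redis", "nvaction", "nvapply"}
MONITOR_GROUPS = {"adm", "nvshow"}
PRIVILEGED = ADMIN_GROUPS | MONITOR_GROUPS

# Constructed `getent group` output: adminuser holds every admin group,
# monuser the monitor groups, and myuser only sudo (a mapping to question).
SAMPLE_GETENT_GROUP = """\
adm:x:4:adminuser,monuser
sudo:x:27:adminuser,myuser
docker:x:999:adminuser
redis:x:1001:adminuser
nvaction:*:995:adminuser
nvapply:*:997:adminuser
nvshow:*:998:monuser
netadmin:*:502:larry,moe,curly,shemp
"""


def parse_id(line: str) -> Tuple[str, Set[str]]:
    """Parse one line of `id <user>` output into (user, {group names})."""
    m = re.match(
        r"uid=\d+\((?P<user>[^)]+)\)\s+gid=\d+\([^)]+\)\s+groups=(?P<groups>\S+)",
        line.strip(),
    )
    if not m:
        raise ValueError(f"unrecognised id output: {line!r}")
    return m.group("user"), set(re.findall(r"\d+\(([^)]+)\)", m.group("groups")))


def parse_getent_group(output: str) -> Dict[str, Set[str]]:
    """Parse `getent group` lines (name:password:gid:member,member) into
    {group: {members}}. Only supplementary members appear here; a user's
    primary group is visible in `id` output instead."""
    groups: Dict[str, Set[str]] = {}
    for line in output.splitlines():
        if line.strip():
            name, _password, _gid, members = line.split(":", 3)
            groups[name] = {m for m in members.split(",") if m}
    return groups


def classify(groups: Set[str]) -> Tuple[str, Set[str]]:
    """Return (role, suspect) for a user's group set.

    role is admin, monitor, non-privileged, or inconsistent; suspect holds
    privileged groups that do not fit the role, such as a monitor user who is
    also in sudo, or a user in sudo without any NV command group.
    """
    held = groups & PRIVILEGED
    if ADMIN_GROUPS <= groups:
        return "admin", set()
    if MONITOR_GROUPS <= groups:
        return "monitor", held - MONITOR_GROUPS
    if not held:
        return "non-privileged", set()
    return "inconsistent", held


def review_directory(getent_output: str) -> Dict[str, str]:
    """Role of every user that appears in at least one privileged group."""
    membership: Dict[str, Set[str]] = {}
    for group, members in parse_getent_group(getent_output).items():
        if group in PRIVILEGED:
            for user in members:
                membership.setdefault(user, set()).add(group)
    return {user: classify(groups)[0] for user, groups in membership.items()}


if __name__ == "__main__":
    # The first line is the page's own `id myuser` example; the second is constructed.
    for line in (
        "uid=1230(myuser) gid=3000(Development) groups=3000(Development),500(Employees),27(sudo)",
        "uid=1231(monuser) gid=3000(Development) groups=3000(Development),4(adm),998(nvshow)",
    ):
        user, groups = parse_id(line)
        print(user, *classify(groups))
    print(review_directory(SAMPLE_GETENT_GROUP))
```

Run review_directory over the real getent group output to list everyone the directory currently maps to a switch role, then spot-check individual accounts with parse_id, since a user's primary group only shows up in id output.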