NVIDIA NVOS User Manual for NVLink Switches v25.02.2141

LDAP Authentication and Authorization

NVOS implements LDAP client AAA (Accounting, Authentication, and Authorization) in a transparent way with minimal configuration. There is no need to create accounts or directories on the switch.

NVOS uses Pluggable Authentication Modules (PAM) and Name Service Switch (NSS) for user authentication. NSS enables PAM to use LDAP to provide user authentication, group mapping, and information for other services on the system.

  • Authentication using PAM: Supports login, SSH, sudo, and su.

  • Runs over the eth0 management interface.

  • Supports up to eight LDAP servers.

LDAP configuration consists of two levels:

  1. Global Configuration: Settings that apply to all LDAP servers unless overridden.

  2. Per-Server Configuration: Specific settings for individual LDAP servers.

If a per-server configuration is not defined, the system will automatically use the settings from the global configuration.

All nv ldap commands are listed in the LDAP Commands section. Global commands are under /system/aaa/ldap, and per-server commands are under /system/aaa/ldap/hostname/<hostname-id>.

NVOS supports three types of users. User privileges are managed through the LDAP server by assigning users to specific LDAP groups. Membership in these groups determines the operations that a user is authorized to perform.

  1. Admin privileged users (nv set, nv config apply): 1000(admin), 4(adm), 27(sudo), 999(docker), 1001(redis), 997(nvset), 996(nvapply)

  2. Monitor privileged users (nv show): 4(adm), 998(nvshow)

  3. Non-privileged users (no access to nv commands)
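As an added example (not NVOS code and not part of this manual), the following Python parses posixGroup LDIF entries like the group entry in the configuration example below, maps each memberUid to its GIDs, and reports which of the three privilege levels a user would receive and which groups it still lacks. It assumes that a privilege level requires membership in every group listed for it, and the LDIF text is constructed sample data.

```python
from collections import defaultdict

ADMIN_GIDS = {1000, 4, 27, 999, 1001, 997, 996}   # nv set / nv config apply
MONITOR_GIDS = {4, 998}                            # nv show

# Constructed sample LDIF (not from a real directory): three posixGroup entries.
SAMPLE_LDIF = """\
dn: cn=nvset,ou=People,dc=itzgeek,dc=local
objectClass: posixGroup
gidNumber: 997
memberUid: adminuser

dn: cn=adm,ou=People,dc=itzgeek,dc=local
objectClass: posixGroup
gidNumber: 4
memberUid: adminuser
memberUid: monuser

dn: cn=nvshow,ou=People,dc=itzgeek,dc=local
objectClass: posixGroup
gidNumber: 998
memberUid: monuser
"""

def parse_posix_groups(ldif):
    """Return {uid: set(gidNumber)} built from the posixGroup entries in an LDIF text."""
    membership = defaultdict(set)
    for block in ldif.strip().split("\n\n"):      # entries are separated by a blank line
        attrs = defaultdict(list)
        for line in block.splitlines():
            if ":" in line:
                key, _, value = line.partition(":")
                attrs[key.strip()].append(value.strip())   # memberUid is multi-valued
        if "posixGroup" not in attrs.get("objectClass", []):
            continue
        gid = int(attrs["gidNumber"][0])
        for uid in attrs.get("memberUid", []):
            membership[uid].add(gid)
    return dict(membership)

def privilege_level(gids):
    """Classify per the manual's user types; assumption: a level needs all of its groups.
    Returns (level, GIDs still missing for the next higher level)."""
    if ADMIN_GIDS <= gids:
        return "admin", set()
    if MONITOR_GIDS <= gids:
        return "monitor", ADMIN_GIDS - gids
    return "non-privileged", MONITOR_GIDS - gids
```

With the sample data, adminuser is only in nvset and adm, so it is non-privileged and the missing-group report points at nvshow (998); monuser holds adm and nvshow and gets the monitor level.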

LDAP Server Group Configuration Example

Below is an example of configuring LDAP server groups. This configuration allows you to define a group of LDAP servers with common settings while enabling server-specific overrides when necessary.

            dn: cn=nvset,ou=People,dc=itzgeek,dc=local
            objectClass: posixGroup
            cn: nvset
            gidNumber: 997
            memberUid: adminuser


The SSL section enables configuring the encryption mode for the LDAP client to ensure secure communication.

  • Supported Encryption Modes: start-tls, ssl.

  • Default CA Certificate Bundle: The LDAP client uses the default CA certificate bundle located at /etc/ssl/certs/ca-certificates.crt.

  • Certificate Validation: Certificate validation may be skipped using the SSL setting cert-verify. When certificate validation is skipped, the certificate is used only to establish an encrypted connection; the server's identity is not verified, so the client cannot tell a legitimate LDAP server from one presenting any other certificate.

Ensure proper configuration to maintain secure and reliable LDAP connections.

Below is a simple example of configuring an LDAP client. This setup includes basic global settings and per-server configuration.

            admin@nvos:~$ nv set system aaa ldap bind-dn <ldap-server-bind-dn>
            admin@nvos:~$ nv set system aaa ldap secret "ldap-secret"
            admin@nvos:~$ nv set system aaa ldap hostname <ldap-server-ip>
            admin@nvos:~$ nv set system aaa ldap base-dn <ldap-server-base-dn>
            # set global aaa configs
            admin@nvos:~$ nv set system aaa authentication order ldap,local
            admin@nvos:~$ nv config apply -y

© Copyright 2025, NVIDIA. Last updated on Apr 23, 2025.