NVIDIA NVOS User Manual for InfiniBand Switches v25.02.3000

LDAP Authentication and Authorization

NVOS implements LDAP client AAA (Accounting, Authentication, and Authorization) in a transparent way with minimal configuration. There is no need to create accounts or directories on the switch.

NVOS uses Pluggable Authentication Modules (PAM) and Name Service Switch (NSS) for user authentication. NSS enables PAM to use LDAP to provide user authentication, group mapping, and information for other services on the system.

  • Authentication using PAM: Supports login, SSH, sudo, and su.

  • Runs over the eth0 management interface.

  • Supports up to eight LDAP servers.

LDAP configuration consists of two levels:

  1. Global Configuration: Settings that apply to all LDAP servers unless overridden.

  2. Per-Server Configuration: Specific settings for individual LDAP servers.

If a per-server configuration is not defined, the system will automatically use the settings from the global configuration.

All nv ldap commands are listed in the LDAP Commands section. Global commands are under /system/aaa/ldap, and per-server commands are under /system/aaa/ldap/hostname/<hostname-id>.

Prior to the introduction of RBAC (Role Based Access Control), NVOS supported three types of users. User privileges are managed through the LDAP server by assigning users to specific LDAP groups. Membership in these groups determined the operations that a user was authorized to perform.

  1. Admin privileged users (nv set, nv config apply): 1000(admin), 4(adm), 27(sudo), 999(docker), 1001(redis), 997(nvset), 996(nvapply)

  2. Monitor privileged users (nv show): 4(adm), 998(nvshow)

  3. Non-privileged users (no nv commands access)

With RBAC, the user types can differ and change over time. The LDAP server configuration assigns users to specific groups. Each group's GID is now unique by default and, by design, can be mapped to any GID.

  1. Admin privileged users: 4(adm), 27(sudo), 999(docker), 1001(redis), 998(nvaction), 995(nvapply) (only nvaction and nvapply were affected)

  2. Monitor privileged users: 4(adm), 997(nvshow)

  3. Non-privileged users: No NV commands access

LDAP Server Group Configuration Example

Below is an example of configuring LDAP server groups. This configuration allows you to define a group of LDAP servers with common settings while enabling server-specific overrides when necessary.

```ldif
# posixGroup entry granting the nvaction group (GID 998) to user adminuser
dn: cn=nvaction,ou=People,dc=itzgeek,dc=local
objectClass: posixGroup
cn: nvaction
gidNumber: 998
memberUid: adminuser
```
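To check which NVOS privilege tier a directory actually grants each user, here is an added example (not NVOS code) that parses posixGroup entries in the LDIF form shown above and maps each memberUid to a tier using the RBAC group GIDs listed earlier. It assumes a tier applies only when the user holds every GID that tier lists; the sample LDIF, user names and the dc=example suffix are constructed.

```python
ADMIN_GROUPS = {"adm": 4, "sudo": 27, "docker": 999, "redis": 1001,
                "nvaction": 998, "nvapply": 995}  # GIDs from the RBAC list above
MONITOR_GROUPS = {"adm": 4, "nvshow": 997}

# Constructed sample export of posixGroup entries; not from a real directory.
SAMPLE_LDIF = """dn: cn=adm,ou=People,dc=example,dc=local
objectClass: posixGroup
cn: adm
gidNumber: 4
memberUid: alice
memberUid: bob

dn: cn=nvaction,ou=People,dc=example,dc=local
objectClass: posixGroup
cn: nvaction
gidNumber: 998
memberUid: alice

dn: cn=nvshow,ou=People,dc=example,dc=local
objectClass: posixGroup
cn: nvshow
gidNumber: 997
memberUid: bob
"""

def parse_posix_groups(ldif):
    """Return {uid: {gid, ...}} from posixGroup entries separated by blank lines."""
    memberships = {}
    for entry in ldif.strip().split("\n\n"):
        attrs = {}
        for line in entry.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), []).append(value.strip())
        if "posixGroup" not in attrs.get("objectClass", []):
            continue  # only group entries carry gidNumber/memberUid
        gid = int(attrs["gidNumber"][0])
        for uid in attrs.get("memberUid", []):
            memberships.setdefault(uid, set()).add(gid)
    return memberships

def privilege_tier(gids):
    """Assumed rule: a tier applies only when the user holds every GID it lists."""
    for tier, groups in (("admin", ADMIN_GROUPS), ("monitor", MONITOR_GROUPS)):
        if set(groups.values()) <= gids:
            return tier
    return "none"

def missing_for(gids, groups):
    """Groups a user still lacks for a tier; handy when auditing partial grants."""
    return sorted(name for name, gid in groups.items() if gid not in gids)
```

In the sample, alice is in adm and nvaction but lacks the other admin groups, so she resolves to no tier; missing_for shows exactly which groups a half-configured account still needs.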


The SSL section enables configuring the encryption mode for the LDAP client to ensure secure communication.

  • Supported Encryption Modes: start-tls, ssl.

  • Default CA Certificate Bundle: The LDAP client uses the default CA certificate bundle located at /etc/ssl/certs/ca-certificates.crt.

  • Certificate Validation: Certificate validation can be skipped with the SSL setting cert-verify. When validation is skipped, the server certificate is used only to establish an encrypted connection; its authenticity is not verified.

Ensure proper configuration to maintain secure and reliable LDAP connections.

Below is a simple example of configuring an LDAP client. This setup includes basic global settings and per-server configuration.

```shell
admin@nvos:~$ nv set system aaa ldap bind-dn <ldap-server-bind-dn>
admin@nvos:~$ nv set system aaa ldap secret "ldap-secret"
admin@nvos:~$ nv set system aaa ldap hostname <ldap-server-ip>
admin@nvos:~$ nv set system aaa ldap base-dn <ldap-server-base-dn>
# set global aaa configs
admin@nvos:~$ nv set system aaa authentication order ldap,local
admin@nvos:~$ nv config apply -y
```

© Copyright 2025, NVIDIA. Last updated on May 14, 2025.