Option 4 - Configure Authentication Method

This section describes option 4 (Configure authentication method) from the Gateway System Settings option in the Layer7 API Gateway main menu. It is commonly used to enable SSH access using LDAP credentials.
After configuring the authentication method using the directions below, you can update the settings using the Restricted Shell commands. For more information, see "Commands for Authentication Configuration" under Option 5 - Use Restricted Shell.
Use this option to configure the authentication method for users on this machine. Choose one of the following options and then complete the on-screen prompts.
  •  Local System: Authenticate user accounts locally, disabling any external authentication method. This is the default.
  •  RADIUS only: Authenticate users over the RADIUS protocol.
     Note: RADIUS-only authentication provides only a basic means of creating a centralized authentication service and is not as secure as the other methods.
     After configuring the RADIUS protocol, open a privileged shell and run this command once for each RADIUS-only user (-M creates the local account without a home directory):
     # useradd -M <username>
  •  LDAP(S) only: Authenticate users against an LDAP(S) server.
  •  RADIUS with LDAP(S): Authenticate users over the RADIUS protocol, with user information coming from LDAP(S).
You have a chance to review your settings at the end of the configuration wizard before the changes are applied.
When authenticating using RADIUS and/or LDAP, authentication falls back to local authentication if communication with the RADIUS or LDAP server is not possible or if the external authentication fails. Local accounts therefore remain a valid login path after an external method is enabled, so their passwords (or their locked state) must be managed with the same care as the directory credentials.
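To make the fallback rule concrete, the following added example (not code from the Layer7 documentation or product) models the decision flow described above and audits a constructed /etc/shadow excerpt for the local accounts that the fallback could still accept. The account names, the shadow lines, the simulated directory responses and the plain-text stand-in for local password verification are assumptions for the example.

```python
"""Added example: model the fall-back-to-local rule and audit local accounts.

Not part of the Layer7 documentation or product. The shadow lines below are
constructed; the locked/unlocked test follows the shadow(5) convention that a
password field starting with '!' or '*' cannot be used to log in.
"""

# Constructed /etc/shadow excerpt (hashes abbreviated). 'alice' is what a
# RADIUS-only user created with 'useradd -M' looks like before anyone sets a
# password on the account: the field is locked ('!!').
SHADOW_SAMPLE = """\
root:$6$saltsalt$abbreviatedhash:19700:0:99999:7:::
ssgconfig:$6$saltsalt$abbreviatedhash:19700:0:99999:7:::
alice:!!:19700:0:99999:7:::
bob:*:19700:0:99999:7:::
svc_backup::19700:0:99999:7:::
"""


def usable_local_accounts(shadow_text):
    """Return {account: 'hash' | 'empty'} for every account the local method
    could still accept once RADIUS/LDAP is enabled. Locked entries are skipped;
    an empty password field is reported separately because it is the worst case."""
    usable = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        name, pw_field = line.split(":")[:2]
        if pw_field.startswith(("!", "*")):
            continue  # locked; the fallback cannot use this account
        usable[name] = "empty" if pw_field == "" else "hash"
    return usable


class LdapUnreachable(Exception):
    """Raised by the simulated directory when it cannot be contacted."""


def authenticate(user, password, ldap_check, local_passwords):
    """Decision flow from the documentation: try the external method first and,
    if it is unreachable *or rejects the user*, try local authentication.

    ldap_check(user, password) -> bool, or raises LdapUnreachable.
    local_passwords is a constructed {user: password} stand-in for local
    verification (a real system compares against the shadow hash).
    Returns 'ldap', 'local', or None.
    """
    try:
        if ldap_check(user, password):
            return "ldap"
    except LdapUnreachable:
        pass
    # The fallback applies both to outages and to explicit rejection.
    if local_passwords.get(user) == password:
        return "local"
    return None


def ldap_rejects_everyone(user, password):
    return False  # e.g. the account was disabled in the directory


def ldap_is_down(user, password):
    raise LdapUnreachable("directory unreachable")


if __name__ == "__main__":
    local = {"ssgconfig": "s3cret"}
    print(usable_local_accounts(SHADOW_SAMPLE))
    # Disabled in LDAP, yet the stale local password still logs the user in.
    print(authenticate("ssgconfig", "s3cret", ldap_rejects_everyone, local))
    print(authenticate("ssgconfig", "s3cret", ldap_is_down, local))
```

The audit function is the check worth running after enabling an external method: any account it lists with a hash is reachable through the fallback with its local password, and one with an empty field is reachable with no password at all if the local PAM stack allows it.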
To Configure Authentication Method on the Gateway
  1. Access the Gateway main menu.
  2. Select 1 (Configure system settings) and then 4 (Configure authentication method).
  3. Select 2 (LDAP) as the authentication method.
  4. Complete the authentication wizard as follows:
    1. Is the directory service to be used an Active Directory? Enter y.
    2. Do you want to use LDAPS (secure)? Enter y or n as appropriate. With n the connection is plain LDAP, and the bind password and the users' passwords cross the network unencrypted; answer y anywhere outside an isolated test network.
    3. Enter the address of the LDAP server: Enter the address of the LDAP server (for example, "machine.mycompany.com").
    4. Enter the LDAP server port: The default port should suffice. Enter a custom port number if you know it has changed.
    5. Enter the LDAP base DN: Enter the base DN that defines where the LDAP query begins looking for objects in the directory (for example, "dc=example,dc=com").
       The scope attribute confines the search to the base object only, to one level below it, or to the whole subtree. Specify the scope by entering base, one, or sub, respectively.
    6. Do you want to enable LDAP Anonymous Bind? Enter y or n as appropriate for the needs of your organization. An anonymous bind is a bind request that uses simple authentication with a zero-length bind DN and password.
       If you enable LDAP Anonymous Bind, the next two prompts are not displayed.
    7. (If Anonymous Bind is disabled) Enter the LDAP bind DN: Optionally specify the bind DN (for example, cn=browse,cn=users,dc=example,dc=com).
       When anonymous binding is not used, a bind user is required to query the LDAP contents. This account is a domain user with read access. Its password is written to the /etc/ldap.secret file, which must be readable by root only so that the plain-text password is not exposed to other users on the Gateway.
    8. (If Anonymous Bind is disabled) Enter the LDAP bind password: Enter the password for the LDAP browser user.
    9. Which object in the LDAP will be used to find the password for users: Specify the appropriate object. This is usually "CN=Users".
    10. Enter the object class that contains the attributes for creating the local user account: Specify the appropriate class. The default is often sufficient ("posixAccount"; for Active Directory the default is "user").
    11. Do you want to change the current setting: Enter y.
    12. Select the filter for account access: pam_filter
       •  pam_filter filters by account attributes. Example: "gidNumber=4000" grants access to accounts that have the attribute "gidNumber" with the value "4000".
       •  groupdn filters by the full distinguished name (DN) of the target group whose memberUid values list the permitted accounts.
    13. Enter the pam_filter to limit account access: Enter a gidNumber (for example, "gidNumber=501").
    14. Specify the PAM login attribute name: uid
  5. You should now see a summary of your configuration (example below). Review your settings carefully before applying the configuration.
    Authentication Configuration Summary
    -------------------------------------------------------
    Label | Value
    ------------------------------------------------------------------------------
    Secure | false
    ActiveDirectory | false
    Server | ad.example.com
    BaseDn | dc=example,dc=com
    Port | 389
    AnonymousBind | false
    BindDn | CN=test,CN=Users,dc=l7net,dc=local
    BindPassword | <Hidden>
    Object for finding the password for users | CN=Users
    Certificate Action | NEVER
    Filter for account access | gidNumber=501
    PAM login attribute | uid
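The filter chosen in steps 12 to 14 decides which directory accounts may log in, and the summary above records it as "Filter for account access | gidNumber=501" together with "PAM login attribute | uid". The following added example (not code from the Layer7 documentation or product) evaluates both filter styles against a small constructed directory: it parses the filter, combines it with the login attribute and object class, and shows which accounts "gidNumber=501" admits versus a groupdn membership list. The directory entries, the group name and the combination rule (&(<login attribute>=<login>)(objectClass=<class>)<filter>) are assumptions for the example, modelled on how pam_ldap builds its lookup.

```python
"""Added example: evaluate the wizard's 'filter for account access'.

Not part of the Layer7 documentation or product. The directory below is
constructed; the way the login attribute, object class and pam_filter are
ANDed together is an assumption modelled on pam_ldap's behaviour.
"""

# Constructed directory: DN -> attributes. Attribute names are stored in
# lower case because LDAP attribute names are case-insensitive.
DIRECTORY = {
    "uid=alice,cn=users,dc=example,dc=com": {
        "objectclass": ["posixAccount"], "uid": ["alice"], "gidnumber": ["501"]},
    "uid=bob,cn=users,dc=example,dc=com": {
        "objectclass": ["posixAccount"], "uid": ["bob"], "gidnumber": ["4000"]},
    "uid=carol,cn=users,dc=example,dc=com": {
        "objectclass": ["posixAccount"], "uid": ["carol"], "gidnumber": ["501"]},
    "cn=gateway-admins,cn=groups,dc=example,dc=com": {
        "objectclass": ["posixGroup"], "cn": ["gateway-admins"],
        "memberuid": ["bob", "carol"]},
}


def parse_filter(text):
    """Parse the RFC 4515 subset needed here: (&..), (|..), (!..), (attr=value)
    and presence (attr=*). Returns a nested tuple tree."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] != ")":
                children.append(node())
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children)
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip())

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry's attribute dict."""
    op = tree[0]
    if op == "&":
        return all(matches(child, entry) for child in tree[1])
    if op == "|":
        return any(matches(child, entry) for child in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def login_allowed_pam_filter(login, login_attr, pam_filter, object_class="posixAccount"):
    """pam_filter mode. The wizard takes the filter without parentheses
    ("gidNumber=501"); it is wrapped and ANDed with the login lookup."""
    if not pam_filter.startswith("("):
        pam_filter = "(%s)" % pam_filter
    combined = "(&(%s=%s)(objectClass=%s)%s)" % (login_attr, login, object_class, pam_filter)
    tree = parse_filter(combined)
    return any(matches(tree, entry) for entry in DIRECTORY.values())


def login_allowed_groupdn(login, login_attr, group_dn):
    """groupdn mode: the account must exist and its login name must appear in
    the group's memberUid list."""
    account_exists = any(login in e.get(login_attr.lower(), []) for e in DIRECTORY.values())
    group = DIRECTORY.get(group_dn.lower(), {})
    return account_exists and login in group.get("memberuid", [])


if __name__ == "__main__":
    group = "cn=gateway-admins,cn=groups,dc=example,dc=com"
    for user in ("alice", "bob", "carol", "mallory"):
        print(user, "pam_filter:", login_allowed_pam_filter(user, "uid", "gidNumber=501"),
              "groupdn:", login_allowed_groupdn(user, "uid", group))
```

Running the script shows the practical difference between the two styles: with gidNumber=501, alice and carol are admitted and bob is not, while the groupdn list admits bob and carol and excludes alice; an account that does not exist in the directory is refused in both modes. Before committing the wizard, checking the chosen filter against the real directory with ldapsearch in the same way avoids locking out the intended administrators.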