Option 4 - Configure Authentication Method
This section describes option 4 (Configure authentication method) from the Gateway System Settings option in the Layer7 API Gateway main menu. It is commonly used to enable SSH access using LDAP credentials.
After configuring the authentication method using the directions below, you can update the settings using the Restricted Shell commands. For more information, see "Commands for Authentication Configuration" under Option 5 - Use Restricted Shell.
Use this option to configure the authentication method for users on this machine. Choose one of the following options and then complete the on-screen prompts.
- Local System: Authenticate user accounts locally, disabling any external authentication method. This is the default.
- RADIUS only: Authenticate users over the RADIUS protocol. Note: RADIUS-only authentication provides only a basic means of centralized authentication and is not as secure as the other methods. After configuring the RADIUS protocol, open a privileged shell and run this command once for each RADIUS-only user: # useradd -M <username>
- LDAP(S) only: Authenticate users against an LDAP(S) server.
- RADIUS with LDAP(S): Authenticate users over the RADIUS protocol, with user information coming from LDAP(S).
You have a chance to review your settings at the end of the configuration wizard before the changes are applied.
When RADIUS and/or LDAP authentication is configured, the Gateway falls back to local authentication if it cannot communicate with the RADIUS or LDAP server or if the remote authentication fails.
To Configure Authentication Method on the Gateway
- Access the Gateway main menu.
- Select 1 (Configure system settings) and then 4 (Configure authentication method).
- Select 2 (LDAP) as the authentication method.
- Complete the authentication wizard as follows:
- Is the directory service to be used an Active Directory? Enter y.
- Do you want to use LDAPS (secure)? Enter y or n as appropriate.
- Enter the address of the LDAP server: Enter the address of the LDAP server (for example, "machine.mycompany.com").
- Enter the LDAP server port: The default port should suffice. Enter a custom port number if you know it has changed.
- Enter the LDAP base DN: Enter the Base DN that defines where the LDAP query begins looking for objects in the Active Directory (for example, "dc=example,dc=com"). The scope attribute confines the search to the base, to one level below it, or to all lower levels. Specify the scope by entering base, one, or sub, respectively.
- Do you want to enable LDAP Anonymous Bind? Enter y or n as appropriate for the needs of your organization. An anonymous bind is a bind request that uses simple authentication with an empty (zero-length) bind DN and password. If you enable LDAP Anonymous Bind, the next two prompts are not displayed.
- (If Anonymous Bind disabled) Enter the LDAP bind DN: Optionally specify the Bind DN (for example, cn=browse,cn=users,dc=example,dc=com). Without a secure connection, a bind user is required to query the LDAP contents. This account is a domain user with read access. The password for this user is written to the /etc/ldap.secret file and should not be visible as plain text.
- (If Anonymous Bind disabled) Enter the LDAP bind password: Enter the password for the LDAP browser user.
- Which object in the LDAP will be used to find the password for users: Specify the appropriate object. This is usually "CN=Users".
- Enter the object class that contains the attributes for creating the local user account: Specify the appropriate class. The default is usually sufficient (posixAccount; for Active Directory the default is user).
- Do you want to change the current setting: Enter y.
- Select the filter for account access: pam_filter
- pam_filter filters by account attributes. For example, "gidNumber=4000" grants access to accounts whose "gidNumber" attribute has the value "4000".
- groupdn filters by the full domain name of the target group that contains the list of memberUid values.
- Enter the pam_filter to limit account access: Enter a gidNumber (for example, "gidNumber=501").
- Specify the PAM login attribute name: uid
- You should now see a summary of your configuration (example below). Review your settings carefully before applying the configuration.

Authentication Configuration Summary
-------------------------------------------------------
Label                                     | Value
-------------------------------------------------------
Secure                                    | false
ActiveDirectory                           | false
Server                                    | ad.example.com
BaseDn                                    | dc=example,dc=com
Port                                      | 389
AnonymousBind                             | false
BindDn                                    | CN=test,CN=Users,dc=l7net,dc=local
BindPassword                              | <Hidden>
Object for finding the password for users | CN=Users
Certificate Action                        | NEVER
Filter for account access                 | gidNumber=501
PAM login attribute                       | uid
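The summary is the last chance to catch a weak setting before it is applied. The following added example (not part of the Layer7 documentation) parses a constructed copy of that summary, flags the settings a reviewer should question, and builds the LDAP filter a login attempt is expected to satisfy; that Certificate Action NEVER means the server certificate is not verified is an assumption.

```python
# Added example (not from the Layer7 documentation): parse the wizard's summary
# and flag settings to question. SUMMARY is a constructed sample in the wizard's layout.
SUMMARY = """\
Authentication Configuration Summary
-------------------------------------
Label | Value
-------------------------------------
Secure | false
ActiveDirectory | false
Server | ad.example.com
BaseDn | dc=example,dc=com
Port | 389
AnonymousBind | false
BindDn | CN=test,CN=Users,dc=example,dc=com
Certificate Action | NEVER
Filter for account access | gidNumber=501
PAM login attribute | uid
"""

def parse_summary(text):
    """Map each 'Label | Value' row to a dict; title, rules and header are skipped."""
    settings = {}
    for line in text.splitlines():
        if "|" not in line or line.startswith("Label"):
            continue
        label, value = (part.strip() for part in line.split("|", 1))
        settings[label] = value
    return settings

def audit(settings):
    """Return human-readable findings; an empty list means nothing to object to."""
    findings = []
    secure = settings.get("Secure", "false").lower() == "true"
    if not secure:
        findings.append("Secure=false: bind and user passwords cross the network in clear text")
    # Assumption: 'NEVER' means the LDAPS server certificate is never verified.
    if secure and settings.get("Certificate Action", "").upper() == "NEVER":
        findings.append("Certificate Action=NEVER: LDAPS server certificate is not verified")
    if settings.get("AnonymousBind", "false").lower() == "true":
        findings.append("AnonymousBind=true: directory is queried without an identified account")
    if not settings.get("Filter for account access"):
        findings.append("No pam_filter: every directory account may log in over SSH")
    return findings

def login_filter(settings, username):
    """Approximate the LDAP filter PAM applies to one login: object class + login attribute + pam_filter."""
    object_class = "user" if settings.get("ActiveDirectory", "false").lower() == "true" else "posixAccount"
    terms = f"(objectClass={object_class})({settings.get('PAM login attribute', 'uid')}={username})"
    if settings.get("Filter for account access"):
        terms += f"({settings['Filter for account access']})"
    return f"(&{terms})"
```

Running the resulting filter with ldapsearch against the configured server, using the same bind DN, shows whether the intended accounts (and only those) match before the configuration is applied.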