Bug 761 - LDAPS support for admin|AS-14161|
Review Request #303 — Created June 27, 2024 and submitted — Latest diff uploaded
| Information | |
|---|---|
| Submitter | kdutta |
| Repository | APV10 |
| Branch | rel_apv_10_7 |
| Bugs | 761 |
| Reviewers | prajesh, tanya |
Use the link below for all the information:
http://192.168.100.19/r/285
AN(config)#admin aaa server ldaps ?
clientcert Import PEM client certificate
clientkey Import PEM client key
rootca Import CA certificate used for client authentication
settings Configure external authentication server
skipverify Turn off certificate verification
If the user belongs to the specific group that has administrative access
login as: kdutta@arraylab.in
kdutta@arraylab.in@192.168.162.126's password:
Last login: Thu Jun 20 03:28:55 2024 from 192.168.172.5
ArrayOS Rel.APV.10.7.0.9.2 - untagged unofficial build by uid=0(root) gid=0(root) groups=0(root) on DevAnsuk: on Wed Jun 19 03:44:59 2024
Copyright (c) 2000-2024 Array Networks Inc. All rights reserved.
Type "?" for available commands
!!Reminder!! Please log on to the WebUI to register this system.
xXQDXOJpp.>en
Enable password:
xXQDXOJpp.#
xXQDXOJpp.#c t
xXQDXOJpp.(config)#
If the user does not belong to the specific group that has administrative access
login as: kdutta@arraylab.in
kdutta@arraylab.in@192.168.162.126's password:
Last login: Thu Jun 20 03:28:55 2024 from 192.168.172.5
ArrayOS Rel.APV.10.7.0.9.2 - untagged unofficial build by uid=0(root) gid=0(root) groups=0(root) on DevAnsuk: on Wed Jun 19 03:44:59 2024
Copyright (c) 2000-2024 Array Networks Inc. All rights reserved.
Type "?" for available commands
!!Reminder!! Please log on to the WebUI to register this system.
xXQDXOJpp.>en
Enable password:
xXQDXOJpp.#
xXQDXOJpp.#c t
You are enable user, config mode entrance denied.
Failed to execute "c t"
xXQDXOJpp.#
Logs with certificate verification enabled and an invalid certificate
Thu Jun 27 03:31:20 2024 ldap_uri ldaps://ARRAY-BLR-AD.ARRAYLAB.IN:636
Thu Jun 27 03:31:20 2024 Enable certificate verification
Thu Jun 27 03:31:20 2024 LDAPS login failed: Can't contact LDAP server for user kdutta@arraylab.in.
Logs with certificate verification enabled and a valid certificate
Thu Jun 27 03:04:30 2024 SSH 2: admin aaa on 1, the mapped user [array] found
Thu Jun 27 03:04:35 2024 ldap_uri ldaps://ARRAY-BLR-AD.ARRAYLAB.IN:636
Thu Jun 27 03:04:35 2024 Enable certificate verification
Thu Jun 27 03:04:35 2024 LDAPS login failed: Invalid credentials for user kdutta@arraylab.in.
Thu Jun 27 03:04:44 2024 ldap_uri ldaps://ARRAY-BLR-AD.ARRAYLAB.IN:636
Thu Jun 27 03:04:44 2024 Enable certificate verification
Thu Jun 27 03:04:44 2024 LDAPS bind successful for user kdutta@arraylab.in.
Thu Jun 27 03:04:44 2024 LDAPS search successful for user kdutta@arraylab.in.
Thu Jun 27 03:04:44 2024 LDAPS authorization success for user kdutta@arraylab.in.
Thu Jun 27 03:05:11 2024 SSH 2: admin aaa on 1, the mapped user [array] found
Thu Jun 27 03:05:13 2024 ldap_uri ldaps://ARRAY-BLR-AD.ARRAYLAB.IN:636
Thu Jun 27 03:05:13 2024 Enable certificate verification
Thu Jun 27 03:05:13 2024 LDAPS login failed: Invalid credentials for user array.
Thu Jun 27 03:05:15 2024 ldap_uri ldaps://ARRAY-BLR-AD.ARRAYLAB.IN:636
Thu Jun 27 03:05:15 2024 Enable certificate verification
Thu Jun 27 03:05:15 2024 LDAPS login failed: Invalid credentials for user array.
Thu Jun 27 03:05:48 2024 SSH 2: admin aaa on 1, the mapped user [array] found
Thu Jun 27 03:05:56 2024 ldap_uri ldaps://ARRAY-BLR-AD.ARRAYLAB.IN:636
Thu Jun 27 03:05:56 2024 Enable certificate verification
Thu Jun 27 03:05:56 2024 LDAPS bind successful for user kdutta@arraylab.in.
Thu Jun 27 03:05:56 2024 LDAPS search successful for user kdutta@arraylab.in.
Thu Jun 27 03:05:56 2024 LDAPS authorization failed for user kdutta@arraylab.in.
Thu Jun 27 03:06:31 2024 SSH 2: admin aaa on 1, the mapped user [array] found
Thu Jun 27 03:06:32 2024 ldap_uri ldaps://ARRAY-BLR-AD.ARRAYLAB.IN:636
Thu Jun 27 03:06:32 2024 Enable certificate verification
Thu Jun 27 03:06:32 2024 LDAPS bind successful for user kdutta@arraylab.in.
Thu Jun 27 03:06:32 2024 LDAPS search failed: No such object for user kdutta@arraylab.in.
Thu Jun 27 03:06:51 2024 ldap_uri ldaps://ARRAY-BLR-AD.ARRAYLAB.IN:636
Thu Jun 27 03:06:51 2024 Enable certificate verification
Thu Jun 27 03:06:51 2024 LDAPS bind successful for user kdutta@arraylab.in.
Thu Jun 27 03:06:51 2024 LDAPS search failed: No such object for user kdutta@arraylab.in.
Thu Jun 27 03:07:54 2024 SSH 2: admin aaa on 1, the mapped user [array] found
Thu Jun 27 03:07:55 2024 ldap_uri ldaps://ARRAY-BLR-AD.ARRAYLAB.OUT:636
Thu Jun 27 03:07:55 2024 Enable certificate verification
Thu Jun 27 03:07:55 2024 LDAPS login failed: Can't contact LDAP server for user kdutta@arraylab.in.
Logs with certificate verification disabled
Thu Jun 27 03:34:22 2024 ldap_uri ldaps://ARRAY-BLR-AD.ARRAYLAB.IN:636
Thu Jun 27 03:34:22 2024 Skip certificate verification
Thu Jun 27 03:34:22 2024 LDAPS login successful for user kdutta@arraylab.in.
Thu Jun 27 03:34:22 2024 LDAPS search successful for user kdutta@arraylab.in.
Thu Jun 27 03:34:22 2024 LDAPS authorization success for user kdutta@arraylab.in.
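As an added example (not part of the review or of the ArrayOS code), a small Python triage routine over log lines in the format shown above: it splits records that were pasted run together, maps each outcome to the configuration item worth checking, and reports an admin login that succeeded while certificate verification was skipped as its own finding. It assumes that "authorization failed" is the memberOf group check from the settings line; the sample records are constructed.

```python
import re

# Constructed sample modelled on the ArrayOS log lines above; the third line
# deliberately carries two records run together, as the pasted logs do.
SAMPLE_LOG = """\
Thu Jun 27 03:31:20 2024 Enable certificate verification
Thu Jun 27 03:31:20 2024 LDAPS login failed: Can't contact LDAP server for user kdutta@arraylab.in.
Thu Jun 27 03:04:35 2024 Enable certificate verificationThu Jun 27 03:04:35 2024 LDAPS login failed: Invalid credentials for user kdutta@arraylab.in.
Thu Jun 27 03:05:56 2024 LDAPS authorization failed for user kdutta@arraylab.in.
Thu Jun 27 03:06:32 2024 LDAPS search failed: No such object for user kdutta@arraylab.in.
Thu Jun 27 03:34:22 2024 Skip certificate verification
Thu Jun 27 03:34:22 2024 LDAPS authorization success for user kdutta@arraylab.in.
"""

TS = r"[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}"
# A record runs from one timestamp to the next (or end of input), so fused lines still split.
RECORD_RE = re.compile(rf"({TS}) (.*?)(?={TS}|$)", re.S)
USER_RE = re.compile(r"for user (\S+?)\.?$")
# (message pattern, finding, what to check); first match wins
RULES = [
    (r"Can't contact LDAP server", "tls_or_connect_failure", "verifycert 1: rootca/name mismatch or 636 unreachable"),
    (r"login failed: Invalid credentials", "bind_failure", "bad password or bind DN; watch for bursts"),
    (r"search failed: No such object", "search_failure", "base DN in 'settings' does not exist"),
    (r"authorization failed", "group_denied", "bind and search passed, memberOf group check did not"),
    (r"authorization success", "admin_login_ok", "full admin authentication"),
]

def parse_records(text):
    """Return (timestamp, message) pairs, one per LDAPS log record."""
    return [(m.group(1), m.group(2).strip()) for m in RECORD_RE.finditer(text)]

def triage(text):
    """Classify records; a success logged after 'Skip certificate verification' is its own finding."""
    findings, verify_on = [], None  # None until the log says which mode applied
    for ts, msg in parse_records(text):
        if msg.startswith("Enable certificate verification"):
            verify_on = True
            continue
        if msg.startswith("Skip certificate verification"):
            verify_on = False
            continue
        for pattern, kind, hint in RULES:
            if re.search(pattern, msg):
                if kind == "admin_login_ok" and verify_on is False:
                    kind, hint = "admin_login_unverified_tls", "verifycert 0: server identity never checked"
                user = USER_RE.search(msg)
                findings.append({"ts": ts, "kind": kind, "hint": hint,
                                 "user": user.group(1) if user else None})
                break
    return findings
```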
Configuration CLI
xXQDXOJpp.(config)#show admin aaa all
admin aaa on 1
admin aaa authorize on
admin aaa method LDAPS
admin aaa server ldaps settings es04 "ARRAY-BLR-AD.ARRAYLAB.IN" 636 "OU=Development,DC=ARRAYLAB,DC=IN" "CN=Engineering,OU=Development,DC=ARRAYLAB,DC=IN"
admin aaa server ldaps verifycert 1
----- Client Certificate -----
[PEM certificate body omitted]
----- Root CA -----
[PEM certificate body omitted]
xXQDXOJpp.(config)
xXQDXOJpp.#show admin aaa all
admin aaa on 1
admin aaa authorize on
admin aaa method LDAPS
admin aaa server ldaps settings es04 "ARRAY-BLR-AD.ARRAYLAB.IN" 636 "OU=Development,DC=ARRAYLAB,DC=IN" "CN=Engineering,OU=Development,DC=ARRAYLAB,DC=IN"
admin aaa server ldaps verifycert 0
xXQDXOJpp.#c t
xXQDXOJpp.(config)#clear ad
xXQDXOJpp.(config)#clear admin aaa all
xXQDXOJpp.(config)#sh adm
xXQDXOJpp.(config)#show admin aaa all
admin aaa off
admin aaa authorize off
admin aaa method RADIUS
xXQDXOJpp.(config)#admin aaa authorize on
xXQDXOJpp.(config)#admin aaa method ?
method name(RADIUS or TAC_X or LDAP or LDAPS , default is RADIUS)
xXQDXOJpp.(config)#admin aaa method LDAPS
xXQDXOJpp.(config)#admin aaa server ldaps ?
clientcert Import PEM client certificate
clientkey Import PEM client key
rootca Import CA certificate used for client authentication
settings Configure external authentication server settings
verifycert Enable/Disable certificate verification
xXQDXOJpp.(config)#admin aaa server ldaps settings ?
id, es04(request will be sent to server es04)
xXQDXOJpp.(config)#admin aaa server ldaps settings es04 ?
Host name or ip address
xXQDXOJpp.(config)#admin aaa server ldaps settings es04 "ARRAY-BLR-AD.ARRAYLA$
Port
xXQDXOJpp.(config)#admin aaa server ldaps settings es04 "ARRAY-BLR-AD.ARRAYLA$
dn (Ex. OU=Eng,dc=example,dc=in)
xXQDXOJpp.(config)#admin aaa server ldaps settings es04 "ARRAY-BLR-AD.ARRAYLA$
memberOf (Ex. CN=Engineering,DC=example,DC=in)
xXQDXOJpp.(config)#admin aaa server ldaps settings es04 "ARRAY-BLR-AD.ARRAYLA$
xXQDXOJpp.(config)#admin aaa server ldaps ?
clientcert Import PEM client certificate
clientkey Import PEM client key
rootca Import CA certificate used for client authentication
settings Configure external authentication server settings
verifycert Enable/Disable certificate verification
xXQDXOJpp.(config)#admin aaa server ldaps ver
xXQDXOJpp.(config)#admin aaa server ldaps verifycert ?
Set 1 to enable certificate verification. (Default = 0)
xXQDXOJpp.(config)#admin aaa server ldaps verifycert 1
xXQDXOJpp.(config)#adm
xXQDXOJpp.(config)#admin aa
xXQDXOJpp.(config)#admin aaa server ldaps clientcert ?
FTP, TFTP or HTTP URL
xXQDXOJpp.(config)#admin aaa server ldaps clientcert http://192.168.162.155/cl$
PEM format.
Client certificate import successful Specific information
xXQDXOJpp.(config)#admin aaa server ldaps rootc http://192.168.162.155/client_$
PEM format.
Rootca certificate import successful Specific information
xXQDXOJpp.(config)#
Wrong format indication (Only PEM support)
xXQDXOJpp.(config)#admin aaa server ldaps rootc http://192.168.162.155/ad_new.$
PKCS #12 or IIS 5 format
Certificate import failed..try again
wrong format or wrong password
Failed to execute "admin aaa server ldaps rootc http://192.168.162.155/ad_new.pfx"
xXQDXOJpp.(config)#
no CLI
xXQDXOJpp.(config)#no admin aaa server ?
ldap Delete external authentication server
ldaps Delete external authentication server
radiustacacs Delete external authentication server
xXQDXOJpp.(config)#no admin aaa server ldaps ?
clientcert Delete client certificate
clientkey Delete client key
rootca Delete CA certificate used for client authentication
settings Delete ldaps server settings
verifycert Disable certificate verification
xXQDXOJpp.(config)#
