I'm trying to set up LDAP authentication for our MDS 9509s running 5.2(2) without success; I followed the "Sec Version 5" document. When I try to log in and run "debug ldap all" (on another session) to capture what is happening, I get success for most of the steps except for "ldap_pss_move2key", with the error "no such pss key". I did set up a private key before the step "aaa authorization ssh-publickey default group", as the documentation didn't mention creating one, but surely it won't work without a public key.

Another thing: how does the role mapping work? Does everybody who logs in get default rights?


I saw your thread and I too am looking to setup LDAP authentication for some MDS 9509 directors.

I did get LDAP authentication to work without having to set "aaa authorization ssh-publickey default group".

I applied (sAMAccountName=cn) as a filter to our user baseDN for the cn attribute as a userprofile filter.  That seemed to be the trick for getting LDAP authentication to work.

I used a bind DN/password with non-ssl (port 389) and specified the password as plain text (non-encrypted).

When I log in via LDAP, I only have limited access due to the default role. I have been looking for a way to specify the roles a user is assigned in LDAP, but I don't understand how to set this up.

Once I get the roles assigned, I plan to change to SSL... but without figuring out how to assign users to a role, there's no point in adding that complexity yet.

I gave up on LDAP and went for Radius instead and had fun with that, I had to open a call with Cisco around password changing (see my other thread).

Good luck with the LDAP authentication, let us know how it goes?

I tested in my lab and am trying to get SSL working for LDAP. I was able to pass the role back as part of the login process. In my example, I used the LDAP field called 'department', and in that field on the AD server for the authenticating account, I put the text in as 'network-admin' (minus the quotes).

This is my search map config.

ldap search-map s0

  userprofile attribute-name "department" search-filter "(&(objectclass=person)(cn=$userid))" base-DN "cn=users,dc=tsi-mike,dc=cisco,dc=com"

You can use any text field in the user profile to key in the roles attribute and then use that field name in the search map.

Hope this helps,
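Added illustration, not code from this thread or from Cisco: the script below simulates what the search-map above does during a login, so the role-mapping behaviour the two posters describe can be seen end to end. It substitutes the login name into the search filter, evaluates the filter against a constructed in-memory stand-in for the AD user base-DN, and reads the named attribute ('department') as the role, falling back to a default role when the attribute is absent. The directory entries, the DEFAULT_ROLE value and the escaping of the substituted $userid are assumptions of this example (the thread does not say how NX-OS treats filter metacharacters in the login name); the filter template, attribute name and base-DN are the ones from the post.

```python
"""Simulated NX-OS 'ldap search-map' userprofile lookup (added example, not Cisco code)."""

# Constructed stand-in for the switch's default role when the attribute is empty.
DEFAULT_ROLE = "network-operator"

# Values copied from the search-map in the post above.
SEARCH_MAP = {
    "attribute_name": "department",
    "search_filter": "(&(objectclass=person)(cn=$userid))",
    "base_dn": "cn=users,dc=tsi-mike,dc=cisco,dc=com",
}

# Constructed directory entries standing in for the AD user container.
DIRECTORY = [
    {"dn": "cn=mike," + SEARCH_MAP["base_dn"], "objectclass": ["top", "person", "user"],
     "cn": ["mike"], "department": ["network-admin"]},
    {"dn": "cn=ops1," + SEARCH_MAP["base_dn"], "objectclass": ["top", "person", "user"],
     "cn": ["ops1"]},                                   # no 'department' -> default role
    {"dn": "cn=svc," + SEARCH_MAP["base_dn"], "objectclass": ["top", "group"],
     "cn": ["svc"]},                                    # not a person -> filter rejects it
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for the user-supplied value substituted into the filter (assumption:
    the example escapes it so a login name cannot rewrite the filter's structure)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_filter(template: str, userid: str) -> str:
    """Replace $userid in the search-map template with the escaped login name."""
    return template.replace("$userid", escape_filter_value(userid))


def _unescape(value: str) -> str:
    """Turn \\xx hex escapes produced by escape_filter_value back into characters."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value) + 1:
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_filter(s: str):
    """Parse the subset of RFC 4515 the search-map uses: (&(...)(...)) and (attr=value)."""
    node, pos = _parse_at(s, 0)
    if pos != len(s):
        raise ValueError("trailing characters in filter")
    return node


def _parse_at(s: str, i: int):
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] == "&":                       # conjunction: one or more nested filters
        i += 1
        children = []
        while s[i] == "(":
            child, i = _parse_at(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("unterminated '&' filter")
        return ("and", children), i + 1
    end = s.index(")", i)                 # escaped ')' appears as \29, so this is safe
    attr, _, value = s[i:end].partition("=")
    return ("eq", attr.lower(), _unescape(value)), end + 1


def matches(entry: dict, node) -> bool:
    """Evaluate a parsed filter against one entry (attribute values compared case-insensitively)."""
    if node[0] == "and":
        return all(matches(entry, child) for child in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def resolve_role(userid: str, search_map=SEARCH_MAP, directory=DIRECTORY):
    """Return the role the switch would assign: the attribute value on the unique matching
    entry, DEFAULT_ROLE if the attribute is missing, None if no single entry matches."""
    node = parse_filter(build_filter(search_map["search_filter"], userid))
    hits = [e for e in directory if matches(e, node)]
    if len(hits) != 1:
        return None
    values = hits[0].get(search_map["attribute_name"], [])
    return values[0] if values else DEFAULT_ROLE


if __name__ == "__main__":
    for name in ("mike", "ops1", "svc", "*"):
        print("%-5s -> %s" % (name, resolve_role(name)))
```

The two outcomes the posters describe both appear: the account with 'network-admin' in 'department' gets that role, while an account with no value in the mapped attribute gets only the default role. The last case shows why the substituted value is escaped in this example: a login name of '*' matches nothing instead of every person in the base-DN.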


