LDAP Servers in SPS

I am attempting to configure the LDAP Servers in SPS to create a new "content policy" that I want to apply to an Active Directory group. If a user is in the group, they cannot type a specific command, and if a user is not in the group, they can type that command. I configured these sections, but it doesn't work: Policies --> LDAP Servers, Policies --> Content policy, SSH Control --> Connections and SSH Control --> Channel policy.

If there is a possibility to attach some pictures, I can show all the configurations.

Thank you very much.

  • Hello Dario,

    Can you check the following and see if this works?

    1. Policies > Content Policies > Select Commands radio button
    - Take action if the event contains any of the following strings or expressions: Add the command here

    - Apply this policy only to members of these gateway groups: Add the AD group here

    - Enable the check box: Log + Terminate Connection + any other actions as required

    2. SSH Control > Channel Policies > expand the channel policy > Under Type where Session Shell is selected > Content Policy: Select the content policy created in 1 here

    3. SSH Control > Authentication policies > Create a new LDAP Gateway Authentication policy:
    - Gateway authentication method: Password > Authentication backend: LDAP
    - Relayed authentication methods: can be any of the boxes you need here

    4. SSH Control > Connections > Expand the connection that will be used:

    Select all the policies created above:
    - SSH Setting: can be default for example
    - Authentication policy
    - Channel Policy that has the content policy associated
    - Usermapping policy > in case gateway and remote users are different (for example AD user on Gateway and remote being a local account on target machine)
    - LDAP Server policy

    5. Test again and let us know if any issues?

    Thanks!

  • Hi Tawfiq, first of all thank you so so so much. I followed it step by step and everything was done. I only added the authentication policy (creating a new LDAP gateway policy) and set it in SSH --> Connection policies under Authentication policy. Now, when I request a session for an asset, the window that appears asks me for the gateway username and gateway password, but I want to access automatically with the user and password or SSH key as I set in the entitlements (it depends on the entitlements set for the specific asset). I think the point is the authentication policy I created. I set:

    - Gateway authentication method : password

    - authentication backend: LDAP

    - relayed authentication methods: password

    If I could send you all the screenshots, maybe the configuration would be perfectly clear.

    (Here I think it is not possible to attach any picture or other files.)

    Kind regards

  • Adding: if I try to enter the username and password, it displays a pop-up that says: "Remote side sent disconnect message type 11 (by application): "Gateway authorization failed"

  • I looked at the syslog file (from yesterday's test) and maybe it could help us:

    Line 30610: 2021-03-05T11:29:15+01:00 pam-sps01-prod.eolo.it ldapservice[18094] [ERROR] (Thread-141) Exception <class 'ldapservice.ldap_operator.LdapOperatorError'> occured in 'LdapOperator.get_groups_by_prefix': get_groups_by_prefix failed; filter='(&(&(objectClass=group)(objectCategory=group))(cn=ONID_CVOCE_nopriv-cmd*))', error='{'desc': 'No such object', 'msg_id': 2, 'matched': 'DC=ngi,DC=hq', 'info': "0000208D: NameErr: DSID-03100288, problem 2001 (NO_OBJECT), data 0, best match of:\n\t'DC=ngi,DC=hq'\n"}'
    Line 30611: 2021-03-05T11:29:15+01:00 pam-sps01-prod.eolo.it scb/web: ERROR (admin@10.40.241.91) Query error; get_groups_by_prefix failed; filter='(&(&(objectClass=group)(objectCategory=group))(cn=ONID_CVOCE_nopriv-cmd*))', error='{'desc': 'No such object', 'msg_id': 2, 'matched': 'DC=ngi,DC=hq', 'info': "0000208D: NameErr: DSID-03100288, problem 2001 (NO_OBJECT), data 0, best match of:\n\t'DC=ngi,DC=hq'\n"}'
    Line 30613: 2021-03-05T11:29:19+01:00 pam-sps01-prod.eolo.it ldapservice[18094] [ERROR] (Thread-142) Exception <class 'ldapservice.ldap_operator.LdapOperatorError'> occured in 'LdapOperator.get_groups_by_prefix': get_groups_by_prefix failed; filter='(&(&(objectClass=group)(objectCategory=group))(cn=ONID_CVOCE_nopriv-cmd*))', error='{'desc': 'No such object', 'msg_id': 3, 'matched': 'DC=ngi,DC=hq', 'info': "0000208D: NameErr: DSID-03100288, problem 2001 (NO_OBJECT), data 0, best match of:\n\t'DC=ngi,DC=hq'\n"}'
    Line 30614: 2021-03-05T11:29:19+01:00 pam-sps01-prod.eolo.it scb/web: ERROR (admin@10.40.241.91) Query error; get_groups_by_prefix failed; filter='(&(&(objectClass=group)(objectCategory=group))(cn=ONID_CVOCE_nopriv-cmd*))', error='{'desc': 'No such object', 'msg_id': 3, 'matched': 'DC=ngi,DC=hq', 'info': "0000208D: NameErr: DSID-03100288, problem 2001 (NO_OBJECT), data 0, best match of:\n\t'DC=ngi,DC=hq'\n
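As an added illustration (not part of the thread), the following script parses the two ldapservice/scb errors quoted above and decodes them: in LDAP, a search returns "No such object" (NO_OBJECT, result code 32) only when the search *base* itself does not exist, and the `matched` DN is the longest prefix of that base which the directory could find. So the error points at the base DN configured in the SPS LDAP Server policy, not at the group name. The sample syslog text is constructed from the lines above plus one unrelated line; the function and field names are my own.

```python
import ast
import re

# Constructed sample: two of the syslog lines quoted in the thread, plus one unrelated
# (constructed) line to show that the parser ignores entries that are not group lookups.
SAMPLE_SYSLOG = r"""2021-03-05T11:29:15+01:00 pam-sps01-prod.eolo.it ldapservice[18094] [ERROR] (Thread-141) Exception <class 'ldapservice.ldap_operator.LdapOperatorError'> occured in 'LdapOperator.get_groups_by_prefix': get_groups_by_prefix failed; filter='(&(&(objectClass=group)(objectCategory=group))(cn=ONID_CVOCE_nopriv-cmd*))', error='{'desc': 'No such object', 'msg_id': 2, 'matched': 'DC=ngi,DC=hq', 'info': "0000208D: NameErr: DSID-03100288, problem 2001 (NO_OBJECT), data 0, best match of:\n\t'DC=ngi,DC=hq'\n"}'
2021-03-05T11:29:15+01:00 pam-sps01-prod.eolo.it scb/web: ERROR (admin@10.40.241.91) Query error; get_groups_by_prefix failed; filter='(&(&(objectClass=group)(objectCategory=group))(cn=ONID_CVOCE_nopriv-cmd*))', error='{'desc': 'No such object', 'msg_id': 2, 'matched': 'DC=ngi,DC=hq', 'info': "0000208D: NameErr: DSID-03100288, problem 2001 (NO_OBJECT), data 0, best match of:\n\t'DC=ngi,DC=hq'\n"}'
2021-03-05T11:29:20+01:00 pam-sps01-prod.eolo.it sshd[1234]: Accepted publickey for admin (constructed, unrelated line)
"""

# The failed lookup is logged as: filter='<ldap filter>', error='<python dict repr>'
FAILED_QUERY = re.compile(
    r"get_groups_by_prefix failed; filter='(?P<filter>[^']+)', error='(?P<error>\{.*\})'\s*$"
)
CN_PREFIX = re.compile(r"\(cn=([^)*]+)\*\)")


def parse_failed_group_queries(syslog_text):
    """Return one dict per failed SPS group lookup, with the LDAP error decoded."""
    findings = []
    for line in syslog_text.splitlines():
        m = FAILED_QUERY.search(line)
        if not m:
            continue
        # The error is a Python dict repr; literal_eval parses it without executing code.
        err = ast.literal_eval(m.group("error"))
        prefix = CN_PREFIX.search(m.group("filter"))
        findings.append({
            "timestamp": line.split(" ", 1)[0],
            "group_prefix": prefix.group(1) if prefix else None,
            "desc": err.get("desc"),
            "matched_dn": err.get("matched"),
            "info": err.get("info", ""),
        })
    return findings


def diagnose(finding):
    """Turn a decoded error into the configuration check an SPS admin should make."""
    if finding["desc"] == "No such object" or "NO_OBJECT" in finding["info"]:
        # noSuchObject on a search means the base DN does not exist; a base that exists
        # but contains no matching group would return success with zero entries instead.
        return (
            "The base DN in the LDAP Server policy does not exist. The directory's best "
            f"match is '{finding['matched_dn']}', so the part of the configured base below "
            f"that DN is wrong; fix the base DN (the group prefix '{finding['group_prefix']}' "
            "must live under it) rather than the group name or the filter."
        )
    return f"Unhandled LDAP error: {finding['desc']}"


if __name__ == "__main__":
    for f in parse_failed_group_queries(SAMPLE_SYSLOG):
        print(f["timestamp"], "-", diagnose(f))
```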

  • Hi Dario,

    Since this issue needs a bit more troubleshooting, I would recommend opening a service request and providing as many details as possible about the use case / workflow you need to accomplish (SPP initiated or SPS initiated); you can add screenshots of the current configuration in SPP and SPS for this connection to the case. It would also be good to upload support bundles from both SPP and SPS to the case.

    Thanks!

  • You are right, OK, thank you. Have a great evening.