LDAP Servers in SPS

I am attempting to configure the LDAP Servers in SPS to create a new "content policy" that I want to apply to an Active Directory group. If a user is in the group, they cannot type a specific command, and if a user is not in the group, they can type that command. I configured these sections but it doesn't work: Policies --> LDAP Servers, Policies --> Content Policy, SSH Control --> Connections and SSH Control --> Channel Policy.

If there is a possibility to attach some pictures, I can show all the configurations.

thank you very much.

  • Hello Dario,

    Can you check the following and see if this works?

    1. Policies > Content Policies > Select Commands radio button
    - Take action if the event contains any of the following strings or expressions: Add the command here

    - Apply this policy only to members of these gateway groups: Add the AD group here

    - Enable the check box: Log + Terminate Connection + any other actions as required

    2. SSH Control > Channel Policies > expand the channel policy > Under Type where Session Shell is selected > Content Policy: Select the content policy created in 1 here

    3. SSH Control > Authentication policies > Create a new LDAP Gateway Authentication policy:
    - Gateway authentication method: Password > Authentication backend: LDAP
    - Relayed authentication methods: can be any of the boxes you need here

    4. SSH Control > Connections > Expand the connection that will be used:

    Select all the policies created above:
    - SSH Setting: can be default for example
    - Authentication policy
    - Channel Policy that has the content policy associated
    - Usermapping policy > in case gateway and remote users are different (for example AD user on Gateway and remote being a local account on target machine)
    - LDAP Server policy

    5. Test again and let us know if there are any issues.

    Thanks!

  • I saw the syslog file (about the test of yesterday) and maybe it could help us:

    Line 30610: 2021-03-05T11:29:15+01:00 pam-sps01-prod.eolo.it ldapservice[18094] [ERROR] (Thread-141) Exception <class 'ldapservice.ldap_operator.LdapOperatorError'> occured in 'LdapOperator.get_groups_by_prefix': get_groups_by_prefix failed; filter='(&(&(objectClass=group)(objectCategory=group))(cn=ONID_CVOCE_nopriv-cmd*))', error='{'desc': 'No such object', 'msg_id': 2, 'matched': 'DC=ngi,DC=hq', 'info': "0000208D: NameErr: DSID-03100288, problem 2001 (NO_OBJECT), data 0, best match of:\n\t'DC=ngi,DC=hq'\n"}'
    Line 30611: 2021-03-05T11:29:15+01:00 pam-sps01-prod.eolo.it scb/web: ERROR (admin@10.40.241.91) Query error; get_groups_by_prefix failed; filter='(&(&(objectClass=group)(objectCategory=group))(cn=ONID_CVOCE_nopriv-cmd*))', error='{'desc': 'No such object', 'msg_id': 2, 'matched': 'DC=ngi,DC=hq', 'info': "0000208D: NameErr: DSID-03100288, problem 2001 (NO_OBJECT), data 0, best match of:\n\t'DC=ngi,DC=hq'\n"}'
    Line 30613: 2021-03-05T11:29:19+01:00 pam-sps01-prod.eolo.it ldapservice[18094] [ERROR] (Thread-142) Exception <class 'ldapservice.ldap_operator.LdapOperatorError'> occured in 'LdapOperator.get_groups_by_prefix': get_groups_by_prefix failed; filter='(&(&(objectClass=group)(objectCategory=group))(cn=ONID_CVOCE_nopriv-cmd*))', error='{'desc': 'No such object', 'msg_id': 3, 'matched': 'DC=ngi,DC=hq', 'info': "0000208D: NameErr: DSID-03100288, problem 2001 (NO_OBJECT), data 0, best match of:\n\t'DC=ngi,DC=hq'\n"}'
    Line 30614: 2021-03-05T11:29:19+01:00 pam-sps01-prod.eolo.it scb/web: ERROR (admin@10.40.241.91) Query error; get_groups_by_prefix failed; filter='(&(&(objectClass=group)(objectCategory=group))(cn=ONID_CVOCE_nopriv-cmd*))', error='{'desc': 'No such object', 'msg_id': 3, 'matched': 'DC=ngi,DC=hq', 'info': "0000208D: NameErr: DSID-03100288, problem 2001 (NO_OBJECT), data 0, best match of:\n\t'DC=ngi,DC=hq'\n
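The four syslog lines above are two occurrences of one failure, each logged once by `ldapservice` and once by `scb/web`: the group lookup SPS runs for the gateway group named in the content policy (`cn=ONID_CVOCE_nopriv-cmd*`) came back with LDAP result "No such object" (AD error 0000208D, NO_OBJECT). The `matched` field is the server's matchedDN, the deepest part of the configured search base that actually exists, so the Base DN in the LDAP Server policy points at a container the directory does not have (or that the bind account cannot see), and the group is never found. The Python below is an added illustration, not SPS code and not from anyone in this thread; it assumes only the line layout visible in the excerpt, parses the lines into their fields and turns the `desc`/`matched` pair into the check to make. The sample input is the posted lines 30610, 30611 and the cut-off 30614, plus one constructed unrelated line.

```python
"""Parse the 'get_groups_by_prefix failed' lines SPS writes to syslog and
explain the LDAP result they carry.

Added illustration for this thread; it is not SPS code and only assumes the
line layout visible in the posted log excerpt.
"""
import ast
import re
from typing import List, Optional, Tuple

# Tail shared by the ldapservice[...] and scb/web variants of the error line:
# the LDAP filter SPS sent, then the python-dict repr of the server's error.
_ERR_RE = re.compile(
    r"get_groups_by_prefix failed; filter='(?P<filter>[^']*)', "
    r"error='(?P<error>\{.*\})'\s*$"
)
# The (cn=<prefix>*) clause SPS builds from the group name typed in the policy.
_CN_RE = re.compile(r"\(cn=(?P<prefix>[^)]*)\*\)")


def parse_group_lookup_error(line: str) -> Optional[dict]:
    """Return the filter, cn prefix and server error fields of one log line,
    or None when the line is not a complete group-lookup error (the last line
    of the excerpt is cut off and therefore yields None)."""
    m = _ERR_RE.search(line)
    if not m:
        return None
    try:
        err = ast.literal_eval(m.group("error"))  # literals only, never exec
    except (ValueError, SyntaxError):
        return None
    if not isinstance(err, dict):
        return None
    cn = _CN_RE.search(m.group("filter"))
    return {
        "filter": m.group("filter"),
        "cn_prefix": cn.group("prefix") if cn else None,
        "desc": err.get("desc"),
        "matched": err.get("matched"),
        "info": err.get("info", ""),
    }


def diagnose(parsed: dict) -> str:
    """Turn the parsed fields into the check an operator should make."""
    if parsed["desc"] == "No such object":
        # LDAP noSuchObject (RFC 4511 result code 32): the search base does not
        # exist or is not visible to the bind account.  'matched' is the
        # server's matchedDN, the deepest part of the base DN that does exist.
        return (
            f"group lookup for cn={parsed['cn_prefix']}* failed with noSuchObject; "
            f"the Base DN in the LDAP Server policy does not resolve, the nearest "
            f"existing entry is '{parsed['matched']}'. Check the Base DN against "
            f"the real location of the group in the directory."
        )
    return f"group lookup for cn={parsed['cn_prefix']}* failed: {parsed['desc']}"


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """(index, diagnosis) for every line that is a complete group-lookup error."""
    out = []
    for i, line in enumerate(lines):
        parsed = parse_group_lookup_error(line)
        if parsed:
            out.append((i, diagnose(parsed)))
    return out


# Sample input: lines 30610, 30611 and the truncated 30614 from the excerpt
# above, plus one constructed unrelated line to show that it is ignored.
SAMPLE_LINES = [
    r"""2021-03-05T11:29:15+01:00 pam-sps01-prod.eolo.it ldapservice[18094] [ERROR] (Thread-141) Exception <class 'ldapservice.ldap_operator.LdapOperatorError'> occured in 'LdapOperator.get_groups_by_prefix': get_groups_by_prefix failed; filter='(&(&(objectClass=group)(objectCategory=group))(cn=ONID_CVOCE_nopriv-cmd*))', error='{'desc': 'No such object', 'msg_id': 2, 'matched': 'DC=ngi,DC=hq', 'info': "0000208D: NameErr: DSID-03100288, problem 2001 (NO_OBJECT), data 0, best match of:\n\t'DC=ngi,DC=hq'\n"}'""",
    r"""2021-03-05T11:29:15+01:00 pam-sps01-prod.eolo.it scb/web: ERROR (admin@10.40.241.91) Query error; get_groups_by_prefix failed; filter='(&(&(objectClass=group)(objectCategory=group))(cn=ONID_CVOCE_nopriv-cmd*))', error='{'desc': 'No such object', 'msg_id': 2, 'matched': 'DC=ngi,DC=hq', 'info': "0000208D: NameErr: DSID-03100288, problem 2001 (NO_OBJECT), data 0, best match of:\n\t'DC=ngi,DC=hq'\n"}'""",
    r"""2021-03-05T11:29:19+01:00 pam-sps01-prod.eolo.it scb/web: ERROR (admin@10.40.241.91) Query error; get_groups_by_prefix failed; filter='(&(&(objectClass=group)(objectCategory=group))(cn=ONID_CVOCE_nopriv-cmd*))', error='{'desc': 'No such object', 'msg_id': 3, 'matched': 'DC=ngi,DC=hq', 'info': "0000208D: NameErr: DSID-03100288, problem 2001 (NO_OBJECT), data 0, best match of:\n\t'DC=ngi,DC=hq'\n""",
    # constructed, not from the thread
    r"""2021-03-05T11:29:20+01:00 pam-sps01-prod.eolo.it scb/web: INFO (admin@10.40.241.91) constructed sample line with no LDAP error""",
]

if __name__ == "__main__":
    for idx, msg in scan(SAMPLE_LINES):
        print(f"line {idx}: {msg}")
```

Running it reports the first two lines and skips the truncated and the unrelated one. The `ast.literal_eval` call is deliberate: the error payload is a Python repr, and literal evaluation parses it without executing anything, which matters when the input is a log file an operator did not write.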
