Unsolved
May 28th, 2026 09:01
OS10.6.1.1.67 LDAP authentication for a specific group
Hello,
First of all thank you for reading this post and your help.
I would like to let only specific group members be able to get privilege 15 on my switches using LDAP authentication.
The log on my syslog shows that a groupName is retrieved based on MemberOf : admins.
May 28 09:12:42 switchname sshd[1009543] Node.1-Unit.1:PRI [audit], Dell (OS10) pam_dn_ldap: update_groupName() - GroupName retrieved based on Memberof : admins
And it is then mapped to userrole netoperator:
May 28 09:12:42 switchname sshd[1009543] Node.1-Unit.1:PRI [audit], Dell (OS10) pam_dn_ldap: pam_sm_authenticate() - pw_gid=994, gid=994, gr_name=netoperator
May 28 09:12:42 switchname sshd[1009543] Node.1-Unit.1:PRI [audit], Dell (OS10) pam_dn_ldap: pam_sm_authenticate() - Role receiveid from the Server : admins
May 28 09:12:42 switchname sshd[1009543] Node.1-Unit.1:PRI [audit], Dell (OS10) pam_dn_ldap: pam_ldap_map_user_role_to_system_role() - Mapped user role "admins" to default system role "netoperator"
May 28 09:12:42 switchname sshd[1009543] Node.1-Unit.1:PRI [audit], Dell (OS10) pam_dn_ldap: pam_sm_authenticate() - Updated Role after mapping to system_role : netoperator
May 28 09:12:42 switchname sshd[1009543] Node.1-Unit.1:PRI [audit], Dell (OS10) pam_dn_ldap: pam_sm_authenticate() - PAM LDAP accept user m1gast with role "netoperator"
May 28 09:12:42 switchname sshd[1009543] Node.1-Unit.1:PRI [audit], Dell (OS10) pam_dn_ldap: pam_sm_authenticate() - post_check done, return succcess
If I use "userrole admins inherit sysadmin" I would get the right privilege level 15, but I don't want to use the LDAP group admins; I would like to use the group sudoers_ca, which is also in the LDAP user entry.
Both groups are seen by pam_dn_ldap as shown in the following logs:
May 28 09:12:42 switchname sshd[1009543] Node.1-Unit.1:PRI [audit], Dell (OS10) pam_dn_ldap: update_attributes_from_entry() - Attribute & Value Pair : memberOf: cn=admins,cn=groups,cn=accounts,dc=de,dc=bw
May 28 09:12:42 switchname sshd[1009543] Node.1-Unit.1:PRI [audit], Dell (OS10) pam_dn_ldap: update_attributes_from_entry() - Attribute & Value Pair : memberOf: cn=sudoers_ca,cn=groups,cn=accounts,dc=de,dc=bw
My guess is that admins is chosen because it comes first. Can I somehow dictate which group should be used from the LDAP user entry, so that I can use the command "userrole sudoers_ca inherit sysadmin"?
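Whichever way the group selection turns out to be configurable, it is worth being able to verify from the audit trail that privilege 15 is only ever granted to members of the intended group. The script below is an added example, not part of the original post and not Dell's code: it parses pam_dn_ldap audit lines of the shape shown above, groups them per SSH session (the `sshd[PID]` field), records every `memberOf` CN the switch saw, the group `update_groupName()` picked, and the final accepted role, and then flags sessions that ended with the `sysadmin` role even though the user is not in `sudoers_ca`. The log lines for the user `m1gast` are taken from the post; the sessions for `ops2` and `ops3` are constructed to show the hit and non-hit cases, and the role name `sysadmin` and the required group `sudoers_ca` are simply the values from the post passed in as parameters.

```python
import re
from collections import defaultdict

# Constructed sample log. The first session reproduces the lines from the post;
# the two following sessions (users ops2 and ops3, PIDs 1009600/1009700) are
# made up to exercise the check.
SAMPLE_LOG = """\
May 28 09:12:42 switchname sshd[1009543] Node.1-Unit.1:PRI [audit], Dell (OS10) pam_dn_ldap: update_attributes_from_entry() - Attribute & Value Pair : memberOf: cn=admins,cn=groups,cn=accounts,dc=de,dc=bw
May 28 09:12:42 switchname sshd[1009543] Node.1-Unit.1:PRI [audit], Dell (OS10) pam_dn_ldap: update_attributes_from_entry() - Attribute & Value Pair : memberOf: cn=sudoers_ca,cn=groups,cn=accounts,dc=de,dc=bw
May 28 09:12:42 switchname sshd[1009543] Node.1-Unit.1:PRI [audit], Dell (OS10) pam_dn_ldap: update_groupName() - GroupName retrieved based on Memberof : admins
May 28 09:12:42 switchname sshd[1009543] Node.1-Unit.1:PRI [audit], Dell (OS10) pam_dn_ldap: pam_ldap_map_user_role_to_system_role() - Mapped user role "admins" to default system role "netoperator"
May 28 09:12:42 switchname sshd[1009543] Node.1-Unit.1:PRI [audit], Dell (OS10) pam_dn_ldap: pam_sm_authenticate() - PAM LDAP accept user m1gast with role "netoperator"
May 28 09:20:01 switchname sshd[1009600] Node.1-Unit.1:PRI [audit], Dell (OS10) pam_dn_ldap: update_attributes_from_entry() - Attribute & Value Pair : memberOf: cn=admins,cn=groups,cn=accounts,dc=de,dc=bw
May 28 09:20:01 switchname sshd[1009600] Node.1-Unit.1:PRI [audit], Dell (OS10) pam_dn_ldap: update_groupName() - GroupName retrieved based on Memberof : admins
May 28 09:20:01 switchname sshd[1009600] Node.1-Unit.1:PRI [audit], Dell (OS10) pam_dn_ldap: pam_sm_authenticate() - PAM LDAP accept user ops2 with role "sysadmin"
May 28 09:25:13 switchname sshd[1009700] Node.1-Unit.1:PRI [audit], Dell (OS10) pam_dn_ldap: update_attributes_from_entry() - Attribute & Value Pair : memberOf: cn=sudoers_ca,cn=groups,cn=accounts,dc=de,dc=bw
May 28 09:25:13 switchname sshd[1009700] Node.1-Unit.1:PRI [audit], Dell (OS10) pam_dn_ldap: update_groupName() - GroupName retrieved based on Memberof : sudoers_ca
May 28 09:25:13 switchname sshd[1009700] Node.1-Unit.1:PRI [audit], Dell (OS10) pam_dn_ldap: pam_sm_authenticate() - PAM LDAP accept user ops3 with role "sysadmin"
"""

# Patterns derived from the line shapes in the post.
PID_RE = re.compile(r"sshd\[(\d+)\]")
MEMBEROF_RE = re.compile(r"memberOf: cn=([^,]+)")
SELECTED_RE = re.compile(r"GroupName retrieved based on Memberof : (\S+)")
ACCEPT_RE = re.compile(r'PAM LDAP accept user (\S+) with role "([^"]+)"')


def parse_sessions(log_text):
    """Group pam_dn_ldap audit lines by sshd PID.

    Returns {pid: {"groups": [cn, ...] in the order the switch logged them,
                   "selected": cn chosen by update_groupName() or None,
                   "user": accepted user name or None,
                   "role": final system role or None}}.
    """
    sessions = defaultdict(lambda: {"groups": [], "selected": None,
                                    "user": None, "role": None})
    for line in log_text.splitlines():
        pid_match = PID_RE.search(line)
        if not pid_match or "pam_dn_ldap" not in line:
            continue  # not an LDAP PAM audit line, skip it
        sess = sessions[pid_match.group(1)]
        if m := MEMBEROF_RE.search(line):
            sess["groups"].append(m.group(1))
        elif m := SELECTED_RE.search(line):
            sess["selected"] = m.group(1)
        elif m := ACCEPT_RE.search(line):
            sess["user"], sess["role"] = m.group(1), m.group(2)
    return dict(sessions)


def find_unexpected_privilege(sessions, privileged_role="sysadmin",
                              required_group="sudoers_ca"):
    """Return (user, selected_group) for every session that was accepted with
    the privileged role while the user is not a member of required_group."""
    hits = []
    for sess in sessions.values():
        if sess["role"] == privileged_role and required_group not in sess["groups"]:
            hits.append((sess["user"], sess["selected"]))
    return hits


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_LOG)
    for pid, sess in parsed.items():
        print(pid, sess["user"], sess["groups"], "->", sess["selected"], "->", sess["role"])
    for user, group in find_unexpected_privilege(parsed):
        print(f"ALERT: {user} got sysadmin via group {group!r} without sudoers_ca membership")
```

Run against a real syslog export, the script reports only the `ops2`-style case: a session that reached `sysadmin` through a group other than the one you intend to map with `userrole ... inherit sysadmin`. The `groups` list also preserves the order in which the switch logged the `memberOf` values, which is the evidence you would want when checking the "first group wins" guess against more sessions.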