LDAP user needs to be configured in client-authentication
We use LDAP server users to log in to our NETCONF server; as you know, they are authenticated by PAM.
Previously we used libnetconf2 version 2.1.34 and it worked well.
Now we have upgraded libnetconf2 to 3.0.8, and the YANG files have also changed a lot, including ietf-ssh-server.
And we found that the LDAP user must be configured in ietf-netconf-server/ssh-server-parameters/client-authentication/users/user, otherwise the login fails with the log below:
2025-06-27 17:08:05 [INF] LN: Received an SSH message "request-service" of subtype "ssh-userauth".
2025-06-27 17:08:05 [INF] LN: Received an SSH message "request-auth" of subtype "none".
2025-06-27 17:08:05 [ERR] LN: User "ng4507" not known by the server.
2025-06-27 17:08:06 [INF] LN: Received an SSH message "request-auth" of subtype "password".
2025-06-27 17:08:06 [ERR] LN: User "ng4507" not known by the server.
[2025/06/27 17:08:06.136199, 1] ssh_packet_disconnect_callback: Received SSH_MSG_DISCONNECT: 11:Bye Bye
2025-06-27 17:08:06 [ERR] LN: Communication SSH socket unexpectedly closed.
Our current ietf-netconf-server configuration is as below:
<netconf-server xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-server">
  <listen>
    <endpoints>
      <endpoint>
        <name>default-ssh</name>
        <ssh>
          <tcp-server-parameters>
            <local-address>x.x.x.x</local-address>
          </tcp-server-parameters>
          <ssh-server-parameters>
            ......
            <client-authentication>
              <users>
                <user>
                  <name>ng4507</name>
                  <keyboard-interactive xmlns="urn:cesnet:libnetconf2-netconf-server">
                    <use-system-auth/>
                  </keyboard-interactive>
                </user>
              </users>
            </client-authentication>
          </ssh-server-parameters>
        </ssh>
      </endpoint>
    </endpoints>
  </listen>
</netconf-server>
But I also found that this problem was discussed before: Authenticate users with central user management, and the related code changes: Support SSH authentication for non-configured users.
So, my questions are:
- If I want to keep the current libnetconf2 version 3.0.8, does it mean I MUST configure all login users in ietf-netconf-server, no matter whether they are local users or LDAP users?
- If I upgrade to version 3.3.3, does it mean I can disable the feature local-users-supported in the ietf-ssh-server module and no longer need to configure any user in ietf-netconf-server? Will user logins then use the system shadow/PAM for authentication?
I really hope you can answer my questions, thanks so much.
Hi,
If I want to keep the current libnetconf2 version 3.0.8, does it mean I MUST configure all login users in ietf-netconf-server, no matter whether they are local users or LDAP users?
Yes, you would need to configure them all with their respective authentication methods.
If I upgrade to version 3.3.3, does it mean I can disable the feature local-users-supported in the ietf-ssh-server module and no longer need to configure any user in ietf-netconf-server? Will user logins then use the system shadow/PAM for authentication?
Correct, also note that the authentication method used will be determined based on the client's request.
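As an added illustration of the 3.0.x behaviour confirmed above (this is not libnetconf2 code, and the sample configuration is constructed here with the same shape as the one in the issue), the following script walks client-authentication/users in an ietf-netconf-server XML document and reports, for a given login name, whether the server has an entry for it and which authentication method nodes that entry carries. The "audit" entry without any method is a deliberately incomplete sample; it stands in for a misconfiguration a practitioner would want flagged before users hit the "not known by the server" error.

```python
import xml.etree.ElementTree as ET

NS = {"ncs": "urn:ietf:params:xml:ns:yang:ietf-netconf-server"}

# Constructed sample with the same shape as the issue's config (libnetconf2 3.0.x),
# trimmed to the client-authentication part; "audit" is intentionally incomplete.
SAMPLE_CONFIG = """<netconf-server xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-server">
  <listen><endpoints><endpoint>
    <name>default-ssh</name>
    <ssh><ssh-server-parameters>
      <client-authentication>
        <users>
          <user>
            <name>ng4507</name>
            <keyboard-interactive xmlns="urn:cesnet:libnetconf2-netconf-server">
              <use-system-auth/>
            </keyboard-interactive>
          </user>
          <user><name>audit</name></user>
        </users>
      </client-authentication>
    </ssh-server-parameters></ssh>
  </endpoint></endpoints></listen>
</netconf-server>"""

def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on a tag."""
    return tag.rsplit("}", 1)[-1]

def configured_users(config_xml):
    """Map each user under client-authentication/users to its auth-method nodes."""
    root = ET.fromstring(config_xml)
    users = {}
    for user in root.iterfind(".//ncs:client-authentication/ncs:users/ncs:user", NS):
        name = user.findtext("ncs:name", namespaces=NS)
        methods = []
        for child in user:
            if _local(child.tag) == "name":
                continue
            subs = "+".join(_local(g.tag) for g in child)   # e.g. use-system-auth
            methods.append(_local(child.tag) + ("/" + subs if subs else ""))
        users[name] = methods
    return users

def check_login(config_xml, username):
    """Classify a login name the way a 3.0.x server would: no entry means rejection."""
    users = configured_users(config_xml)
    if username not in users:
        return ("unknown", [])      # corresponds to: User "<name>" not known by the server.
    if not users[username]:
        return ("no-method", [])    # entry exists but carries no authentication method
    return ("ok", users[username])

if __name__ == "__main__":
    for name in ("ng4507", "audit", "ldap-user-not-in-config"):
        print(name, check_login(SAMPLE_CONFIG, name))
```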
Hi @Roytak, thanks for your confirmation. I will try to upgrade to the new libnetconf2 version. This issue can be closed now.