How to Differentiate CLI and GUI Logins in LDAP externalauth Script

Hi everyone,

We’re currently using the same externalauth script in confd for LDAP-based user authentication across multiple interfaces:

  • CLI login via SSH: ssh -p 2024 user@<IP>

  • Central/Grafana GUI login using LDAP search: /usr/bin/ldapsearch -D cn=${USER_NAME},dc=cisco,dc=com -H ldaps://orchestrator:636 -w ${PASSWORD} -b dc=cisco,dc=com cn=${USER_NAME}

The issue I’m facing is that I need to add some conditional logic to the script that behaves differently depending on whether the login attempt is coming from the CLI or the GUI.

Is there a reliable way to detect or differentiate the caller context within the externalauth script itself? For example, can we identify if the script was triggered by an SSH login versus a GUI login?

Any insights or workarounds would be greatly appreciated!

Thanks in advance.

Or is there any way to configure different script inside the confd for CLI interface login only?

Hi Vinuta,

The ConfD User Guide mentions this configuration option, which is disabled per default:

/confdConfig/aaa/externalAuthentication/includeExtra (boolean) [false]

When set to ‘true’, additional information items will be provided to the executable: source IP address and port, context, and protocol. I.e. the complete format will be ‘[${USER};${PASS};${IP}; ${PORT};${CONTEXT};${PROTO};]\n’. Example: ‘[bob;secret;192.168.1.1;12345;cli;ssh;]\n’.

Please update the ticket when you can tell if it works to access the information in the external authentication script after enabling this option.

1 Like
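To show how an externalauth script can act on the extended input format quoted above, here is an added example (not ConfD's code and not from this thread) that parses the stdin line and classifies the caller by `${CONTEXT}`. It assumes the basic format without includeExtra is `[${USER};${PASS};]\n` and that the CLI context is reported as the string `cli`, as in the user guide's example.

```python
import re
import sys
from dataclasses import dataclass
from typing import Optional

# Two input shapes. The password group is greedy and the four trailing fields
# cannot contain ';', so a ';' inside the password still parses correctly.
_EXTENDED = re.compile(r"^\[([^;]*);(.*);([^;]*);([^;]*);([^;]*);([^;]*);\]$")
_BASIC = re.compile(r"^\[([^;]*);(.*);\]$")  # includeExtra=false (assumed shape)


@dataclass
class AuthRequest:
    user: str
    password: str
    ip: Optional[str] = None
    port: Optional[int] = None
    context: Optional[str] = None  # e.g. "cli"; other contexts such as webui/netconf
    proto: Optional[str] = None    # e.g. "ssh", "https"


def parse_externalauth(line: str) -> AuthRequest:
    """Parse the single line ConfD writes to the externalauth executable's stdin."""
    line = line.rstrip("\n")
    m = _EXTENDED.match(line)
    if m:
        user, password, ip, port, ctx, proto = m.groups()
        return AuthRequest(user, password, ip, int(port), ctx, proto)
    m = _BASIC.match(line)
    if m:
        return AuthRequest(*m.groups())
    raise ValueError("unrecognised externalauth input line")


def caller_kind(req: AuthRequest) -> str:
    """'cli' for CLI logins, 'other' for any other context, 'unknown' if
    includeExtra is off (no context field, so the caller cannot be told apart)."""
    if req.context is None:
        return "unknown"
    return "cli" if req.context == "cli" else "other"


if __name__ == "__main__":
    req = parse_externalauth(sys.stdin.readline())
    kind = caller_kind(req)
    # Branch on `kind` here, e.g. run the ldapsearch bind only for CLI logins.
    # Never log the raw input line: it carries the plaintext password.
    sys.stderr.write(f"externalauth: user={req.user} context={req.context} kind={kind}\n")
```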

Hi @metakidu,

After enabling the includeExtra flag, I was able to view the context in the externalauth script.
It helped me to differentiate the caller of the script.

Thanks so much for your help,

Vinuta MB

2 Likes