snmp authentication local vs. ldap

dsdwn
Member
Posts: 4
Joined: 09 Feb 2011 18:19

snmp authentication local vs. ldap

Post by dsdwn » 09 Feb 2011 18:46

hello @ all

I am facing a bigger project with OmniSwitches with mid-to-high security requirements.

Because of the high number of switches I won't store SNMP credentials locally (in case a change of credentials is required, I have to walk over every single switch with the CLI [this is my level of knowledge so far])

... so my questions:

- is there a secure way (reliable way) to change the SNMP credentials with OmniVista?
- any examples/recommendations/experience with LDAP (DO's; NOGO's, OpenLDAP, AD, "??")?
- only LOCAL & LDAP are supported for SNMP authentication in my 6.4.3 manuals [this is my level of knowledge so far] ... is RADIUS on the horizon?

- for the CLI way: I have tested ssh expect scripts with the OmniSwitch shell ... while the scripts are functional with Linux, Solaris etc., I can't get this working with OmniSwitches ??? any idea, special end-of-line handling ... ??

links, tips & condolences are welcome

Re: snmp authentication local vs. ldap

Post by dsdwn » 16 Mar 2011 19:16

some ... google'ing ... altering ... :
... this is ssh scripting with "username-password" on the cli (without key-handling for first connect [or keyloss]...maybe I can (or you can) deliver this later)

LDAP authentication for SNMP on OmniVista's OpenLDAP isn't so easy ... the OpenLDAP examples that come with the AOS documentation are ... antique [carefully said] ... and my Dshell knowledge for debugging this stuff is poor. (some wise men from India will have an eye on this ...)


```expect
#!/usr/bin/expect -f
# Expect script to supply the password for a remote ssh server
# and execute a command.
# This script needs three arguments to connect to the remote server:
# user = login name on the remote server
# password = password of that user on the remote server
# ipaddr = IP address of the remote server, no hostname
# scriptname = (optional) path to a remote script which will execute on the remote server
# For example:
###############################################################
# ./ssh-robot.exp username password ipaddress [subscript]
###############################################################
# ------------------------------------------------------------------------
# Copyright (c) 2004 nixCraft project <http://cyberciti.biz/fb/>
# This script is licensed under GNU GPL version 2.0 or above
# -------------------------------------------------------------------------
# This script is part of nixCraft shell script collection (NSSC)
# Visit http://bash.cyberciti.biz/ for more information.
# ----------------------------------------------------------------------
# Set variables. lindex returns the bare argument; lrange returns a list,
# which wraps values containing spaces or special characters in braces.
set user [lindex $argv 0]
set password [lindex $argv 1]
set ipaddr [lindex $argv 2]
# scriptname and arg1 are read but not used further down
set scriptname [lindex $argv 3]
set arg1 [lindex $argv 4]
# -1 = wait indefinitely for each expected pattern
set timeout -1
# now connect to remote ALU box (ipaddr) with given script to execute
spawn ssh $user@$ipaddr
match_max 100000
# Look for password prompt (any text ending in "d:")
expect {*d:*}
#expect "*d:"
#expect "username password for keyboard-interactive method:"
# Send password aka $password
send -- "$password\r"
# for a "hostname#" prompt (otherwise expect other last char, if you prefer a more exalted prompt : )
expect {*#*}
# send a test command (ls) and wait until the prompt is back
send -- "ls\r"
expect {*#*}
#expect eof
```

and surprise: ...

```
---prompt---# ./ssh-robot.exp ---user--- ---password--- ---ip---
spawn ssh ---user---@---ip---
---user---'s password for keyboard-interactive method: 


Welcome to the Alcatel-Lucent OmniSwitch 9000
Software Version 6.4.3.668.R01 Service Release, December 06, 2010. 

Copyright(c), 1994-2010 Alcatel-Lucent. All Rights reserved.

OmniSwitch(TM) is a trademark of Alcatel-Lucent registered
in the United States Patent and Trademark Office.

---promptswitch---# ls

Listing Directory /flash:

drw      4096 Feb 28 12:55 certified/
-rw       315 Feb 28 12:55 boot.params 
drw      4096 Feb 28 12:53 switch/
-rw    500000 Feb 21 09:49 swlog1.log 
-rw    500000 Mar 16 23:46 swlog2.log 
drw      4096 Feb 28 12:55 working/
-rw   1517414 Feb 22 14:09 MemMon000.dmp 
drw      4096 Aug  9  2010 network/
-rw        40 Feb 28 12:19 lmLicense.dat 
-rw       256 Feb 28 12:08 random-seed 
-rw        20 Feb 28 12:12 installed 

        177979392 bytes free

---promptswitch---# ---prompt--- 
```
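
A hardened variant of the login script above, as an added example that is not part of the original posts: it takes the password from an environment variable instead of the command line, uses a finite timeout, and stops when the host key is unknown or the login is rejected. The variable name SWITCH_PASS, the script name and the exit codes are assumptions of this example; the prompt patterns follow the session output shown above.

```expect
#!/usr/bin/expect -f
# Added example, not from the original post: hardened variant of ssh-robot.exp.
# Usage: SWITCH_PASS='...' ./ssh-robot-safe.exp user ipaddr ?command?
# SWITCH_PASS, the script name and the exit codes are assumptions of this example.

proc fail {code msg} { puts stderr "ssh-robot-safe: $msg"; exit $code }

if {$argc < 2} { fail 2 "usage: $argv0 user ipaddr ?command?" }
set user   [lindex $argv 0]
set ipaddr [lindex $argv 1]
set cmd "ls"
if {$argc > 2} { set cmd [lindex $argv 2] }

# Password comes from the environment, so it is not an argument in `ps` output.
if {![info exists env(SWITCH_PASS)]} { fail 2 "SWITCH_PASS is not set" }
set password $env(SWITCH_PASS)

set timeout 20    ;# finite: an unexpected prompt ends the run instead of hanging
set prompt {# ?$} ;# "hostname# " as in the session shown above
set pwprompt {[Pp]assword[^\r\n]*: ?$}

# StrictHostKeyChecking=yes: ssh exits on an unknown or changed host key
# instead of asking, so the password is never sent to an unverified host.
spawn ssh -o StrictHostKeyChecking=yes $user@$ipaddr

expect {
    -re $pwprompt { send -- "$password\r" }
    timeout       { fail 3 "no password prompt from $ipaddr" }
    eof           { fail 3 "ssh ended before login (host key not in known_hosts?)" }
}
expect {
    -re $pwprompt { fail 4 "login rejected for $user@$ipaddr" }
    -re $prompt   { }
    timeout       { fail 3 "no CLI prompt after login" }
    eof           { fail 3 "connection closed after login attempt" }
}
send -- "$cmd\r"
expect {
    -re $prompt   { }
    timeout       { fail 5 "command did not return to the prompt" }
    eof           { fail 5 "connection closed while running the command" }
}
close
wait
```

Each switch's host key has to be in known_hosts before the first run; a non-zero exit code lets a wrapper loop over many switches record which ones failed and why.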

