
Cisco Works and MS Active Directory authentication

tmowinski
Level 1

Hi

I have configured Common Services to use AD/LDAP authentication. It works, but now after logon I don't have sufficient privileges to change anything in CiscoWorks (for instance, I can't change AAA parameters now). Is there another way to log on locally, or do I have to disconnect the CW server from the LDAP server? How does CW give privileges to an account from AD?

thanks in advance

Tomek

9 Replies

vergeerf
Level 1

The authorization is done via the local CiscoWorks LMS database. So the username used in LDAP should be available in the local CiscoWorks database with the appropriate user role. If no username is found, the user will have the helpdesk role and limited permissions.

Thanks a lot.

It explains everything.

Now I have accounts in CW as "name.surname", but I have to log on to AD using "name space surname" as the login name (even though my domain account is with "."). Maybe you know how I can log in to CW with admin privileges now, and how I can resolve this problem with the login names?

best regards

Tomek

The default Login fallback option is set to admin only, so you should be able to log in with admin (it bypasses the AD if this username is not available in AD).

Otherwise you should reset the login module: stop crmdmgtd, run the resetlogin Perl script (NMSROOT\bin\perl NMSROOT\bin\ResetLoginModule.pl), and restart the daemon manager crmdmgtd.

OK. I hope it's the last question :)

Now I'm connected as admin. I've configured the login module options like this:

Server: ldap://server.domain.com

Usersroot: ou=Information Technology, dc=domain, dc=com

Prefix: sAMAccountName=

And I can't log on. When I change the Prefix to cn= then I can log in with name space surname. Anonymous binding is enabled. Where could the problem be?

In the LDAP browser I can see the attribute: sAMAccountName=name.surname

thanks a lot

Tomek

Hi

We have recently changed the LMS config to the Microsoft Active Directory mode.

You say that the username should be found in the LMS local database.

But when I create a new user I must fill in the password field. What should I insert? The policy in our company is to change the password regularly, so will I have to change the password in LMS too?

Regards

The password (local user database) is only used when the AD is not accessible/down, for example. You can however specify a fall-back user in case the AD is not available. Normally admin is used. So if you want users to be able to log in when AD is not available, you should specify a password (which is static, or people should change their password on a regular basis).

OK. What are the rights of the AD users? How do I define the role as technician or administrator?

The authorization is done via the local CiscoWorks LMS database. So the username used in AD should be available in the local CiscoWorks database with the appropriate user role. If no username is found, the user will have the helpdesk role and limited permissions. If you have AAA mode (using CiscoSecure ACS) you can create other roles with your own customization.

So I must create the AD users in the LMS local database in order to select which role I wish to give. The problem is keeping the password up to date. It does not seem to be a really friendly mode!
