Cisco Support Community
New Member

ACS can not access ADS-LDAP starting from "DC=..."


I have an ACS v4.2 from which I try to access an ADS LDAP directory. When I use "CN=Users,DC=Domain,DC=com" as the baseDN for the users and the groups, everything works as it should. When I change the base DN to "DC=Domain,DC=com" only, then the ACS is not able to find any users or groups. Even when trying to configure the group mappings, it claims: "LDAP Server NOT reachable. Please check the configuration.". Using an LDAP browser I don't have any issues accessing the directory from the shorter baseDN.

Is this a v4.2 related problem or a general ACS problem?

The point is that I need to find users in different OUs, which are located directly under the domain name, so I need to search for them starting from "DC=Domain,DC=com". I know that with "Generic LDAP" I can make several "Database Configurations" to resolve the issue with the OUs. But not with an "RSA SecurID Token and LDAP Group Mapping" setup. There it is only possible to have one LDAP group mapping configuration.

Any input would be greatly appreciated.

New Member

Re: ACS can not access ADS-LDAP starting from "DC=..."

Do you see any error messages in either ACS or the LDAP server? This configuration is supported and there are no known issues with ACS 4.2. We often see that there is a configuration issue either in ACS or the LDAP structure.

Please contact the TAC if there aren't any obvious error messages available.

New Member

Re: ACS can not access ADS-LDAP starting from "DC=..."

I don't see any reasonable log entries. Not in the ACS logs, not in the domain controller which I'm accessing. The logs look the same when accessing both ways.

The parameters are correct, as the access works without any problems when using the longer baseDN. It doesn't when using the shorter baseDN. But it works again when switching back to the longer baseDN.

I will ask TAC. Let's see what they find out.

New Member

Re: ACS can not access ADS-LDAP starting from "DC=..."

Did you ever resolve this problem? We are experiencing a similar problem.

New Member

Re: ACS can not access ADS-LDAP starting from "DC=..."


We invested a lot of time together with TAC and development. Short answer: No, it's not solved. It was an ACS bug. But development didn't really understand the problem. We went ahead and restructured the ADS.

The problem we had is that the LDAP directory of a Windows domain is not fully accessible. Even if you connect as a Domain Administrator or to the Global Catalog. :-) And that's where the ACS fails. LDAP browsers just read over the inaccessible parts of an LDAP directory and show you all the accessible parts. ACS doesn't. It stops and reports the failure. You can see that clearly when sniffing the access of the ACS and the LDAP browser to the directory. Unfortunately the inaccessible part is at the beginning of the ADS LDAP directory. :-(

Maybe they have resolved the problem nowadays. Or if you have a Windows guru who can help you in making the directory fully accessible, I would be interested in the How-To.

I wish you best luck with your issue.

Kind regards
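The behaviour described in the last post, an LDAP browser that reads past the inaccessible parts of the tree while ACS aborts on the first one, can be modelled offline. The following is an added example and is not code from the thread, from Cisco ACS or from any LDAP browser. It assumes (an assumption of this example, not a statement of the poster) that the inaccessible parts at the top of the domain naming context show up in a subtree search as referrals to other naming contexts, and it uses a constructed, in-memory directory in place of a real domain controller. Searching from "CN=Users,..." never touches those parts, while searching from "DC=...,DC=..." does, which reproduces the symptom the thread describes: the strict client succeeds with the longer base DN and fails with the shorter one, while the tolerant client returns the users from every OU and merely records what it skipped.

```python
"""Tolerant vs strict consumption of an LDAP subtree search (added example).

The directory below is constructed sample data; the referral entries stand in
for the parts of the tree this example assumes the directory cannot serve.
"""
from urllib.parse import urlparse


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas (RFC 4514)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escape sequence intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def normalize_dn(dn):
    """Case-insensitive RDN list, enough for ancestor checks in this example."""
    return [p.lower() for p in split_dn(dn)]


def is_under(dn, base):
    """True if dn equals base or lies beneath it in the tree."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


# Constructed directory: what a subtree search from the domain root returns.
# The referrals are placed first, matching the poster's remark that the
# inaccessible part sits at the beginning of the ADS LDAP directory.
DIRECTORY = [
    {"kind": "referral", "target": "ldap://domaindnszones.domain.com/DC=DomainDnsZones,DC=domain,DC=com"},
    {"kind": "referral", "target": "ldap://forestdnszones.domain.com/DC=ForestDnsZones,DC=domain,DC=com"},
    {"kind": "entry", "dn": "CN=Users,DC=domain,DC=com", "attrs": {}},
    {"kind": "entry", "dn": "CN=jdoe,CN=Users,DC=domain,DC=com", "attrs": {"sAMAccountName": "jdoe"}},
    {"kind": "entry", "dn": "OU=Sales,DC=domain,DC=com", "attrs": {}},
    {"kind": "entry", "dn": "CN=asmith,OU=Sales,DC=domain,DC=com", "attrs": {"sAMAccountName": "asmith"}},
]


def referral_dn(target):
    """Extract the DN part of an LDAP URL such as ldap://host/DC=x,DC=y."""
    return urlparse(target).path.lstrip("/")


def simulated_search(base):
    """Return the items a subtree search scoped at `base` would yield."""
    out = []
    for item in DIRECTORY:
        dn = item["dn"] if item["kind"] == "entry" else referral_dn(item["target"])
        if is_under(dn, base):
            out.append(item)
    return out


class SubtreeNotReachable(Exception):
    """Raised by the strict client on the first part of the tree it cannot read."""


def collect_users(base, strict):
    """Walk the search results; return (user names, skipped subtree DNs).

    strict=True  aborts on the first referral (the behaviour attributed to ACS).
    strict=False skips it and keeps reading (what an LDAP browser does).
    """
    users, skipped = [], []
    for item in simulated_search(base):
        if item["kind"] == "referral":
            if strict:
                raise SubtreeNotReachable(item["target"])
            skipped.append(referral_dn(item["target"]))
            continue
        name = item["attrs"].get("sAMAccountName")
        if name:
            users.append(name)
    return users, skipped


def diagnose(base):
    """Compare both strategies for one base DN; useful when narrowing down which subtree trips a strict client."""
    tolerant_users, skipped = collect_users(base, strict=False)
    try:
        strict_users, _ = collect_users(base, strict=True)
        strict_status = "ok"
    except SubtreeNotReachable as exc:
        strict_users, strict_status = [], f"failed at {exc}"
    return {"base": base, "tolerant": tolerant_users, "skipped": skipped,
            "strict": strict_users, "strict_status": strict_status}


if __name__ == "__main__":
    for base in ("CN=Users,DC=domain,DC=com", "DC=domain,DC=com"):
        print(diagnose(base))
```

Against a real directory the same comparison is what a packet capture of the ACS and of the LDAP browser shows: the `skipped` list tells you which naming contexts a strict client would have to be kept away from, either by choosing a base DN below them or by restructuring the directory, as the poster ended up doing.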
