UCS LDAP User Authentication Failed for Some Users

Introduction
Cisco UCS can be configured to authenticate user logins remotely using LDAP and various remote authentication providers, such as Active Directory. The Cisco UCS Manager CLI test commands can be used to verify the configuration of the Lightweight Directory Access Protocol (LDAP) provider or the LDAP provider group.

Problem
Users "adm-user1" and "adm-user2" are not able to log in. The LDAP domain structure is as follows:

DC=company.domain.com
OU=Domain Administration
OU=Administrators
OU=germany
CN=adm-user1
CN=adm-user2
OU=Test-OU
CN=ucstestuser
CN=ucsadmingroup --> Member = adm-user1, adm-user2

An LDAP provider was added with the following settings:
binduser = adm-user1
baseDN = OU=Domain Administration,DC=company,DC=domain,DC=com
attribute = empty
filter = sAMAccountName=$userid
password for adm-user1 is set
group authorization / recursive enabled

Login with ucstestuser works (read-only). Even after moving ucstestuser into ucsadmingroup and mapping that group, ucstestuser can log in and has admin rights. However, adm-user1 and adm-user2 cannot log in ("User Authentication failed").

Software Versions
UCS Manager ver 2.2

Explanation
With remote authentication in UCS, when a user logs in the FI uses a temporary account of the form ucs-MyAuthDomain\myusername, which is limited to a total of 32 characters. If you shorten the authentication domain name defined in UCSM from domain.com to a shorter name such as AD, a longer username can be used.

For systems using remote authentication protocol, the authentication domain name is considered part of the user name and counts toward the 32-character limit for locally created user names. Because Cisco UCS inserts 5 characters for formatting, authentication will fail if the domain name and user name combined character total exceeds 27.

Refer to the following guide for more details:
http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/sw/gui/config/guide/2-2/b_UCSM_GUI_Configuration_Guide_2_2/b_UCSM_GUI_Configuration_Guide_2_1_chapter_01000.html
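The length rule above can be checked before users are created or before an authentication domain is renamed. The following is an added example, not code from Cisco or from the original post; the usernames and the 18-character test name are constructed, and the domain names domain.com and AD are the long and short forms mentioned above.

```python
# Limits described for UCS Manager remote authentication:
# the temporary FI account "ucs-<auth-domain>\<username>" may be at most 32
# characters, of which 5 are formatting ("ucs-" prefix and "\" separator).
FI_ACCOUNT_MAX = 32
FORMATTING_CHARS = 5
COMBINED_MAX = FI_ACCOUNT_MAX - FORMATTING_CHARS  # 27: domain + username


def fi_account_name(auth_domain: str, username: str) -> str:
    """Build the temporary account name the FI uses for a remote login."""
    return f"ucs-{auth_domain}\\{username}"


def max_username_length(auth_domain: str) -> int:
    """Longest username that still authenticates under this auth domain."""
    return COMBINED_MAX - len(auth_domain)


def check_login(auth_domain: str, username: str) -> dict:
    """Report the effective FI account name and whether it fits the limit."""
    name = fi_account_name(auth_domain, username)
    return {"fi_account": name, "length": len(name),
            "ok": len(name) <= FI_ACCOUNT_MAX}


def audit_users(auth_domain: str, usernames: list) -> list:
    """Return the usernames that would get 'User Authentication failed'."""
    return [u for u in usernames if not check_login(auth_domain, u)["ok"]]


if __name__ == "__main__":
    # Constructed sample: the page's users plus one deliberately long name.
    users = ["adm-user1", "adm-user2", "ucstestuser", "a" * 18]
    for domain in ("domain.com", "AD"):
        print(f"auth domain {domain!r}: max username length "
              f"{max_username_length(domain)}, failing: "
              f"{audit_users(domain, users)}")
```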

Resolution
In the above case, user accounts with a maximum of 15 characters work and can log in. User accounts with 16 or more characters do not work and return "User Authentication failed". This is because the FI creates a temporary account for the login whose name is limited to 32 characters, and that limit includes the domain name. To solve the issue, reduce the number of characters in the username or in the domain name.

When you change the native authentication to LDAP and use a local account to log in, remember to prepend the local username with the local authentication domain name.
Example:
* From Linux / MAC machine
ssh ucs-<domain-name>\\<username>@<UCSM-IP-Address>
ssh -l ucs-<domain-name>\\<username> <UCSM-IP-address>
ssh <UCSM-IP-address> -l ucs-<domain-name>\\<username>
* From PuTTY client
Login as: ucs-<domain-name>\<username>
NOTE: The domain name is case sensitive and must match the domain-name configured in UCSM.

This document is based on the following discussion:
https://supportforums.cisco.com/discussion/12112711/ucs-manager-22-ldap-authentication

Related Information
Configuring LDAP AD for UCS 1.4.1 and above
Procedure to Gracefully Shutdown and Powerup UCS system