Introduction
Cisco UCS can be configured to authenticate user logins remotely using LDAP and various remote authentication providers, such as Active Directory. The Cisco UCS Manager CLI test commands can be used to verify the configuration of the Lightweight Directory Access Protocol (LDAP) provider or the LDAP provider group.
Problem
Unable to log in with the usernames "adm-user1" and "adm-user2". The LDAP domain structure is as follows.
An LDAP provider was added with these settings:
bind user = adm-user1
base DN = OU=Domain Administration,DC=company,DC=domain,DC=com
attribute = empty
filter = sAMAccountName=$userid
password for adm-user1 is set
group authorization = enabled, recursive
Login works with ucstestuser (read-only). Even after moving ucstestuser to ucsadmingroup and mapping that group, ucstestuser can log in and has admin rights. However, adm-user1 and adm-user2 cannot log in (User Authentication failed).
Software Versions
UCS Manager ver 2.2
Explanation
With remote authentication in UCS, when a user logs in, the FI uses a temporary account of the form ucs-MyAuthDomain\myusername, which is limited to a total of 32 characters. If you shorten the authentication domain name defined in UCSM from domain.com to a shorter name such as AD, a longer username can be used.
For systems using a remote authentication protocol, the authentication domain name is considered part of the user name and counts toward the 32-character limit for locally created user names. Because Cisco UCS inserts 5 characters for formatting, authentication will fail if the combined character count of the domain name and user name exceeds 27.
Refer to the following guide for more details: http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/sw/gui/config/guide/2-2/b_UCSM_GUI_Configuration_Guide_2_2/b_UCSM_GUI_Configuration_Guide_2_1_chapter_01000.html
Resolution
In the above case, user accounts with at most 15 characters work and you are able to log in. User accounts with 16 or more characters do not work and you get "User Authentication failed". This is because the FI logs the user in through a temporary account whose name is limited to 32 characters, and that limit includes the domain name. To solve the issue, reduce the number of characters in the username or in the domain name.
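As an added example, not part of the original Cisco document, the following Python script pre-checks candidate usernames against the 32-character temporary account limit before they are provisioned in the directory, so the "User Authentication failed" symptom can be predicted instead of debugged. The ucs-<domain>\<username> format, the 32-character limit and the 5 formatting characters come from the text above; the domain names and usernames in the script are constructed sample values, not from the forum thread.

```python
# Added example (not from the original Cisco document): pre-check whether a
# UCS Manager remote-authentication login fits the temporary FI account name.
# The ucs-<domain>\<username> format and the 32-character limit are from the
# page; all domain and user names below are constructed sample values.

UCS_PREFIX = "ucs-"        # 4 characters inserted by UCS
UCS_SEPARATOR = "\\"       # 1 backslash between domain name and username
UCS_MAX_LEN = 32           # limit on the temporary account name on the FI
FORMAT_OVERHEAD = len(UCS_PREFIX) + len(UCS_SEPARATOR)  # the 5 formatting characters


def temp_account_name(domain: str, username: str) -> str:
    """Return the temporary account name the FI builds for a remote login."""
    return f"{UCS_PREFIX}{domain}{UCS_SEPARATOR}{username}"


def fits_limit(domain: str, username: str) -> bool:
    """True if the temporary account name stays within the 32-character limit."""
    return len(temp_account_name(domain, username)) <= UCS_MAX_LEN


def max_username_length(domain: str) -> int:
    """Longest username that still authenticates for a given authentication domain."""
    return UCS_MAX_LEN - FORMAT_OVERHEAD - len(domain)


def check_users(domain: str, usernames: list[str]) -> dict[str, bool]:
    """Map each username to True (fits) or False (will fail with
    'User Authentication failed' because of the length limit)."""
    return {user: fits_limit(domain, user) for user in usernames}


if __name__ == "__main__":
    # Constructed sample: a long authentication domain name versus a short alias.
    long_domain = "corp.company.com"   # 16 characters -> usernames up to 11
    short_domain = "AD"                # 2 characters  -> usernames up to 25
    candidates = ["adm-user1", "svc-monitoring", "john.smith.contractor"]
    for dom in (long_domain, short_domain):
        print(f"domain {dom!r}: max username length {max_username_length(dom)}")
        for user, ok in check_users(dom, candidates).items():
            name = temp_account_name(dom, user)
            print(f"  {name:<40} {len(name):>2} chars  {'OK' if ok else 'FAIL'}")
```

Running the script shows the same effect the Resolution describes: with the 16-character domain only the 9-character account fits, while renaming the authentication domain to AD lets all three candidates log in without touching the directory accounts.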
When you change the native authentication to LDAP and use a local account to log in, remember to prepend the local user name with the local authentication domain name. For example:
* From a Linux / Mac machine:
ssh ucs-<domain-name>\\<username>@<UCSM-IP-Address>
ssh -l ucs-<domain-name>\\<username> <UCSM-IP-address>
ssh <UCSM-IP-address> -l ucs-<domain-name>\\<username>
* From the PuTTY client:
Login as: ucs-<domain-name>\<username>
NOTE: The domain name is case sensitive and must match the domain name configured in UCSM.
This document is based on the following discussion: https://supportforums.cisco.com/discussion/12112711/ucs-manager-22-ldap-authentication