New Member

Locked out of DMM 5.3 server

Hi all,

I was setting up the LDAP settings in the 5.3 DMM when I got called away from my desk. I was away longer than expected and the session timed out on me. I only got the LDAP admin account information entered and successfully connected when I stepped away. I didn't get any of the Define Filters set yet. When I found the session had timed out on me I logged in to the AAI and reset the superuser password with the pwadmin account, but I am still unable to log in. I bounced the box and I am still unable to log in with the superuser account. Any ideas?

To my understanding I should always be able to log in with the superuser account regardless of the Auth method. Am I wrong for thinking this? In the user guide it says you can delete every user except the superuser. So I should be able to use that account to gain access anytime, correct?

Any help would be much appreciated. If I have to reimage the box, I am lucky that I am just getting it set up and there is nothing on it yet....

Thanks,

JD

1 ACCEPTED SOLUTION

Bronze

Locked out of DMM 5.3 server

JD,

It looks like you are not able to log into the DMM using any account including “superuser” after integrating with LDAP.

 
Please try this URL to by-pass authentication for superuser:

http://:8080/dmsadmin/admin/login

Note it is http not https and port = 8080 not 8443. Once you are able to bypass the authentication, check if the LDAP syntax is proper.
 
→ The special URL is used only in the case when there is an issue with authentication (LDAP or FEDERATION mode). It is a backdoor to by-pass the authentication.

http://www.cisco.com/en/US/docs/video/digital_media_systems/5_x/5_2/dmm/user/guide/admin/auth.html#wp1234667

If you want to use Superuser account as a regular LDAP account, you can add the username “superuser” in your LDAP group from where you are getting the Users.

This release is more strict than any prior release in its enforcement of proper LDAP syntax. Now, when you specify the administrator DN, you must use proper syntax, which conforms exactly to LDIF grammar.
• Proper syntax: CN=admin1,OU=Administrators,DC=example,DC=com
• Poor syntax: EXAMPLE\admin1
OTHERWISE
When you use poor syntax here for the first time while your DMM appliance runs Cisco DMS 5.2.3, we show you, the administrator, this error message: "Invalid username or password."
But if you used and validated poor syntax in this way before upgrading to Cisco DMS 5.2.3, we do not repeat the validation process. Therefore, even though we do not show an error message to anyone, LDAP users simply cannot log in.
FURTHERMORE
LDAP validation also fails now whenever any expression includes a space immediately to either side of:
– Any "=" sign.
– Any "objectClass" attribute.
Source: http://www.cisco.com/en/US/docs/video/digital_media_systems/5_x/5_2/dms/release/notes/dms52rn.html#wp246375

Let me know if you have any questions.

Thanks,

Sagar Dhanrale
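
The syntax rules quoted in the answer above can be pre-checked before a value is typed into the DMM LDAP settings. This is an added example, not code from the original post or from Cisco; the function names and messages are hypothetical, and it checks only the rules quoted above (DN form instead of DOMAIN\user, no space next to "=" or "objectClass"), not everything the appliance validates.

```python
import re

# Attribute type: a short name such as CN/OU/DC, or a dotted numeric OID.
ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)+")

SPACE_EQ = "space next to '='"
SPACE_OC = "space next to objectClass"
DOWNLEVEL = "DOMAIN\\user form, not a DN"
NO_PAIRS = "no attribute=value pairs"


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def check_spacing(expr):
    """Apply the two spacing rules to any DN or filter expression."""
    problems = []
    if re.search(r"\s=|=\s", expr):
        problems.append(SPACE_EQ)
    if re.search(r"\sobjectClass|objectClass\s", expr, re.IGNORECASE):
        problems.append(SPACE_OC)
    return problems


def check_admin_dn(dn):
    """Return a list of problems for an administrator DN; empty means it passes."""
    problems = check_spacing(dn)
    if "=" not in dn:
        problems.append(DOWNLEVEL if "\\" in dn else NO_PAIRS)
        return problems
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not ATTR.fullmatch(attr.strip()) or not value.strip():
            problems.append(f"malformed RDN: {rdn!r}")
    return problems
```

An empty list from `check_admin_dn` means the string passes these checks only; the bind itself still has to succeed against the directory.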
 

2 REPLIES
New Member

Locked out of DMM 5.3 server

I must have overlooked the bypass in the guide. That got me in. Thank you!

My string is as follows but names are changed for security but you get the idea:

CN=DMMAdmin,OU=DMM,OU=Cisco,OU=SAccounts,OU=UAccounts,DC=example,DC=org

I will see about adding the superuser account to the group.

Thanks Sagar!!
