
Version 8.0.0-671 issue

Jason Meyer
Level 1

Just an FYI that after installing 8.0.0-671 on C670s I ran into an issue where it does not support userIDs longer than 16 characters. This was allowed in previous versions, as I have admins that use LDAP authentication with userIDs longer than 16 characters.

So far I find nothing in the documentation indicating that this is changing.

I've created local accounts for these users as a workaround.

Just a FYI.


Hey Jason,

8.0.0 is still FCS, so they're still working on it... did you file a TAC case and get a bug number?

Ken

I have not filed a case on it.

Hi Guys,

This is by design. This limitation also existed in earlier versions, but there was no explicit message in the GUI; that message was added in version 8.0.0.

There was defect CSCzv27500, where it was noticed quite some time ago that the CLI cannot handle external users with usernames longer than 16 characters. The GUI could, but only in certain conditions. As it's considered that 16 characters for a username should be more than enough for most customers, our engineering decided to keep this limitation for the GUI and for the CLI in all circumstances, and to add a warning message to lower the number of characters for usernames in case it's higher than 16.

HTH

Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach"

http://www.cisco.com/web/partners/tools/pdihd.html


Well, that is unfortunate. We have an admin that has an Active Directory user name longer than 16 characters.

Is creating a local account for these users the only workaround?

Will this impact Active Directory-tied SPAM Quarantine access on M670s? I have 18k users that log in to my appliance that way, and I'm guessing a few hundred have names longer than 16 characters.

Hi,

I would say an AD user or local account with fewer characters.

I haven't tested it for SPAM quarantine on the SMA, honestly.

HTH

Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach"

http://www.cisco.com/web/partners/tools/pdihd.html


michael.viton
Level 1

I too have this issue.

This is a bit disappointing. We have numerous admins at different levels and everything is tied to AD/LDAP. How is it even acceptable to allow only 16 characters?

We have nearly 20K users in the SPAM Quarantine and any update on functionality here would be great.

And if it does not affect quarantine, then there is inconsistency there.

On our M670 now running 8.1.1-013 the user name limit does not affect users logging into the SPAM quarantine via LDAP authentication. I have a user with a 17-character AD login who can log in to SPAM quarantine successfully.

However, this same user is also an IronPort administrator and cannot log in to the administrative GUI with this same account.

Jason,

I have seen this fix the issue:

Symptoms

External Authentication (GUI admin access) worked before upgrading to 8.0

Solution:

  1. Navigate to: GUI>System Administration>LDAP
  2. Open your LDAP profile
  3. Under LDAP Server Settings > Server type, explicitly define your server type i.e. "Active Directory" or "OpenLDAP"
  4. Submit
  5. Commit Changes

Hope this helps!

Appreciate the input but my LDAP configuration is already set to type Active Directory, which is what I'm connecting to.
