Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

users in LDAP subcontainers

users in LDAP subcontainers

Hi,

I have a set of users who exist in an subcontainer within our LDAP, and who cannot sign into RequestCenter because of this.  I'm just wondering if anyone else has ever come across this issue, and how you might have gotten around it.

Most of our users are in the main ACTIVE.USERS container, then there are some in a subcontainer, let's call it SUB1.ACTIVE.USERS.

On the login event, for the external authentication step, we have our EUABindDN set to: cn=#LoginID#,ou=ACTIVE,ou=USERS............

This works for all users in the main container, but not for users in the subcontainer.  If I then modify the EUABindDN to read: cn=#LoginID#,ou=SUB1,ou=ACTIVE,ou=USERS.......I can then sign in as a user in the subcontainer, but not as a user in the main container.  I just can't configure it to handle both.  I also can't strip back the BindDN to just give it cn=#LoginID#, it won't work and complains when I try.

Any thoughts/comments welcome!  (We are RC2008.3 SP3)

Everyone's tags (1)
7 REPLIES
New Member

users in LDAP subcontainers

Hi Kelly,

We had the same issue, all user accounts where supposed to be in container but this was not the case. We got round it by searching from the top level of the ldap, it would basically then traverse the entire ldap when authenticating the users.

With this solution however it will degrade performance as it has to search through the entire ldap structure. We found this to be acceptable and we have around 10,000 user accounts to search through.

This setting to change would be in the

New Member

users in LDAP subcontainers

I haven't tested this, but can you set up two datasources, each with a different BindDN?

users in LDAP subcontainers

We have a pretty varied OU structure across multiple sub-domains and so we had to get a custom SSO event built by professional services.  In our Directories config however, we set our bind dn to be the highest level in the parent domain.  Essentially DC=domain,DC=org

New Member

users in LDAP subcontainers

Hi Kelly,

I don't think you should be required to change the EUABindDN on the login event, here is an example of our setup including the EUABindDN setting.

DataSource Config:

UserBaseDN : DC=example,DC=com

Login Event Config for Import Person:

EUABindDN : #LoginId#@example.com  (the LoginId is case sensitive)

Hope this helps.

users in LDAP subcontainers

Hi,

Dave - you can setup two datasources, yes, each with a different user baseDN, but then when you try to configure the login event, using external authentication, there can only be one EUABindDN, and this appears to be my problem - I can't put a value in here that will be suitable for the main and the subcontainer at the same time.

 

Craig - I've tried changing the user baseDN and also the EUABindDN on the login event, but I'm not having any luck in getting this working, unfortunately

users in LDAP subcontainers

Thanks to all fo your input, looks like we do need some custom code to achieve what we need.  Shame the product doesn't handle this use case.

users in LDAP subcontainers

Enrico - newScale
4:34pm, May 18

Kelly, I opened feature request TD27426 on your behalf.

506
Views
0
Helpful
7
Replies