
New Member

LDAP Authentication Problem on Call Manager 7.1.3b

My Active Directory is synchronized fine...

I can see all the users...

But when I try to log in to Call Manager as a user or as an administrator (CCM admin user group), it fails.

I have ticked the box on LDAP synchronization "use ldap authentication for end users"


20 REPLIES

Re: LDAP Authentication Problem on Call Manager 7.1.3b

Let's check 1 thing and then offer an alternative for the second and go from there:

1) Best practice is to use a separate account that is not an End User for CCM Admin access.  For these users, you should create an application user and this user will not be associated to users imported in via AD.

2) For End Users, verify that you have the Standard CCM End User group assigned and that you are logging into https:///ccmuser.

Post back with your findings and results.

Hailey

Re: LDAP Authentication Problem on Call Manager 7.1.3b

To add a little to Hailey's reply.  The way the authentication process works is as follows:

1. The user/application submits the user ID and password to CUCM (via whatever interface)

2. CUCM identifies the user as an End User (if End User and LDAP auth is enabled, then proceed)

3. CUCM performs an LDAP bind using the CUCM directory services account you configured when setting it up.  The bind attempt is made against the LDAP servers you have specified in the config.  Key point, CUCM has not authenticated the user yet.

4. CUCM queries the LDAP to resolve fully qualified name for the user ID provided in step 1

5. If all is well, LDAP replies with the full context name

6. CUCM then attempts a bind to LDAP using the full context name discovered in step 5 and the password provided in step 1 (binding as the user)

7. If LDAP accepts the credentials then the user is logged in.  From this point forward, LDAP is no longer involved with the user session

So, you need to check your authentication config to ensure the appropriate servers, search base, etc. are provided.  Usually, they are set to the same context as your synchronization agreement.  Unless, of course, you have more than one sync agreement.  Then, the authentication user search base must be set at a level that encompasses all sync agreements.

Are you using open or secure LDAP?  If secure, have you loaded the certs from LDAP?  If you have loaded the certs, have you restarted the Tomcat service?

Are you dealing with multiple trees or child domains?

I would be guessing on other reasons at this point.

HTH.


Regards,
Bill

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla

Please remember to rate helpful responses and identify

New Member

Re: LDAP Authentication Problem on Call Manager 7.1.3b

The application user account I created works perfectly.

I have restarted the publisher server...but unfortunately, I still cannot log in with AD user accounts!!

My integration is with Active Directory, with parent and child domains. I am on a child domain....

I am trying to log in at the URL: https://x.x.x.x/ccmuser

The strange thing is that the synchronization is fine; I can even search all my users in the corporate directory of the IP phones.

Thank you for your response.

Red

Re: LDAP Authentication Problem on Call Manager 7.1.3b

Have you restarted the Tomcat service by using CLI command below?

utils service restart Cisco Tomcat

Michael

http://htluo.blogspot.com

New Member

Re: LDAP Authentication Problem on Call Manager 7.1.3b

Check whether the ccmuserid you are using to log in has the privilege for end user

Re: LDAP Authentication Problem on Call Manager 7.1.3b

Yep, I pointed this out in my earlier post - please verify that the end user accounts are members of the Standard CCM End User group.

Hailey

New Member

Re: LDAP Authentication Problem on Call Manager 7.1.3b

Certainly they are in the standard CCM End Users Group.

Red

Re: LDAP Authentication Problem on Call Manager 7.1.3b

Could you try this?

1) Type the following command in the CUCM CLI (command line interface)

utils service restart Cisco Tomcat

2) Wait until Tomcat has started.  Try to log into the CCMUser page

3) If it failed, collect "Cisco Tomcat Security" logs.  Make sure the time frame covers the last logon attempt.

Thanks!

Michael

http://htluo.blogspot.com

New Member

Re: LDAP Authentication Problem on Call Manager 7.1.3b

I have restarted the tomcat service, still the problem persists.

I am pasting the logs from the CUCM:


Red

Re: LDAP Authentication Problem on Call Manager 7.1.3b

1) We need "Tomcat Security" logs, not "Tomcat" logs.

2) Please don't paste the content of the logs.  Instead use RTMT to collect logs and upload the files.

3) Please make sure the logs cover the time of the login attempt.

Thanks!

Michael

New Member

Re: LDAP Authentication Problem on Call Manager 7.1.3b

Unfortunately RTMT didn't work.

But I got the security logs from the CLI.

I am attaching the file....

Thank you in advance...

Red

Re: LDAP Authentication Problem on Call Manager 7.1.3b

Obviously, user "CN=MLavrentakis,OU=Cyprus,OU=Employees,DC=eurobank,DC=efg,DC=gr" failed the authentication.

Questions:

1) Is "CN=MLavrentakis,OU=Cyprus,OU=Employees,DC=eurobank,DC=efg,DC=gr" a valid DN?  Could you go to the command prompt of the domain controller and get the screen output of "dsquery user -samid MLavrentakis"?

2) Could you check if the user account was locked on AD?  Check both "MLavrentakis" and "scanner".

To further investigate the problem, could you do a packet capture from CUCM?  Command as below:

utils network capture file cucm count 1000000 size all host all 10.211.20.127

Start the command above.  Try to log into CCMUser page.  Press Ctrl-C to stop capture.

Then use the commands below to collect logs:

1) Get Packet Capture:

file get activelog platform/cli/cucm.cap

2) Get Tomcat Security:

file get activelog tomcat/logs/security/log4j/security*.*

You'll need a SFTP server (such as http://www.freesshd.com/freeFTPd.exe) to receive the file.

Thanks!

Michael

New Member

Re: LDAP Authentication Problem on Call Manager 7.1.3b

1)The  output of the command "dsquery user -samid MLavrentakis" was:

CN=MLavrentakis,OU=Cyprus,OU=Employees,DC=eurobank,DC=efg,DC=gr

2) The accounts are not locked..

3) I am attaching the files you requested

Thank you in advance...

Red

Re: LDAP Authentication Problem on Call Manager 7.1.3b

Based on packet #14 in the packet capture, LDAP server 10.211.20.127 is rejecting the credential you provided for MLavrentakis.  The error was "Invalid Credentials".  This error is from the LDAP server, not from Cisco CUCM.

If you're pretty sure the password you entered was correct, you may try the following:

1) Reset MLavrentakis' password to a simple one.  Retry login from CCMUser page.

If that didn't work, you may try:

2) Go to CUCM > System > LDAP > LDAP Authentication.

Change authentication port from 389 to 3268.

Restart Tomcat with CLI command "utils service restart Cisco Tomcat"

Retry login from CCMUser page.

Explanation:

Port 3268 is the Global Catalog port and is recommended for authentication purposes.

If neither of the above works, please get the packet capture again.  (you don't need Tomcat Security logs because we know the problem is NOT on Tomcat).

Thanks!

Michael

New Member

Re: LDAP Authentication Problem on Call Manager 7.1.3b

Unfortunately I did not manage to log in.

I am attaching the capture file.

I spoke as well with the AD administrator and he told me that the user ID I am using is allowed to log in to the CUCM server.

Thank you in advance...

New Member

Re: LDAP Authentication Problem on Call Manager 7.1.3b

An obvious question, but have you tried logging into a domain PC with the same credentials?

Red

Re: LDAP Authentication Problem on Call Manager 7.1.3b

By looking at the packet capture, the problem is still on LDAP side.

Here are the relevant packets:

#4 CUCM sent bindRequest to LDAP.  Username: eurobank\scanner.  Password: scanner1234$$
#5 LDAP sent successful response

#13 CUCM sent bindRequest to LDAP.  Username: CN=MLavrentakis, OU=Cyprus,OU=Employees,DC=Eurobank,DC=efg,DC=gr.  Password: !Log1234!
#14 LDAP sent failed response - "invalidCredentials"

If you're sure the information was correct in packet #13, you should get your LDAP engineer to explain packet #14.

Thanks!

Michael

New Member

Re: LDAP Authentication Problem on Call Manager 7.1.3b

You are absolutely right!!!

The usernames and passwords are correct!!!

I can login with the same credentials in the domain....

It is obvious that the problem is AD and the permissions of these user accounts....

I need to focus on the AD ...

Your recommendations and troubleshooting were excellent!!!

Thank you very much for your help, Michael!!!

New Member

LDAP Authentication Problem on Call Manager 7.1.3b

The reason directory sync works and this doesn't is because end user auth is completely separate from directory sync. I had a similar problem and the cause was that the end user was on a child domain that didn't share a root with the auth server I was using. The server was on xyz.com and the user on abc.com. The fix for me was changing the user search base from "DC=xyz,DC=com" to "DC=com" and changing the port I was using from 389 (LDAP port) to 3268 (global catalog port). This doc also helped.

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/7x/directry.html#wp1070369
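As an added illustration (not code from Cisco or from anyone in this thread) of the two-stage bind Bill lays out earlier and of the search-base and Global Catalog point in the post just above: an in-memory mock stands in for the directory server, and the domains, DNs, accounts and passwords are constructed sample values.

```python
def _under(dn, base):
    """True if dn is base itself or sits below it (case-insensitive suffix test)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


class MockLdapServer:
    """Stand-in for an AD server. naming_contexts are the partitions it answers
    for: its own domain for a DC on port 389, the whole forest for a GC on 3268."""

    def __init__(self, naming_contexts, entries):
        self.naming_contexts = naming_contexts
        self.entries = entries  # DN -> {"sAMAccountName": ..., "password": ...}

    def _held(self, dn):
        return any(_under(dn, nc) for nc in self.naming_contexts)

    def bind(self, dn, password):
        """Simple bind: only a DN this server holds, with the right password."""
        entry = self.entries.get(dn)
        return entry is not None and self._held(dn) and entry["password"] == password

    def search(self, base, user_id):
        """Resolve a user ID (sAMAccountName) to its DN within the search base
        and within the partitions this server holds; None if nothing matches."""
        for dn, attrs in self.entries.items():
            if attrs["sAMAccountName"].lower() == user_id.lower() and _under(dn, base) and self._held(dn):
                return dn
        return None


def cucm_end_user_auth(server, svc_dn, svc_pw, search_base, user_id, user_pw):
    """Steps 3-7 of the flow Bill describes: bind with the directory service
    account, look up the user's full DN, then bind again as that user."""
    if not server.bind(svc_dn, svc_pw):            # step 3: service-account bind
        return "SERVICE_BIND_FAILED"
    user_dn = server.search(search_base, user_id)  # steps 4-5: resolve the full DN
    if user_dn is None:
        return "USER_NOT_FOUND"
    if not server.bind(user_dn, user_pw):          # step 6: bind as the user
        return "INVALID_CREDENTIALS"               # the outcome seen in packet #14
    return "OK"                                    # step 7: logged in


# Constructed sample forest: xyz.com holds the service account, abc.com is a sibling domain.
FOREST = {
    "CN=svc-cucm,OU=Service,DC=xyz,DC=com": {"sAMAccountName": "svc-cucm", "password": "svc-pass"},
    "CN=alice,OU=Employees,DC=xyz,DC=com": {"sAMAccountName": "alice", "password": "alice-pass"},
    "CN=bob,OU=Employees,DC=abc,DC=com": {"sAMAccountName": "bob", "password": "bob-pass"},
}
DOMAIN_CONTROLLER = MockLdapServer(["DC=xyz,DC=com"], FOREST)                # port 389 view
GLOBAL_CATALOG = MockLdapServer(["DC=xyz,DC=com", "DC=abc,DC=com"], FOREST)  # port 3268 view
```

Running bob through DOMAIN_CONTROLLER with either search base returns USER_NOT_FOUND, while GLOBAL_CATALOG with base "DC=com" returns OK; a wrong user password on a found DN returns INVALID_CREDENTIALS, which is the distinction the packet capture in this thread turned on.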

New Member

Re: LDAP Authentication Problem on Call Manager 7.1.3b

Have you mapped a different LDAP attribute to the CM User ID?  For example, under LDAP System, if your LDAP attribute for the User ID is set to "telephone number" then your CM login user ID is the telephone number set in the AD user account.

just something to look for....?
