Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

UCS Manager 2.2 - LDAP Authentication

Hi,

I have some general questions about authentication with LDAP and UCS Manager.

I hope this is unterstandable..

We have the following structure:

  • DC=company.domain.com
    • OU=Domain Administration
          • OU=Administrators
            • OU=germany
              • CN=adm-user1
              • CN=adm-user2
          • OU=Test-OU
            • CN=ucstestuser
            • CN=ucsadmingroup --> Member = adm-user1, adm-user2

      I added a LDAP Provider,

      binduser is adm-user1

      baseDN = OU=Domain Administration,DC=company,DC=domain,DC=com

      attribute = empty

      filter = sAMAccountName=$userid

      password for adm-user1 is set

      group authorization/ recursive enabled.

      I did not add some attributes or map the group. Now I can login with ucstestuser (read-only), but not with adm-user1 oder adm-user2.

      If I add ucstestuser to ucsadmingroup an map that group, ucstestuser can access and have admin right, adm-user1 and adm-user2 don't can access (User Authentication failed).

      I don't understand, why ucstestuser can access and the other users in another OU not. The BaseDN is Domain Administration, so UCSM should see all three users, not?

      Can someone help? Thanks.

      /Danny

      1 ACCEPTED SOLUTION

      Accepted Solutions
      Cisco Employee

      UCS Manager 2.2 - LDAP Authentication

      With remote authentication in UCS when a user logs in it uses a temporary account on the FI in the form of ucs-MyAuthDomain\myusername which is limited to a total of 32 characters.  If you shorten the authentication domain name defined in UCSM from domain.com to a shorter name like AD it will allow for utilization of a longer username.

      Note

      For systems using remote authentication protocol, the authentication domain name is considered part of the user name and counts toward the 32-character limit for locally created user names. Because Cisco UCS inserts 5 characters for formatting, authentication will fail if the domain name and user name combined character total exceeds 27.

      http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/sw/gui/config/guide/2-2/b_UCSM_GUI_Configuration_Guide_2_2/b_UCSM_GUI_Configuration_Guide_2_1_chapter_01000.html

      3 REPLIES
      Community Member

      UCS Manager 2.2 - LDAP Authentication

      Hi again,

      I found the problem:

      If you use user accounts with maximum 15 characters, it works and you can access.

      If you use user accounts with 16 or more characters, it doesn't work and you get "User Authentication failed".

      Now, Cisco, please tell me, is this a bug or a feature?

      /Danny

      Cisco Employee

      UCS Manager 2.2 - LDAP Authentication

      With remote authentication in UCS when a user logs in it uses a temporary account on the FI in the form of ucs-MyAuthDomain\myusername which is limited to a total of 32 characters.  If you shorten the authentication domain name defined in UCSM from domain.com to a shorter name like AD it will allow for utilization of a longer username.

      Note

      For systems using remote authentication protocol, the authentication domain name is considered part of the user name and counts toward the 32-character limit for locally created user names. Because Cisco UCS inserts 5 characters for formatting, authentication will fail if the domain name and user name combined character total exceeds 27.

      http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/sw/gui/config/guide/2-2/b_UCSM_GUI_Configuration_Guide_2_2/b_UCSM_GUI_Configuration_Guide_2_1_chapter_01000.html

      Community Member

      UCS Manager 2.2 - LDAP Authentication

      Thanks. Solved my problem. Didn't know that the "domain name" counts, too.

      regards

      /Danny

      1309
      Views
      10
      Helpful
      3
      Replies
      CreatePlease to create content