UCS Manager and Active Directory integration

simon.geary
Level 1

I am looking to create an LDAP authentication provider in UCS manager that will authenticate users against Active Directory. I see from the UCS configuration guide that a schema change is required to add a new attribute to user accounts, and the guide details what the new attribute should be. However there are no detailed instructions on how to make the change in AD. I imagine some sort of LDIFDE import is required but does anyone have more detailed steps on how to do this?

Thanks

21 Replies

Correct, you no longer have to extend the schema, check out this guide on how to configure it.

https://supportforums.cisco.com/docs/DOC-14642

We just upgraded to 1.4 last night, so I'll be looking into the process and reporting any gotchas in the documentation.

Harold,

I've gone through a few of these setups at various sites and have found two common issues that are being run into:

1) Now is not the time to enable SSL. Do this as a separate exercise. It is more involved than ticking "SSL enable".

2) Make sure your BindDN account/password is working. There is no indication in the UCS GUI that the BindDN account and password are valid and correct. It will just fail later when you attempt to authenticate with a user account. The BindDN account must be able to browse the AD tree. It must be at least a read-only account. It does not need admin privs.

As I collect more feedback, I'll upgrade the guide.

David,

The only thing that got me was I was migrating from a 1.3 working LDAP config to a group-based 1.4 LDAP config. The existing LDAP providers were not group-enabled, and there was no way in the GUI to enable them after the fact. It may have been possible using the CLI, but I deleted and recreated the providers one by one, and I was able to group-enable them at that time.

As far as setting up SSL, you're absolutely right. If you're starting from scratch wait till you have it working, then try SSL. It appears that the SSL setup with Trusted Points and Key Rings has not changed. When I checked the SSL box on the re-created providers it just worked. So from an upgrade perspective that's good. I'm assuming that the initial setup hasn't changed from the above guide, so it's still a bit complex to get going the first time.

Lastly thanks for the tip to install a local Authentication Domain before testing out the new config. That's a life saver.

I have LDAP authentication working with no problem but I need to enable SSL.

After everything was working, I went back and checked the enable SSL checkbox and I lost connectivity with the server.

I also tried changing the port from 389 to 636 and got the same results.

Does anyone know/have the procedure to enable SSL? Maybe I am missing something on the AD side.

Thanks,

Alberto

Thanks Harold. We successfully implemented this with only installing the root CA for our forest. Thanks!
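Two points in this thread are worth checking outside the UCS GUI before touching the provider config: the earlier reply notes that UCS gives no feedback on whether the BindDN credentials actually work (it only fails later at user login), and the SSL exchange above ends with the observation that installing the forest root CA was enough for LDAPS on 636. The script below is an added example, not code from this thread or from Cisco: it performs one LDAPv3 simple bind by hand (RFC 4511 BER encoding over a plain socket, so no third-party LDAP library is needed), optionally over LDAPS with the chain verified against a root CA file, and reports the directory's resultCode. The domain controller hostname, BindDN and CA file path are command-line assumptions; the two sample responses embedded in the block are constructed for offline parsing, not captured from a real DC.

```python
"""Check a UCS Manager BindDN against AD with a hand-built LDAPv3 simple bind (added example)."""
import getpass
import socket
import ssl
import sys

# Subset of RFC 4511 resultCode values that matter when testing a bind.
RESULT_NAMES = {0: "success", 8: "strongerAuthRequired",
                13: "confidentialityRequired", 49: "invalidCredentials"}


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x8N + N octets) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(body)) + body


def build_bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] } using simple authentication.
    msg_id is assumed to be 1..127 so the INTEGER fits in a single content octet."""
    bind = tlv(0x60, tlv(0x02, b"\x03")                 # version 3
                     + tlv(0x04, bind_dn.encode())      # name = the BindDN
                     + tlv(0x80, password.encode()))    # simple [0] password
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the element at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def parse_bind_result(msg: bytes):
    """Return (resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, start, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, end = read_tlv(msg, start)                    # skip messageID
    tag, start, _ = read_tlv(msg, end)
    if tag != 0x61:
        raise ValueError("protocolOp 0x%02x is not a BindResponse" % tag)
    _, cs, ce = read_tlv(msg, start)                    # resultCode ENUMERATED
    _, _, de = read_tlv(msg, ce)                        # matchedDN (ignored)
    _, ms, me = read_tlv(msg, de)                       # diagnosticMessage
    return int.from_bytes(msg[cs:ce], "big"), msg[ms:me].decode(errors="replace")


def recv_exact(sock, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("directory server closed the connection")
        data += chunk
    return data


def simple_bind(host, port, bind_dn, password, use_ssl=False, cafile=None, timeout=5.0):
    """Bind once and return (resultCode, diagnosticMessage). Over LDAPS the certificate
    chain is verified against cafile (e.g. the forest root CA) and the DC's certificate
    must carry the hostname you connect to, which is the usual cause of a silent failure."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_ssl:
        sock = ssl.create_default_context(cafile=cafile).wrap_socket(sock, server_hostname=host)
    try:
        sock.sendall(build_bind_request(1, bind_dn, password))
        head = recv_exact(sock, 2)                      # tag + first length octet
        length = head[1]
        if length & 0x80:
            head += recv_exact(sock, length & 0x7F)
            length = int.from_bytes(head[2:], "big")
        return parse_bind_result(head + recv_exact(sock, length))
    finally:
        sock.close()


# Constructed sample responses (what a DC would put on the wire), for offline parsing.
SAMPLE_SUCCESS = bytes.fromhex("300c02010161070a010004000400")
SAMPLE_INVALID_CREDS = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x61, tlv(0x0a, b"\x31")
                           + tlv(0x04, b"") + tlv(0x04, b"constructed: invalid credentials")))


def demo():
    """Parse the constructed samples; returns {label: (code, name, diagnosticMessage)}."""
    out = {}
    for label, raw in (("success", SAMPLE_SUCCESS), ("invalid", SAMPLE_INVALID_CREDS)):
        code, diag = parse_bind_result(raw)
        out[label] = (code, RESULT_NAMES.get(code, "other"), diag)
    return out


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: bind_check.py DC_HOST BIND_DN [ldaps [ROOT_CA.pem]]")
    host, bind_dn = sys.argv[1], sys.argv[2]
    ldaps = len(sys.argv) > 3 and sys.argv[3] == "ldaps"
    cafile = sys.argv[4] if len(sys.argv) > 4 else None
    code, diag = simple_bind(host, 636 if ldaps else 389, bind_dn,
                             getpass.getpass("BindDN password: "), ldaps, cafile)
    print(f"resultCode={code} ({RESULT_NAMES.get(code, 'other')}) {diag}")
```

Run it once on 389 with the exact BindDN and password you intend to type into the provider; a resultCode of 49 means the credentials are wrong before UCS ever gets involved. Run it again with `ldaps` and the root CA file: if the TLS handshake fails here, the provider will also fail once the SSL box is ticked, and the Python error tells you whether it is the chain (wrong or missing root CA) or the name (DC certificate issued to a different hostname) that needs fixing on the AD side.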

cy-harrild
Level 1

This may seem a bit academic at this point, but why use LDAP against Active Directory, which requires a schema extension and a heap of messing around, when RADIUS takes a whole lot less time to implement, ties policies to AD groups and can be made to service other devices (like Cisco MDS)?
