UCS Manager LDAP issue

johnyb2000
Level 1

Hi guys,

Just wondering if anyone could help with an odd issue we seem to have come across with our UCS Manager. We have set it up to use LDAP authentication for log on, which is working fine for four of our five team members; however, we have one user who, although he is in exactly the same groups as the rest of us, continually gets unauthenticated user errors.

We've done the usual of checking it is not his machine or setup, and in the logs it doesn't even register an attempt at log on failing, so I'm not too sure what I can check. Any thoughts would be very much appreciated!

We are using UCSM v2.1 (1e) in case that is relevant?

Many Thanks

John


padramas
Cisco Employee

Hello John,

Are you using MS AD?

Please make sure that LDAP group map is referring to correct DN.

Anything special about non-working user account ?

Please turn on the following debugs and request the user to login.

connect nxos

debug aaa all

debug ldap all

debug aaa aaa-request

After the login attempt, you can turn off the debugs with "undebug all".

Please share the debug output.

Padma

Hi Padma,

Thanks for the reply. Nope, there is nothing special about this user that I can see, and if I create a brand new user and just put it in Domain Admins and the LDAP group for UCS, then it logs in just fine.

I have enabled the debugging options and got the user to try logging in, but it doesn't even seem to register his attempt. When another member of the team logs in, the log updates in front of me, but when this other person does, nothing comes up! Very odd.

Many Thanks

John

Hello John,

Please save the SSH session output and then turn on the debug.

After the login attempt, please share the session log file.

Do all these users belong to the same group as defined in the LDAP group map?

Thanks

Padma

bruceperttunen
Level 1
(Accepted Solution)

I had run into the same issue. Turned out to be a bug in the firmware when DNs were too long.

CSCth96721

There is no longer a 128 character limitation to the number of OUs or the length of the Distinguished Name (DN) when using LDAP authentication with Active Directory.

http://www.cisco.com/en/US/docs/unified_computing/ucs/release/notes/UCS_28313.html
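
As an added illustration of the length limit Bruce's reply points at (this is example code written for this page, not anything from Cisco, UCSM or the thread): the script below builds AD-style distinguished names from their RDN components, applies RFC 4514 escaping (a comma in a CN such as "Johnson, Alexander" becomes "\," and counts toward the length), and flags every DN longer than a configurable ceiling, 128 characters by default to match the release note quoted above. The OU tree, domain and user names are constructed for the example; they are not from the original post. The second sample user is five characters longer than the first, which is exactly enough to cross the limit with this container path, mirroring what John found.

```python
"""
Audit Active Directory-style distinguished names (DNs) against a fixed
length ceiling, such as the 128-character limit described for UCSM LDAP
authentication in CSCth96721.  Example code for this page; every DN below
is constructed inline, nothing is read from a real directory.
"""
from dataclasses import dataclass

# RFC 4514: these characters are backslash-escaped anywhere in an RDN value;
# a leading space or '#' and a trailing space are escaped too.  The escape
# character itself is part of the DN string and therefore of its length.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value the way it appears inside a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(cn: str, container: list[tuple[str, str]]) -> str:
    """Build 'CN=<cn>,<container RDNs>' from (attribute, value) pairs."""
    rdns = [("CN", cn)] + container
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


@dataclass
class DnCheck:
    dn: str
    length: int
    limit: int

    @property
    def over_limit(self) -> bool:
        return self.length > self.limit

    @property
    def headroom(self) -> int:
        """Characters left before the limit (negative when already over)."""
        return self.limit - self.length


def check_dn(dn: str, limit: int = 128) -> DnCheck:
    return DnCheck(dn=dn, length=len(dn), limit=limit)


def audit(dns: list[str], limit: int = 128) -> list[DnCheck]:
    """Return a check for every DN that exceeds the limit."""
    return [c for c in (check_dn(dn, limit) for dn in dns) if c.over_limit]


# Constructed container path: a deep OU tree, hypothetical domain.
CONTAINER = [
    ("OU", "UCS Admins"),
    ("OU", "Infrastructure"),
    ("OU", "Data Centre Ops"),
    ("OU", "Engineering"),
    ("OU", "Users"),
    ("OU", "Corporate"),
    ("DC", "example"),
    ("DC", "internal"),
]

# Constructed sample CNs; the second is five characters longer than the first.
SAMPLE_USERS = ["Alex Johnson", "Alexander Johnson", "Johnson, Alexander"]

if __name__ == "__main__":
    for cn in SAMPLE_USERS:
        c = check_dn(build_dn(cn, CONTAINER))
        flag = "OVER" if c.over_limit else "ok"
        print(f"{flag:>4} {c.length:3d} chars (headroom {c.headroom:+d}): {c.dn}")
```

In practice you would feed `audit()` the `distinguishedName` values exported from the directory (for example the DistinguishedName field from `Get-ADUser`, or an `ldapsearch` dump) rather than building them by hand; the point of the escaping step is that the string the appliance receives, escapes included, is what has to fit.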

Bruce you're a star, thank you.

Thanks again Padma for the offer. I was just popping on to post results when I saw Bruce's comment and did some testing: the non-working account is 5 letters longer than any of our others, which is apparently just enough to tip his DN over to too long! Have created an account with Alex instead of Alexander as the name and he is up and running perfectly.

Much appreciated guys

John
