04-10-2014 05:57 AM - edited 03-10-2019 09:37 PM
I recently changed my LDAP password to troubleshoot a TAC case I have open. After changing the LDAP password, a test bind to the server works, but when I try to retrieve attributes I get an error “could not read user attribute data: invalid admin credentials or security settings” and after three tries the AD account gets locked out. Before changing the password I had no issues retrieving attributes. Is there something else that needs to be done after changing an External Identity Source password?
Thanks In Advance!
04-10-2014 06:33 AM
What version of ISE are you running? In ISE version 1.2 up to patch-6, there is an issue with retrieving AD groups:
The fix is to upgrade to patch-7
04-10-2014 06:54 AM
I am running v 1.2.8 and am using LDAP. The issue is when using LDAP and attributes are retrieved from some users, some user retrieval fails and some work.
Still curious on the password change though. I think it's odd that before the password change on my LDAP service account I was able to retrieve attributes, but now I get that error and the AD account locks out.
Thanks for your info.
04-10-2014 09:09 AM
"I am running v 1.2.8 and am using LDAP"
How is it even possible that you're running 1.2.8? The current release is 1.2.0.899:
Version information of installed applications
---------------------------------------------
Cisco Identity Services Engine
---------------------------------------------
Version : 1.2.0.899
Build Date : Wed Jul 24 07:37:31 2013
Install Date : Fri Feb 21 22:50:57 2014
Cisco Identity Services Engine Patch
---------------------------------------------
Version : 5
Install Date : Sat Feb 22 00:59:41 2014
Cisco Identity Services Engine Patch
---------------------------------------------
Version : 6
Install Date : Tue Mar 04 15:07:53 2014
Cisco Identity Services Engine Patch
---------------------------------------------
Version : 7
Install Date : Sat Apr 05 11:46:30 2014
What patch level are you running? If you're running pre-patch 7, there is a bug with retrieving AD groups.
04-10-2014 09:48 AM
I am running 1.2.0.899.
04-10-2014 11:04 AM
What is the patch level? Can you share the output of the "show version" command?
If it is less than 7, it is likely that you will have issues.
04-11-2014 07:52 AM
I fixed my issue. Apparently, when using LDAP or AD the password cannot be too complex. I created a less complex password and the issue was resolved. Hopefully this helps other folks in the future.
Version information of installed applications
---------------------------------------------
Root Patch VERSION INFORMATION
-----------------------------------
Version : 1.0.0 Vendor: Cisco Systems, Inc.
Build Date : February 06 2009 12:44PST
Cisco Identity Services Engine
---------------------------------------------
Version : 1.2.0.899
Build Date : Wed Jul 24 03:37:31 2013
Install Date : Fri Feb 7 02:59:40 2014
Cisco Identity Services Engine Patch
---------------------------------------------
Version : 7
Install Date : Fri Mar 28 10:32:25 2014