07-22-2008 12:37 AM
Hi
I have configured Common Services to use AD/LDAP authentication. It works, but now after logon I don't have sufficient privileges to change anything in CiscoWorks (for instance, I can't change AAA parameters now). Is there another way to log on locally, or do I have to disconnect the CW server from the LDAP server? How does CW give privileges to an account from AD?
thanks in advance
Tomek
07-22-2008 03:48 AM
The authorization is done via the local CiscoWorks LMS database. So the username used in LDAP should be available in the local CiscoWorks database with the appropriate user role. If no username is found, the user will have the helpdesk role and limited permissions.
07-22-2008 04:53 AM
Thanks a lot.
It explains everything.
Now I have accounts in CW as "name.surname", but I have to log on to AD using "name space surname" as the login name (even though my domain account is with "."). Maybe you know how I can log in to CW with admin privileges now, and how I can resolve this problem with the login names?
best regards
Tomek
07-22-2008 05:11 AM
The default Login fallback option is set to admin only, so you should be able to log in with admin (it bypasses the AD if this username is not available in AD).
Otherwise you should reset the login module: stop crmdmgtd, run the resetlogin perl script (NMSROOT\bin\perl NMSROOT\bin\ResetLoginModule.pl) and restart the daemon manager crmdmgtd.
07-22-2008 06:25 AM
OK. I hope it's the last question :)
Now I'm connected as admin. I've configured login module options like:
Server: ldap://server.domain.com
Usersroot: ou=Information Technology, dc=domain, dc=com
Prefix: sAMAccountName=
And I can't log on. When I change Prefix to cn= then I can log in with name space surname. Anonymous binding is enabled. Where can the problem be?
In the LDAP browser I can see the attribute: sAMAccountName=name.surname
thanks a lot
Tomek
09-08-2008 01:32 AM
Hi
We have recently changed the LMS config to the Microsoft Active Directory mode.
You say that the username should be found in the LMS local database.
But when I create a new user I must fill in the password field. What should I insert? The policy in our company is to change the password regularly, so will I have to change the password in LMS too?
Regards
09-08-2008 03:24 AM
The password (local user database) is only used when the AD is not accessible/down, for example. You can however specify a fall-back user in case the AD is not available. Normally admin is used. So if you want users to be able to log in when AD is not available, you should specify a password (which is static, or people should change their password on a regular basis).
09-08-2008 05:01 AM
OK. What are the rights of the AD users? How do I define the role as technician or administrator?
09-08-2008 05:19 AM
The authorization is done via the local CiscoWorks LMS database. So the username used in AD should be available in the local CiscoWorks database with the appropriate user role. If no username is found, the user will have the helpdesk role and limited permissions. If you have AAA mode (using CiscoSecure ACS) you can create other roles with your own customization.
09-08-2008 05:56 AM
So I must create the users of the AD in the LMS local database in order to select which role I wish to give. The problem is keeping the password up to date. It does not seem to be a really friendly mode!
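
Added example, not part of the thread and not Cisco code: a small Python model of the login behaviour the replies above describe (AD authenticates, the local LMS database supplies the role by exact user name, unmatched names get the Help Desk role, fallback users authenticate against the local password). The class, method and role names are assumptions, the sample accounts are constructed, and `unmapped()` is a hypothetical audit helper for spotting AD logins that would land in Help Desk.

```python
from dataclasses import dataclass, field

HELP_DESK = "Help Desk"  # role the thread says unmatched users receive

@dataclass
class LoginModel:
    ad_accounts: dict   # login name -> password (stands in for the LDAP bind)
    local_users: dict   # local user name -> (local password, role)
    fallback_users: set = field(default_factory=lambda: {"admin"})
    ad_reachable: bool = True

    def login(self, name, password):
        """Return the granted role, or None when the login is refused."""
        local = self.local_users.get(name)
        if self.ad_reachable and name in self.ad_accounts:
            if self.ad_accounts[name] != password:
                return None
            # Authenticated by AD; the role comes from the local database,
            # matched on the exact login name (assumption: no normalization).
            return local[1] if local else HELP_DESK
        # AD is down or does not know the name: only fallback users may
        # authenticate, and only against the local password.
        if name in self.fallback_users and local and local[0] == password:
            return local[1]
        return None

    def unmapped(self):
        """AD login names with no identically named local user."""
        return sorted(n for n in self.ad_accounts if n not in self.local_users)

def demo():
    # Constructed sample data; names follow the thread's "name.surname" case.
    m = LoginModel(
        ad_accounts={"name surname": "ad-pw"},
        local_users={"name.surname": ("old-pw", "System Administrator"),
                     "admin": ("admin-pw", "System Administrator")},
    )
    results = {"mismatch": m.login("name surname", "ad-pw"),
               "unmapped": m.unmapped(),
               "admin": m.login("admin", "admin-pw")}
    # Creating the local user under the exact AD login name fixes the role.
    m.local_users["name surname"] = ("unused", "System Administrator")
    results["matched"] = m.login("name surname", "ad-pw")
    m.ad_reachable = False
    results["ad_down_user"] = m.login("name surname", "ad-pw")
    results["ad_down_admin"] = m.login("admin", "admin-pw")
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
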