Dawit Zeru
Beginner

Prime LMS 4.2.2 & LDAP problem

Hi Everyone,

I have an urgent question. I tried and succeeded in configuring LMS with Active Directory (LDAP),

but every username in AD can enter the LMS (by default the path to the users is cn=Users).

I tried to give a specific folder in LMS under Usersroot, for example:

Usersroot - {cn=iteam, dc=yyy, dc=yyy, dc=yyy}

and still all the users can log in to the LMS.

I tried to set that only one username can log in to the LMS (under {RDN-Prefix - cn=lmsldap}) --> in the picture below,

but it didn't help; the same problem, all the users can log in to the LMS.

Is there any way to configure that a specific group or users from AD can log in to the LMS?

The picture is the attempt when I try to configure that only one user can log in:

First Attempt.jpg

Please advise.

Accepted Solution
jesper_petersen
Beginner

Hello Dawit

First of all - congratulations on even getting it to work. I'm struggling to get LDAP to work... Haven't succeeded yet.

As for your questions - see http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/user/guide/admin/admin42ug.pdf

If you look at pages 2-29 to 2-33 you will eventually find:

"Active Directory users who are logged into Cisco Prime have the privileges of a Help Desk role. To assign other privileges to Active Directory users, you must set up a user in Cisco Prime with the same name."

As I interpret it, as long as a user is validated using LDAP he will be granted access with the Help Desk role.

Have you tried to make an OU beneath Users called e.g. LMS and then move a test user inside that OU?

You would have to adjust your Usersroot to something like ou=LMS,ou=users,dc=test,dc=local

I personally just keep getting a:

javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'ou=Admin Accounts,ou=Admin-service accounts-Grupper, dc=XyZ, dc=local'

Where do I tell the LMS which username to do AD lookups with?

Sorry for the question in your question.

2 Replies

Dawit and Jesper,

The key concept here is that (as of LMS 4) all Authorization is based on the local (to LMS) user role. The external identity store (LDAP, TACACS, etc.) is only for Authentication.

It used to be different with LMS 3.x and earlier, which used attributes from the external store to determine authorization, but that feature was deprecated.
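The two points the thread settles on (the Usersroot search base decides which AD accounts can authenticate at all, and the role comes from a local LMS user, defaulting to Help Desk) can be modelled in a few dozen lines. The following is an added, constructed example and not CiscoWorks LMS or Cisco Prime code: it assumes a "bind with a lookup account, search for cn=username below Usersroot, then bind as the user" flow, a constructed directory (`DIRECTORY`, `LOOKUP`, `LOCAL_ROLES`), and an illustrative role name for the one locally defined user. It also models the bind-before-search rule behind the `000004DC` error quoted above; the thread does not say where that lookup account is configured in LMS, so the example just takes it as a parameter.

```python
"""Toy model of the login flow discussed in this thread.

Constructed example, not CiscoWorks LMS / Cisco Prime code. It assumes a
simple "lookup bind, search under Usersroot, then bind as the user" flow and
models two points from the thread: the Usersroot search base decides which
AD accounts can authenticate at all, and the role is assigned locally, with
Help Desk as the default when no matching local user exists.
"""
from typing import Dict, List, Optional, Tuple

DEFAULT_ROLE = "Help Desk"  # default for LDAP users, per the admin guide quote above


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'CN=bob, OU=LMS,DC=test,DC=local' into [(type, value), ...].

    AD compares attribute types and these values case-insensitively and
    ignores whitespace around commas, so both are normalised here.
    Escaped commas (\\,) inside a value are not handled by this toy parser.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def dn_under_base(user_dn: str, base_dn: str) -> bool:
    """True when user_dn is at or below base_dn (its RDN list ends with base_dn's)."""
    user, base = parse_dn(user_dn), parse_dn(base_dn)
    return len(user) >= len(base) and user[len(user) - len(base):] == base


class ToyDirectory:
    """Stand-in for an AD server holding DN -> password (constructed data)."""

    def __init__(self, entries: Dict[str, str]):
        self.entries = entries

    def bind(self, dn: str, password: str) -> bool:
        return self.entries.get(dn) == password

    def find_user(self, lookup: Optional[Tuple[str, str]], usersroot: str,
                  username: str, rdn_attr: str = "cn") -> Optional[str]:
        """Search for rdn_attr=username below usersroot.

        Like AD, the search is refused unless the connection is already bound
        with a lookup account; that is the condition behind the
        "successful bind must be completed" error quoted in the thread.
        """
        if lookup is None or not self.bind(*lookup):
            raise PermissionError("search refused: a successful bind must be completed first")
        wanted = (rdn_attr.lower(), username.lower())
        for dn in self.entries:
            if parse_dn(dn)[0] == wanted and dn_under_base(dn, usersroot):
                return dn
        return None


def lms_login(directory: ToyDirectory, lookup: Tuple[str, str], usersroot: str,
              username: str, password: str, local_roles: Dict[str, str]) -> Optional[str]:
    """Return the role granted to the user, or None when login is refused."""
    dn = directory.find_user(lookup, usersroot, username)
    if dn is None or not directory.bind(dn, password):
        return None  # authentication failed: outside Usersroot, or wrong password
    # Authorization is purely local: the external store only answered "who is this".
    return local_roles.get(username.lower(), DEFAULT_ROLE)


# Constructed directory and LMS-side data for the demonstration.
DIRECTORY = ToyDirectory({
    "CN=lmslookup,CN=Users,DC=test,DC=local": "lookup-pw",
    "CN=alice,CN=Users,DC=test,DC=local": "alice-pw",
    "CN=bob,CN=Users,DC=test,DC=local": "bob-pw",
    "CN=carol,OU=LMS,DC=test,DC=local": "carol-pw",
})
LOOKUP = ("CN=lmslookup,CN=Users,DC=test,DC=local", "lookup-pw")
LOCAL_ROLES = {"carol": "Network Administrator"}  # constructed local LMS user; role name illustrative

if __name__ == "__main__":
    everyone = "CN=Users,DC=test,DC=local"   # the default path from the question
    restricted = "OU=LMS,DC=test,DC=local"   # a dedicated OU, as suggested above
    for base in (everyone, restricted):
        for user, pw in (("alice", "alice-pw"), ("carol", "carol-pw")):
            role = lms_login(DIRECTORY, LOOKUP, base, user, pw, LOCAL_ROLES)
            print(f"{base:28} {user:6} -> {role}")
```

Running it shows the behaviour from the question: with Usersroot at `CN=Users` every account in that container gets in (as Help Desk unless a same-named local user exists), while pointing Usersroot at a dedicated OU lets only the accounts moved into that OU authenticate. Note that the OU user is refused under the `CN=Users` base as well, since the check is a plain suffix match on the DN and nothing else.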