Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1524
Views
0
Helpful
2
Replies

Prime LMS 4.2.2 & LDAP problem

Go to solution
Dawit Zeru
Level 1
Level 1

‎10-11-2012 05:56 AM

Hi Everyone,

I have an urgent question; I tried and succeeded to configure LMS with Active Directory (LDAP),

but every username in AD can enter the LMS,(by default the path to the users is cn=Users).

I tried to give a specific Folder in LMS under (Usersroot) for example:

Usersroot - {cn=iteam, dc=yyy, dc=yyy, dc=yyy}

and still all the users can login to the LMS.

I tried to set that only one username can login to the LMS (under {RDN-Prefix - cn=lmsldap} ) --> in the PIc' bleow

but it didn't help all the users the same problem all the users can login to the LMS.

Is there any way to configure that a specific group or users from AD can login to the LMS.

the Pic' is the attempt when I try to configure that only one user can login

First Attempt.jpg

please advisie

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jesper_petersen
Level 1
Level 1

‎04-12-2013 05:24 AM

Hello Dawit

First of all - congratulation on even getting it to work I'm struggling to get LDAP to work... Haven't succeded yet.

As for your questions - see http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/user/guide/admin/admin42ug.pdf

If you look at page 2-29 to 2-33 you will eventually find :

Active Directory users who are logged into Cisco Prime, have the privileges of a Help Desk role. To

assign other privileges to Active Directory users, you must set up a user in Cisco Prime with the same

name

As I interpret it, then as long as a user is validated using LDAP he will be grated access with the Help Desk Role.

Have you tried to make an OU beneath Users called etc. LMS and then move a test user inside that OU?

You would have to adjust your Usersroot to something like ou=LMS,ou=users,dc=test,dc=local

I persoanlly just keep getting a :

javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'ou=Admin Accounts,ou=Admin-service accounts-Grupper, dc=XyZ, dc=local'

Where do I tell the LMS which username to do AD lookups with?

Sorry for the question in your question

View solution in original post

0 Helpful
2 Replies 2

Go to solution
jesper_petersen
Level 1
Level 1

‎04-12-2013 05:24 AM

Hello Dawit

First of all - congratulation on even getting it to work I'm struggling to get LDAP to work... Haven't succeded yet.

As for your questions - see http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/user/guide/admin/admin42ug.pdf

If you look at page 2-29 to 2-33 you will eventually find :

Active Directory users who are logged into Cisco Prime, have the privileges of a Help Desk role. To

assign other privileges to Active Directory users, you must set up a user in Cisco Prime with the same

name

As I interpret it, then as long as a user is validated using LDAP he will be grated access with the Help Desk Role.

Have you tried to make an OU beneath Users called etc. LMS and then move a test user inside that OU?

You would have to adjust your Usersroot to something like ou=LMS,ou=users,dc=test,dc=local

I persoanlly just keep getting a :

javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'ou=Admin Accounts,ou=Admin-service accounts-Grupper, dc=XyZ, dc=local'

Where do I tell the LMS which username to do AD lookups with?

Sorry for the question in your question

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to jesper_petersen

‎04-12-2013 06:29 AM

Dawit and Jesper,

The key concept here is that (as of LMS 4) all Authorization is based on the local (to LMS) user role. The external identity store (LDAP, TACACS, etc.) is only for Authentication.

It used to be different with LMS 3.x and earlier using attributes form the external store to determine authorization but that feature was deprecated.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents