10-11-2012 05:56 AM
Hi Everyone,
I have an urgent question; I tried and succeeded to configure LMS with Active Directory (LDAP),
but every username in AD can enter the LMS (by default the path to the users is cn=Users).
I tried to give a specific folder in LMS under (Usersroot), for example:
Usersroot - {cn=iteam, dc=yyy, dc=yyy, dc=yyy}
and still all the users can login to the LMS.
I tried to set that only one username can login to the LMS (under {RDN-Prefix - cn=lmsldap} ) --> in the pic below,
but it didn't help; the same problem, all the users can login to the LMS.
Is there any way to configure that a specific group or users from AD can login to the LMS?
The pic is the attempt when I try to configure that only one user can login.
Please advise.
04-12-2013 05:24 AM
Hello Dawit
First of all - congratulations on even getting it to work. I'm struggling to get LDAP to work... Haven't succeeded yet.
As for your questions - see http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/user/guide/admin/admin42ug.pdf
If you look at page 2-29 to 2-33 you will eventually find:
Active Directory users who are logged into Cisco Prime, have the privileges of a Help Desk role. To assign other privileges to Active Directory users, you must set up a user in Cisco Prime with the same name.
As I interpret it, then as long as a user is validated using LDAP he will be granted access with the Help Desk Role.
Have you tried to make an OU beneath Users called e.g. LMS and then move a test user inside that OU?
You would have to adjust your Usersroot to something like ou=LMS,ou=users,dc=test,dc=local
I personally just keep getting a:
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'ou=Admin Accounts,ou=Admin-service accounts-Grupper, dc=XyZ, dc=local'
Where do I tell the LMS which username to do AD lookups with?
Sorry for the question in your question
04-12-2013 06:29 AM
Dawit and Jesper,
The key concept here is that (as of LMS 4) all Authorization is based on the local (to LMS) user role. The external identity store (LDAP, TACACS, etc.) is only for Authentication.
It used to be different with LMS 3.x and earlier, using attributes from the external store to determine authorization, but that feature was deprecated.
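Added example (not from any post in this thread, nor LMS's own code): a small model of the two mechanisms discussed above, the Usersroot search base that decides which directory entries are even found, and the LMS-local role lookup that decides what an authenticated user may do. All DNs, usernames and roles are constructed sample values.

```python
"""Model of LDAP search-base scoping plus local role mapping.
AD answers only 'is this who they claim to be?'; the role comes from the
LMS-local user table, defaulting to Help Desk (per the thread's last reply)."""

from typing import Dict, List, Tuple

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, normalising case and the
    spaces people type after commas (e.g. 'cn=iteam, dc=yyy')."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def dn_under_base(user_dn: str, usersroot: str) -> bool:
    """True if user_dn sits beneath usersroot (the RDNs of usersroot form the
    tail of the user's DN). An entry outside the base is not found by a
    search rooted there, so it cannot authenticate as an application user."""
    user, base = parse_dn(user_dn), parse_dn(usersroot)
    return len(user) > len(base) and user[-len(base):] == base

def effective_role(username: str, authenticated: bool,
                   local_roles: Dict[str, str]) -> str:
    """Authorization step: look the user up in the LMS-local table; an
    authenticated user with no local entry gets the default Help Desk role."""
    if not authenticated:
        return "denied"
    return local_roles.get(username.lower(), "Help Desk")

# Constructed sample directory: two users moved into ou=LMS, one left outside.
USERSROOT = "ou=LMS, ou=Users, dc=test, dc=local"
DIRECTORY = {
    "alice": "cn=alice,ou=LMS,ou=Users,dc=test,dc=local",
    "bob":   "cn=bob,ou=LMS,ou=Users,dc=test,dc=local",
    "carol": "cn=carol,ou=Users,dc=test,dc=local",   # not moved into ou=LMS
}
LOCAL_ROLES = {"alice": "Network Administrator"}     # constructed local table

def login(username: str) -> str:
    """Full decision for one login attempt: scope check, then local role."""
    dn = DIRECTORY.get(username.lower())
    in_scope = dn is not None and dn_under_base(dn, USERSROOT)
    return effective_role(username, in_scope, LOCAL_ROLES)

if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "mallory"):
        print(f"{name:8} -> {login(name)}")
```

Running it shows alice with her locally assigned role, bob (in scope but with no local entry) falling back to Help Desk, and carol and mallory denied because no entry under the Usersroot matches them.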