10-11-2022 03:52 AM - edited 10-11-2022 04:13 AM
Hello,
We have Cisco FMC, version is 7.0.1
I would like to configure access to the FMC based on AD groups; the integration is done through LDAP. At this moment we have 2 AD groups:
First - Full Access (Grant-FMC-Admin), Second - Read Only Security Analyst (Grant-FMC-ReadOnly)
You can see the configuration in the screenshot.
Here is the test result:
As I have discovered, some users can log in, some cannot. What is the problem?
10-11-2022 06:08 AM
The issue seems to be related to hitting the maximum limit of query size limit as stated on the error. I would try to use a more specific base DN instead of the root one, and also a base filter that would match all the queried users.
10-11-2022 04:47 AM
This looks to me more like an AD-side issue; the users need to verify they are in the correct group.
Compare working vs. not working so you can see the difference in the user profiles in AD?
10-11-2022 07:05 AM
For example, User1 can be a member of Grant-FMC-Admin\Grant-FMC-ReadOnly and this user will have the correct assigned role. But User2 can be a member of Grant-FMC-Admin\Grant-FMC-ReadOnly and this user can't log in at all.
10-11-2022 08:12 AM
I tried to be more specific, but the situation is the same.
10-11-2022 08:14 AM
How and what do I need to check regarding these 67 users? These users are created in the same way as the other 550...
10-11-2022 08:45 AM
I don't personally think the issue is related to the users' attributes, I think it is just the size limit that is getting hit. Did you also try the base filter?
10-12-2022 05:53 AM
You were right, I set a more specific Base DN and now it works. Thanks.
10-12-2022 05:57 AM
Glad to hear this has been fixed now and you're welcome.
06-06-2024 07:35 AM
Hi,
I was able to find the method for limiting to a specific group, but the result is still an error with 0 users found.
Opening connection to LDAP server - serverip:389 - CN="firepower management",CN="Managed Service Accounts",dc=domain,dc=com
Current TLS Require Cert: 0
binding
bind success
The directory server is up serverip:389
LDAP Server Primary Available
Search Filter Test...
Opening connection to LDAP server - serverip:389 - CN="firepower management",CN="Managed Service Accounts",dc=domain,dc=com
Current TLS Require Cert: 0
binding
bind success
starting search...
base :DC=domain,DC=com
filter :(memberof=CN="Managed Service Accounts",dc=domain,dc=com)
user :fmc-1
attrib :sAMAccountName
ldap_result: 0 -Success
found 0 entries...
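The size-limit behaviour from the solved exchange (root base DN returns more entries than the server will hand back, so users past the cutoff are invisible to FMC) and the memberOf base filter from the later post, modelled offline as an added example; this is not code from the thread or from Cisco. The directory contents, group DNs, OU layout and the 1000-entry limit are constructed assumptions, not values from the page.

```python
"""Offline model of a size-limited LDAP user lookup (added example)."""

# Constructed sample values; the real group DNs and OU layout are not in the thread.
GROUP_ADMIN = "CN=Grant-FMC-Admin,OU=Groups,DC=domain,DC=com"
GROUP_RO = "CN=Grant-FMC-ReadOnly,OU=Groups,DC=domain,DC=com"
SIZE_LIMIT = 1000  # assumed server-side limit (typical AD MaxPageSize)


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def group_filter(*group_dns: str) -> str:
    """Base filter text matching users who are members of any listed group.

    memberOf is matched against the group's full distinguished name.
    """
    clauses = "".join(f"(memberOf={escape_filter_value(dn)})" for dn in group_dns)
    return clauses if len(group_dns) == 1 else f"(|{clauses})"


def lookup(directory, base_dn, filter_groups=None, size_limit=SIZE_LIMIT):
    """Return (role_users, truncated) the way a size-limited server would.

    Every entry under base_dn that matches the base filter (membership in any
    of filter_groups, or everything when None) is collected up to size_limit.
    Users past the cutoff never reach the client, so their role cannot be
    mapped even though their group membership is correct.
    """
    def matches(entry):
        under_base = entry["dn"].lower().endswith(base_dn.lower())
        in_filter = filter_groups is None or bool(set(filter_groups) & set(entry["memberOf"]))
        return under_base and in_filter
    hits = [e for e in directory if matches(e)]
    role_users = [e["sAMAccountName"] for e in hits[:size_limit] if e["memberOf"]]
    return role_users, len(hits) > size_limit


def build_directory(n_noise=950, n_users=100):
    """Constructed directory: computer objects first, FMC users after them."""
    noise = [{"dn": f"CN=host{i},OU=Computers,DC=domain,DC=com",
              "sAMAccountName": f"host{i}$", "memberOf": []} for i in range(n_noise)]
    users = [{"dn": f"CN=user{i},OU=Staff,DC=domain,DC=com", "sAMAccountName": f"user{i}",
              "memberOf": [GROUP_ADMIN if i % 2 else GROUP_RO]} for i in range(n_users)]
    return noise + users
```

With the root base DN and no filter only the first 50 users are returned, while either a narrower base DN (OU=Staff) or the group base filter returns all 100.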