Solved: Re: Integrate UCSD with AD using Custom LDAP Search Base

Jon Glennie · ‎11-10-2014

Hello All-

I am new to UCSD and am currently going through some intial configuration of it in our environment. One thing that I would liek to do is tie in UCSD with our AD servers to pull in user/group data and authenticate users. I went in to the Administration --> Users and Groups --> LDAP Integration tab and created a connection to our AD servers, however I can't seem to find where to specify the correct Search Base DN. If I click to modify the LDAP Search Base, I am presented with a window that has no entries to select and there are no buttons/manual entry options.

Where can I find the place to specify my LDAP search Base?

michzimm · ‎11-13-2014

Hi Jon,

What version of UCSD are you using? You can tell by clicking on the "About" label in the upper right hand corner of UCSD in your browser.

In the later versions of UCSD (I believe 5.0 and higher), you can define the Search Base as part of adding an AD/LDAP account to UCSD. So you provide the AD/LDAP server information/credentials, etc. and then hit Next and it should present you with the option to choose a "Search Base" before hitting Submit to add the AD/LDAP account.

If your AD/LDAP account appears to have been added successfully in UCSD, try highlighting the account in UCSD and using the "Test Connection" button. Some other guidelines to follow...

-Make sure to use FQDNs for the domain and AD/LDAP servers

-Make sure UCSD can resolve the above FQDNs through DNS

-Make sure the appropriate TCP/UDP ports are open between UCSD and AD/LDAP (389 LDAP or 636 for SSL LDAP)

-Make sure there is at least one OU created in AD, UCSD presents the available OUs as options for "Search Base".

If all is well with the above, next step would be to monitor the inframgr logs for UCSD to get some more detailed info as there may be a lower level exception or error occurring. To do this, SSH to the UCSD appliance as the "shelladmin" user (default passwd is "changeme") and there is an option in the menu to monitor the logs for UCSD. While monitoring the logs, go to UCSD UI and click the "Search Base" button again to open that dialogue. Any exceptions or errors should show in the logs at this point related to AD/LDAP and trying to retrieve the OUs from AD/LDAP...

Let us know what you find...hope that helps!

Thanks,

Mike

View solution in original post

michzimm · ‎11-13-2014

Hi Jon,

What version of UCSD are you using? You can tell by clicking on the "About" label in the upper right hand corner of UCSD in your browser.

In the later versions of UCSD (I believe 5.0 and higher), you can define the Search Base as part of adding an AD/LDAP account to UCSD. So you provide the AD/LDAP server information/credentials, etc. and then hit Next and it should present you with the option to choose a "Search Base" before hitting Submit to add the AD/LDAP account.

If your AD/LDAP account appears to have been added successfully in UCSD, try highlighting the account in UCSD and using the "Test Connection" button. Some other guidelines to follow...

-Make sure to use FQDNs for the domain and AD/LDAP servers

-Make sure UCSD can resolve the above FQDNs through DNS

-Make sure the appropriate TCP/UDP ports are open between UCSD and AD/LDAP (389 LDAP or 636 for SSL LDAP)

-Make sure there is at least one OU created in AD, UCSD presents the available OUs as options for "Search Base".

If all is well with the above, next step would be to monitor the inframgr logs for UCSD to get some more detailed info as there may be a lower level exception or error occurring. To do this, SSH to the UCSD appliance as the "shelladmin" user (default passwd is "changeme") and there is an option in the menu to monitor the logs for UCSD. While monitoring the logs, go to UCSD UI and click the "Search Base" button again to open that dialogue. Any exceptions or errors should show in the logs at this point related to AD/LDAP and trying to retrieve the OUs from AD/LDAP...

Let us know what you find...hope that helps!

Thanks,

Mike

Jon Glennie · ‎11-21-2014

Hi Michael-

That was it... I was thinking of the DOMAIN field as the domain for the user account, I.E. the DOMAIN\username for the account to use to connect to the AD servers. I kept looking at the fields I was using and thinking that I was using the FQDN everywhere, not making the connection in my mind that it wanted the actual FQDN of the domain and not just the username domain. The problem was particularly confusing as all of the connectivity tests returned successful results, even though I had the "incorrect" domain string specified. I had to get some assistance from Cisco to point out my blunder... Doh!

Once I removed the account and recreated it with the FQDN of the domain in the DOMAIN field, click the link for the LDAP search base returned a full list of all of my OU's and I was able to select the one I wanted.

michzimm · ‎11-21-2014

Hi Jon,

Glad you got it working! We can go back and look at the field labeling and see if we can’t make that label more clear, or possibly add a mouse-over with an example of what the input is looking for. Thanks for letting me know you got it working!

Thanks,

Mike

Michael Zimmerman

ENGINEER.TECHNICAL MARKETING

michzimm@cisco.com<mailto:michzimm@cisco.com>

Phone: +1 919 392 5320

Think before you print.

This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.

Please click here<http://www.cisco.com/web/about/doing_business/legal/cri/index.html> for Company Registration Information.