Problem with LDAP authentication for one user

JJMakowski
Level 1

Hi all.

We have a CUCM 9.1 cluster set up with IMP v9.1.

We set CUCM up with LDAP to Microsoft AD for user synch and authentication.  Jabber logs in to IMP through CUCM integration and the CUCM LDAP authentication.

We have one user who cannot log in to Jabber.  They get a "Username or Password is incorrect" error.  This user CAN log in to the IMP which is set for Single Sign-On via an Open-AM server.

Open-AM is only used for the web services in the IMP server.  Jabber cannot use SSO yet.

This user also CANNOT log in to the ccmuser page on CUCM.  They get "An LDAP error has occurred".

This user has no problem logging in to their workstation with their AD login and password.  They have no problem logging in to their Unity Connection voicemail user page (ciscopca) with their AD username and password.

This problem only seems to affect them authenticating through CUCM (which IMP uses as well).

For other users there is no problem.  AD accounts work in all UC applications.  It's just this one user.

Their username is long, but not the longest in the company.  No special characters or anything.  Three of us have looked at the End User account in CUCM and the AD account itself.  Absolutely nothing seems amiss with either.

I even removed the End User from "Standard CCM End Users" and "Standard CTI enabled" and then added them back, yet they still cannot log on.

Any suggestions on what to check?

Thanks,

Jim Makowski

Senior Systems Analyst

Mathematica Policy Research, Inc.

1 Accepted Solution

Accepted Solutions

dakeller
Cisco Employee

Jim,

Since this is on UCM 9.1, I would recommend opening a TAC case to resolve this issue.  But I might be able to offer some guidance.  Since it's only this user, that indicates there is something specific to this user that is causing the issue. The Jabber login failure is concerning, but the CCM User page login is the one that worries me more.  Are you sure that there is only one user with that name?  Can you check that a similar user name is not in the application user list (vs the end user list)?  Also, if you make a rather innocuous change on LDAP, do you see that change propagated into CUCM?  When an LDAP user is synched into CUCM, we keep the LDAP synch info for updates and removal if the synch agreement.  Also, is the user marked as a local user?  Although a local user and LDAP user with the same last name and userid will coalesce into a single LDAP synched user, if there is a name difference, you may have a second user that is being matched against the login attempt.

If this is not the case, I recommend contacting TAC and opening a case to get the issue resolved.

Thanks,

Dan Keller

Technical Marketing Engineer


8 Replies

Dan,

Thanks for responding.  There is only one user with this name. There are no similar Application Users and no other even remotely similar End User.

I made an innocuous change (to the Department field) and did a re-sync of AD.  The change did propagate to CUCM.  The user still cannot log in to Jabber or the CCM User page.

The user is not marked as a Local User, the User Status is "Active LDAP Synchronized User ".

I will open a case with TAC.

Thanks for the guidance though.

Jim,

Yes, at this time there will need to be a deeper investigation into this specific user to see why the issue persists.  I'm sure trace files will need to be checked.  Based on what you are indicating, it almost sounds like there is an LDAP config that may prevent the user from logging in, but that does not absolve the UCM from having the issue.  If you can update this thread after working with TAC, I would appreciate the update.

Thanks,

Dan Keller

Technical Marketing Engineer

Hi Dan

I have had a similar problem with occasional users on CUCM 8.0.3/CUPS 8.6.4.

Symptoms

1. User CANNOT log in to Jabber

2. User can log in to CUCM user page (/ccmuser)

3. User can log in to Unity Conn (/ciscopca)

4. User can log in to CUP user options (/cupuser)

5. Examination of LDAP attributes (ldifde dump) shows surname (or other LDAP attribute) has non human readable value (i.e. Txfy=0023nDncY)

Actions

1. Correct the LDAP entry and resync CUCM with LDAP, user still unable to log in to Jabber.

2. Rename the AD user alias (sAMAccountName) and resync CUCM with LDAP, user NOW able to log in to Jabber

3. Rename the AD user alias (sAMAccountName) to the original name and resync CUCM with LDAP, user is still able to log in to Jabber.

This leads me to believe there is something in LDAP that Jabber 4 Windows did not like, even after the obvious value was corrected.

Thanks

Steve Fall

UC Architect

Harman International

Hi James,

Did you resolve this issue?

I have a similar issue with one user on a new cluster. All others are fine.

Any update is appreciated.

Cheers

Oli

cnuche
Cisco Employee

Hi,

First of all, please make sure the user ID, first name, last name, etc. do not have any special characters.

Next, make sure that none of the values on the user entry or the CCMAdmin user's config page have the string 'href' / 'HREF' or 'eval' / 'EVAL' or 'pkid' / 'PKID' in it; those are reserved words for the system.

HTH.

Christian Nuche.

Cisco TAC
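The two replies above (Steve's ldifde dump showing a non-human-readable surname, and Christian's checks for special characters and the reserved strings href/eval/pkid) both amount to auditing a user's directory attributes before the CUCM sync. The script below is an added example written for this thread, not code from Cisco or from any poster: it parses a constructed LDIF dump (the three entries are made up for illustration) and flags attribute values that are non-printable, that contain one of the reserved words named by Cisco TAC, or that put special characters in the identity attributes. The attribute list and the "safe name" pattern are assumptions chosen for the example, not CUCM's own validation rules.

```python
import base64
import re

# Reserved strings named by Cisco TAC in this thread (matched case-insensitively).
RESERVED = ("href", "eval", "pkid")

# Identity attributes we expect to be free of special characters (assumption
# for this example; CUCM's exact rules are not published on this page).
NAME_ATTRS = ("sAMAccountName", "givenName", "sn", "displayName")
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._ -]*$")

# Constructed LDIF sample. ldifde writes values that are not plain printable
# ASCII as base64 after a double colon; the second entry's surname carries a
# control byte so it comes out that way, like the garbage value Steve saw.
_BAD_SN = base64.b64encode(b"Doe\x01").decode()
SAMPLE_LDIF = f"""\
dn: CN=Jane Doe,OU=Users,DC=example,DC=com
sAMAccountName: jdoe
givenName: Jane
sn: Doe
department: Research

dn: CN=Bad Surname,OU=Users,DC=example,DC=com
sAMAccountName: bsurname
givenName: Bad
sn:: {_BAD_SN}
department: Research

dn: CN=Link Person,OU=Users,DC=example,DC=com
sAMAccountName: lperson
givenName: Link
sn: Person
description: see HREF for details
"""


def parse_ldif(text):
    """Return a list of entries; each maps attribute -> [(raw_bytes, was_base64)]."""
    # A line starting with a space continues the previous line (LDIF folding).
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, current = [], {}
    for line in unfolded:
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        encoded = value.startswith(":")  # "attr:: <base64>"
        value = (value[1:] if encoded else value).strip()
        raw = base64.b64decode(value) if encoded else value.encode()
        current.setdefault(attr, []).append((raw, encoded))
    if current:
        entries.append(current)
    return entries


def audit_entry(entry):
    """Return (dn, attribute, reason) tuples for suspicious values in one entry."""
    findings = []
    dn = entry.get("dn", [(b"?", False)])[0][0].decode("utf-8", errors="replace")
    for attr, values in entry.items():
        for raw, was_b64 in values:
            text = raw.decode("utf-8", errors="replace")
            if "\ufffd" in text or not all(ch.isprintable() for ch in text):
                how = "base64 in dump" if was_b64 else "plain"
                findings.append((dn, attr, f"non-printable or undecodable value ({how})"))
            lowered = text.lower()
            for word in RESERVED:
                if word in lowered:
                    findings.append((dn, attr, f"contains reserved word {word!r}"))
            if attr in NAME_ATTRS and not SAFE_NAME.match(text):
                findings.append((dn, attr, "special characters in identity attribute"))
    return findings


def audit_ldif(text):
    """Audit every entry in an LDIF dump and return all findings."""
    return [f for entry in parse_ldif(text) for f in audit_entry(entry)]


if __name__ == "__main__":
    for dn, attr, reason in audit_ldif(SAMPLE_LDIF):
        print(f"{dn}\n    {attr}: {reason}")
```

Run it against a real dump with `ldifde -f users.ldf -r "(sAMAccountName=<user>)"` and feed the file's contents to `audit_ldif`; the clean entry produces no findings, while the corrupted surname and the reserved word each show up with the DN and attribute to fix before the next resync.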

hello,

Can you please advise what the resolution was?

Junaid Muhamed
Level 1

Having the same issue (one user facing the issue), with LDAP for wireless authentication.

Solution - the user had the special character "=" in their password. Resetting the password without the "=" sign worked.
