Active Directory login issues

davidsherman · ‎10-13-2011

Hello,

We have been using AD via the LDAP provider to login to the UCSM web and cli interfaces successfully since 1.4 release. Recently, we added a new user to one of the AD groups that our LDAP group maps in UCSM points to and they could not login. We have debugged the issue down to the fact that the user has 12 characters in their username and it appears that UCSM will not allow an Active-Directory based login if your username has more than 11 characters. This limitation is not in place for local accounts, only Active-Directory logins. We have verified this issue occurs in multiple versions including 1.41j, 1.43l and 2.01m.

Has anyone else encountered this issue? Is this a known issue, and if so is there a known workaround or fix (other than shortening the username of course)?

Thanks!

-Dave

Daniel Laden · ‎10-13-2011

Dave,

You may be running into a variant of this bug.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCto71695

Symptom:

When a customer uses external servers (radius,tacacs,ldap,etc) for UCSM authentication and the total characters for the username and domain combined exceed 28, UCSM will report that User Authentication has failed. External server has no record that a request was sent.

When user logs in with a name of combined 27 characters, it is shown in the remote authentication tab as ucs-AuthenticationDomain\UserName. The total length of this string is 32 characters which is the limit of a locally created username. UCS is adding 5 characters to the string 'ucs-' and '\'.

If the remote users are limted to 32 characters, the error message should state 'AuthenticationDomain'\'UserName' exceeds limit of 27 characters.

HTH,

Dan