Cisco UCS integration with Active Directory

Vincent Britton
Level 1

I am looking to configure my new UCS with Active Directory.

I know I need to create the CiscoAVPair attribute in the AD schema, but where?

Can I do it on the group that my UCS Admins reside in?  We have several UCS deployments running older versions of UCSM that predated this requirement.  Can I just add the CiscoAVPair attribute to the admin groups?

Better yet can I create a group "UCS Access" with this setting and nest that group into "UCS Admins" and "UCS KVM" groups?

10 Replies

Robert Burns
Cisco Employee

You no longer need to modify the AD schema as of 1.4 or later.  There are plenty of guides on how to design/configure it, including:

http://www.cisco.com/en/US/docs/unified_computing/ucs/sw/sample_configurations/UCSM_1_4_LDAP_with_AD/b_Sample_Configuration_LDAP_with_AD.pdf

Regards,

Robert

Sir, no disrespect, but I am seeing the exact opposite of what you are saying.

I have my UCS configured with group mapping, but when an admin connects they are also given read-only access, which, from what I have found, indicates that CiscoAVPair is not set correctly?

Which version are you running?

In short, you create AD groups on your DC, then add your AD users to the group.

Ex.

UCSadmin
     User1
UCSaaa
     User2
     User3
UCSnetwork
     User4

Then in UCSM, you set up your authentication profile, LDAP providers, and the group map, which creates the binding between the UCS role and the AD user group:

AD Group UCSadmin  >>>> UCS admin role
AD Group UCSaaa >>>> UCS aaa role
AD Group UCSnetwork >>>> UCS network role

This allows any AD-authenticated user to be assigned the appropriate UCS role.

If you're running 2.0 or later you definitely don't need to touch the schema.

Robert

Please review/watch this video.  It should walk you through the process.

https://supportforums.cisco.com/videos/1720

Regards,

Robert

I have authentication working.  This is the 3rd UCS I have deployed (first with 2.1 installed though).

I can authenticate, but when I connect it shows I have admin and read-only rights. 

That's fine.  Any user who successfully authenticates to UCSM gets read-only.  It's the lowest privilege.  Since you also have the "admin" role, that will supersede the read-only privilege.

Regards,

Robert

Thank you for this information, it indeed put me down the right path!

Turned out the person who put in the CN for the group mapping had a typo in the admin mapping, while the admin user (me) was also a member of the KVM group that has read-only privileges.  So what I did was delete the KVM group map and then was unable to authenticate any longer, then I figured out the typo in the admin mapping.

So my new question would be, is there a more graceful way to validate group maps? 
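One way to check group maps offline, for both the AD-group-to-UCS-role procedure Robert describes and the "graceful validation" question above. This is an added example, not code from the thread or from Cisco: it compares the group DNs configured in UCSM's LDAP group maps against a list of AD group DNs (as you would export with ldapsearch or Get-ADGroup), flags maps that match no group and suggests the nearest real DN to catch typos, and computes the roles a user ends up with (UCSM grants read-only to every authenticated user, then adds roles from every matching map). Group names, DNs and user names below are constructed sample data.

```python
import difflib

def normalize_dn(dn):
    """Case-insensitive DN comparison, ignoring whitespace around RDN parts."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)

def check_group_maps(group_maps, ad_groups):
    """group_maps: {group DN configured in UCSM: [UCS roles]}.
    ad_groups: {group DN that really exists in AD: [member logins]}.
    Returns [(configured DN, closest real DN or None)] for maps with no AD match."""
    ad_index = {normalize_dn(dn): dn for dn in ad_groups}
    problems = []
    for dn in group_maps:
        key = normalize_dn(dn)
        if key in ad_index:
            continue
        # High cutoff: DNs in one OU share a long suffix, so only near-identical
        # CNs (typos, transposed letters) should be offered as the fix.
        close = difflib.get_close_matches(key, ad_index, n=1, cutoff=0.9)
        problems.append((dn, ad_index[close[0]] if close else None))
    return problems

def effective_roles(user, group_maps, ad_groups):
    """Roles UCSM would grant: read-only for any authenticated user, plus the
    roles of every mapped group the user is a direct member of."""
    roles = {"read-only"}
    norm_maps = {normalize_dn(dn): set(r) for dn, r in group_maps.items()}
    for dn, members in ad_groups.items():
        if user in members and normalize_dn(dn) in norm_maps:
            roles |= norm_maps[normalize_dn(dn)]
    return roles

# Constructed sample export of AD groups and their direct members.
AD_GROUPS = {
    "CN=UCS Admins,OU=Groups,DC=example,DC=com": ["vbritton"],
    "CN=UCS KVM,OU=Groups,DC=example,DC=com": ["vbritton", "operator1"],
}
# Constructed UCSM group maps; the admin map carries a typo ("Admnis").
GROUP_MAPS = {
    "CN=UCS Admnis,OU=Groups,DC=example,DC=com": ["admin"],
    "CN=UCS KVM,OU=Groups,DC=example,DC=com": ["read-only"],
}

if __name__ == "__main__":
    for bad, suggestion in check_group_maps(GROUP_MAPS, AD_GROUPS):
        print(f"no AD group for map {bad!r}; did you mean {suggestion!r}?")
    for login in ("vbritton", "operator1"):
        print(login, sorted(effective_roles(login, GROUP_MAPS, AD_GROUPS)))
```

With the typo in place vbritton only gets read-only, which is the symptom from this thread; once the admin map's DN matches the real group, the admin role is added alongside it.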

NaelShahid_2
Level 1

Could I hijack this discussion and ask how we get ldap auth to also work when accessing the CLI?

Thanks again!
