Hi Richard,

rsobey001 · ‎11-17-2015

Hi all,

I'm trying to get LDAP (AD provider) authentication working for a new UCS Central deployment. I've followed the same set of tasks I have used to successfully get UCSM working, but I'm hitting a road block with UCSC.

I've read everywhere that to make it work you need to use a custom attribute, with the suggestion of CiscoAVPair given, BUT is this still relevant in the latest UCSC version? I was led to understand that the custom attribute was because LDAP group maps weren't supported in earlier UCSC ersions, but they are now.

Has anyone got this to work without using a custom attribute and, if so, are there any gotchas I need to be aware of?

Many thanks

Richard

rsobey001 · ‎11-19-2015

We fixed this by referencing a specific LDAP server rather than a set of servers through a VIP. The problem was that, in contrast to UCSM, UCSC is checking the SSL cert for an exact name match and clearly this was different.

Richard

Marcelo Morais · ‎11-19-2015

Hi Richard,

thanks for sharing (+5 for that!!!)

I was collecting some info that I would like to share for future references.

First of all, UCS Central latest release is version 1.3 (03/Nov/2015), version 1.0 (20/Nov/2012) describes the limitations of UCS Central remote authentication, that include the LDAP Group membership mapping for role assignment and LDAP Provider Groups for multiple Domain Controllers ... they are not supported (check the link LDAP Authentication Configuration Example for UCS Central).

Since version1.1(1b), LDAP Group maps is supported (check the link Release Notes for Cisco UCS Central, Release 1.1)

Take a look at the UCS Central v. 1.3 Managing Administrative Settings link ... take a special look at the: 'Table 1 Comparison of User Attributes by Remote Authentication Provider'.

Thanks again.

Do *need* custom LDAP attributes in 1.3(1b)?

Do need custom LDAP attributes in 1.3(1b)?