11-17-2015 03:43 AM - edited 03-01-2019 12:27 PM
Hi all,
I'm trying to get LDAP (AD provider) authentication working for a new UCS Central deployment. I've followed the same set of tasks I have used to successfully get UCSM working, but I'm hitting a road block with UCSC.
I've read everywhere that to make it work you need to use a custom attribute, with the suggestion of CiscoAVPair given, BUT is this still relevant in the latest UCSC version? I was led to understand that the custom attribute was because LDAP group maps weren't supported in earlier UCSC versions, but they are now.
Has anyone got this to work without using a custom attribute and, if so, are there any gotchas I need to be aware of?
Many thanks
Richard
11-19-2015 07:38 AM
We fixed this by referencing a specific LDAP server rather than a set of servers through a VIP. The problem was that, in contrast to UCSM, UCSC is checking the SSL cert for an exact name match and clearly this was different.
Richard
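The name mismatch described in the reply above, as an added example that is not part of the original thread and is not UCS Central's own code: it compares each hostname you might configure as an LDAP provider against the DNS names in the server certificate, using a strict exact match. The host names and sample certificate are constructed, and the matching rule (SAN dNSName first, subject CN only if no SAN, no wildcard handling) is an assumption about what "exact name match" means here.

```python
import socket
import ssl

# Constructed sample in ssl.getpeercert() format: the certificate a single
# domain controller presents on LDAPS. The VIP name is not in it.
SAMPLE_DC_CERT = {
    "subject": ((("commonName", "dc01.example.test"),),),
    "subjectAltName": (("DNS", "dc01.example.test"), ("DNS", "DC01")),
}


def cert_names(cert):
    """Return the lower-cased DNS names a certificate is valid for."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    # Fall back to the subject CN only when no SAN dNSName is present.
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def exact_match(configured_host, cert):
    """True if the configured provider name equals one of the cert names."""
    return configured_host.lower().rstrip(".") in cert_names(cert)


def check_providers(hosts, cert):
    """Map each candidate provider hostname to its match result."""
    return {h: exact_match(h, cert) for h in hosts}


def fetch_cert(host, port=636, cafile=None):
    """Fetch the LDAPS certificate from a live server for the checks above."""
    ctx = ssl.create_default_context(cafile=cafile)
    # The chain is still verified; only the built-in name check is turned
    # off so the names can be inspected even when they do not match.
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    candidates = ["ldap-vip.example.test", "dc01.example.test"]
    for host, ok in check_providers(candidates, SAMPLE_DC_CERT).items():
        print(f"{host}: {'match' if ok else 'NAME MISMATCH'}")
```

Against a real deployment, pass the result of `fetch_cert()` for the VIP and for each domain controller to `check_providers()` to see which names the presented certificate actually covers.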
11-19-2015 07:59 AM
Hi Richard,
thanks for sharing (+5 for that!!!)
I was collecting some info that I would like to share for future references.
First of all, UCS Central latest release is version 1.3 (03/Nov/2015), version 1.0 (20/Nov/2012) describes the limitations of UCS Central remote authentication, that include the LDAP Group membership mapping for role assignment and LDAP Provider Groups for multiple Domain Controllers ... they are not supported (check the link LDAP Authentication Configuration Example for UCS Central).
Since version 1.1(1b), LDAP Group maps are supported (check the link Release Notes for Cisco UCS Central, Release 1.1).
Take a look at the UCS Central v. 1.3 Managing Administrative Settings link ... take a special look at the: 'Table 1 Comparison of User Attributes by Remote Authentication Provider'.
Thanks again.