07-25-2014 11:15 AM - edited 03-01-2019 11:46 AM
Thankfully this is a lab environment.
We implemented LDAP authentication but now we cannot access the UCS manager. Authentication attempts fail when using either native or LDAP authentication.
Questions
1. We haven't attempted console access but does console access authenticate via the local database or will it revert to ldap?
2. Would we be able to remove the ldap settings if we have console access?
3. Or do we have to re-initialize the FIs?
07-25-2014 11:33 PM
Hi Albert,
On the UCSM, is the console authentication set to LDAP as well?
If yes, connect to the console port; the default authentication should fall back from LDAP to local.
The section below covers the scenario where native authentication was changed to LDAP and the user was locked out of UCSM, as well as the case where console authentication is also set to LDAP.
While trying to configure UCSM to allow for LDAP authentication, native authentication was changed to LDAP and the user was locked out of UCSM. How to recover from this situation?
Answer
From the serial management console of the Primary FI <http://www.cisco.com/en/US/docs/unified_computing/ucs/hw/switch/install/connect.html#wp1028307>, run the following commands:
SJ-SV-1-16-2-A# scope security
SJ-SV-1-16-2-A /security # set authentication console local
SJ-SV-1-16-2-A /security # set authentication default local
SJ-SV-1-16-2-A /security # commit-buffer
Console authentication is also set to LDAP
In this case, you will have to stop IP connectivity to the LDAP server from the UCS FIs.
Option 1: Block IP connectivity in the network path between the UCS FIs and the LDAP server.
* Once the FI is unable to see the LDAP server at all on the network, meaning the FI does not have IP connectivity to the LDAP server, it will fail back to the local database regardless of the settings.
* If the network has a firewall between the FIs and the LDAP server, the administrator can block access to tcp port 389 (LDAP), or tcp port 3268 (Global Catalog, which will satisfy schema lookups for LDAP Auth). Older systems may also need to block tcp port 636 (LDAPS / LDAP over SSL, which has since been deprecated for startTLS over 389).
Option 2: Disconnect the management interface of the primary FI to force the system to log in locally for console, as this satisfies the condition to stop IP connectivity.
* Once you can access the PRIMARY Fabric Interconnect physically, follow the below steps.
1. Take out console and management cables from the port.
2. Connect your PC directly to your management interface.
3. Configure your PC to have the IP address in the same subnet as the FI's management IP address.
4. Make sure you can ping the FI from your PC.
5. SSH into the FI using either the FI IP or VIP.
6. Run the following commands:
# scope security
# set authentication console local
# set authentication default local
# commit-buffer
7. Verify the configuration by issuing the following command:
# show authentication
Console authentication: Local
Default authentication: Local
Role Policy For Remote Users: Assign Default Role
8. Put the original cable back into the management port and normalize.
9. Try to log in using the local credential.
Hope this helps.
Thanks,
Majid
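The following is an added example, not code from the thread or from Cisco: it scripts the Option 2 recovery steps (SSH to the isolated primary FI, switch console and default authentication back to local, commit, and parse `show authentication`) so that you only reconnect the management cable once both realms really read Local. It assumes the FI is reachable over SSH from the directly cabled PC as described above, and that paramiko is installed for the live run; the parsing and verification functions need no network and can be checked against the sample output from the post.

```python
"""Added example (not part of the original thread): automate the UCSM
local-auth recovery over SSH and verify it before re-cabling the FI.

Assumptions not stated in the thread:
  * SSH reachability to the primary FI (Option 2 above);
  * the paramiko library for the live SSH session (only imported inside
    recover_over_ssh, so the parser below runs without it).
"""
import re
import socket
from typing import Dict, Tuple

# The UCSM CLI commands from the answer above, in the order given there.
RECOVERY_COMMANDS = [
    "scope security",
    "set authentication console local",
    "set authentication default local",
    "commit-buffer",
    "show authentication",
]

# Constructed sample of `show authentication` output, matching the post.
SAMPLE_SHOW_AUTH = """\
Console authentication: Local
Default authentication: Local
Role Policy For Remote Users: Assign Default Role
"""

_AUTH_LINE = re.compile(
    r"^\s*(Console authentication|Default authentication)\s*:\s*(\S+)", re.I
)


def parse_show_authentication(text: str) -> Dict[str, str]:
    """Map the two realm lines of `show authentication` to {'console': ..., 'default': ...}."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        m = _AUTH_LINE.match(line)
        if m:
            result[m.group(1).split()[0].lower()] = m.group(2)
    return result


def local_auth_restored(text: str) -> bool:
    """True only when BOTH console and default authentication are back to Local.

    Checking only one realm is the failure mode the thread describes: with
    console still on LDAP and the LDAP server reachable, you stay locked out.
    """
    parsed = parse_show_authentication(text)
    return (parsed.get("console", "").lower() == "local"
            and parsed.get("default", "").lower() == "local")


def _read_until_prompt(chan, prompt: str = "# ") -> str:
    """Collect interactive-shell output until the UCSM prompt reappears."""
    buf = ""
    while not buf.endswith(prompt):
        try:
            chunk = chan.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk.decode("utf-8", errors="replace")
    return buf


def recover_over_ssh(host: str, user: str, password: str,
                     timeout: int = 15) -> Tuple[bool, str]:
    """Run RECOVERY_COMMANDS on the FI; return (local_auth_confirmed, raw_output).

    Uses an interactive shell because UCSM's CLI is session oriented
    (scope + commit-buffer), not one-shot exec.
    """
    import paramiko  # assumed installed; needed only for the live run

    client = paramiko.SSHClient()
    client.load_system_host_keys()
    # Lab recovery on a directly cabled FI; in production pin the host key.
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    client.connect(host, username=user, password=password, timeout=timeout,
                   look_for_keys=False, allow_agent=False)
    chan = client.invoke_shell()
    chan.settimeout(timeout)
    output = _read_until_prompt(chan)
    for cmd in RECOVERY_COMMANDS:
        chan.send(cmd + "\n")
        output += _read_until_prompt(chan)
    client.close()
    return local_auth_restored(output), output


if __name__ == "__main__":
    import getpass
    import sys
    ok, raw = recover_over_ssh(sys.argv[1], sys.argv[2], getpass.getpass())
    print(raw)
    print("local auth restored:", ok)
```

Run it as `python recover.py <FI mgmt IP or VIP> admin` from the directly cabled PC (step 5 above) and put the management cable back only after it reports `local auth restored: True`; if it reports False, the `show authentication` output it prints tells you which realm is still on LDAP.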
03-02-2017 07:42 AM
This really helped me, was going to panic, but found this article and it fixed it right away. Now back to the drawing board to get LDAP working on Cisco UCS.