02-25-2014 03:05 AM - edited 03-01-2019 11:32 AM
Hi,
I have some general questions about authentication with LDAP and UCS Manager.
I hope this is understandable.
We have the following structure:
I added a LDAP Provider,
binduser is adm-user1
baseDN = OU=Domain Administration,DC=company,DC=domain,DC=com
attribute = empty
filter = sAMAccountName=$userid
password for adm-user1 is set
group authorization/ recursive enabled.
I did not add any attributes or map the group. Now I can login with ucstestuser (read-only), but not with adm-user1 or adm-user2.
If I add ucstestuser to ucsadmingroup and map that group, ucstestuser can access and has admin rights, but adm-user1 and adm-user2 cannot access (User Authentication failed).
I don't understand why ucstestuser can access and the other users in another OU cannot. The BaseDN is Domain Administration, so UCSM should see all three users, shouldn't it?
Can someone help? Thanks.
/Danny
02-25-2014 04:08 PM
With remote authentication in UCS, when a user logs in it uses a temporary account on the FI in the form of ucs-MyAuthDomain\myusername, which is limited to a total of 32 characters. If you shorten the authentication domain name defined in UCSM from domain.com to a shorter name like AD, it will allow for utilization of a longer username.
Note: For systems using a remote authentication protocol, the authentication domain name is considered part of the user name and counts toward the 32-character limit for locally created user names. Because Cisco UCS inserts 5 characters for formatting, authentication will fail if the domain name and user name combined character total exceeds 27.
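One way to check an LDAP account list against this limit before enabling the provider, as an added example that is not from the thread or from Cisco. The domain names and usernames in it are constructed sample values; the 32-character cap and the 5-character formatting overhead are taken from the note above, and the script simply applies them to each account and reports which logins would fail on length alone.

```python
# Added example (not from the thread or from Cisco): a pre-flight check for the
# username-length rule quoted in the accepted answer. Cisco UCS Manager logs a
# remote (LDAP) user in through a temporary local account named
# "ucs-<AuthDomain>\<username>", capped at 32 characters. The 5 formatting
# characters ("ucs-" and "\") leave 27 for the domain name plus the username.
# Domain names and usernames used below are constructed sample values.

UCS_TEMP_ACCOUNT_MAX = 32
UCS_FORMAT_OVERHEAD = len("ucs-") + len("\\")                  # 5 characters
UCS_COMBINED_MAX = UCS_TEMP_ACCOUNT_MAX - UCS_FORMAT_OVERHEAD  # 27


def temp_account_name(auth_domain: str, username: str) -> str:
    """Build the temporary account name UCSM would create on the FI."""
    return f"ucs-{auth_domain}\\{username}"


def fits_ucs_limit(auth_domain: str, username: str) -> bool:
    """True if domain + username stays within the 27-character budget."""
    return len(auth_domain) + len(username) <= UCS_COMBINED_MAX


def max_username_length(auth_domain: str) -> int:
    """Longest LDAP username that can still log in under this auth domain."""
    return max(0, UCS_COMBINED_MAX - len(auth_domain))


def check_accounts(auth_domain: str, usernames) -> dict:
    """Map each username to (temporary account name, will it authenticate)."""
    return {
        user: (temp_account_name(auth_domain, user), fits_ucs_limit(auth_domain, user))
        for user in usernames
    }


def failing_accounts(auth_domain: str, usernames) -> list:
    """Usernames that would get 'User Authentication failed' purely from length."""
    return [u for u, (_, ok) in check_accounts(auth_domain, usernames).items() if not ok]


if __name__ == "__main__":
    # Constructed sample: a long auth domain name versus a short one.
    users = ["adm-user1", "ucstestuser", "administrator-long"]
    for domain in ("company.domain.com", "AD"):
        print(f"auth domain {domain!r}: max username length {max_username_length(domain)}")
        for user, (account, ok) in check_accounts(domain, users).items():
            print(f"  {account:<40} len={len(account):2d}  {'ok' if ok else 'FAILS'}")
```

Running it side by side for a long and a short authentication domain name shows the trade-off the answer describes: every character spent on the domain name is one fewer available for the LDAP username, so renaming the domain to something short is the fix when the directory usernames cannot be changed.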
02-25-2014 06:45 AM
Hi again,
I found the problem:
If you use user accounts with maximum 15 characters, it works and you can access.
If you use user accounts with 16 or more characters, it doesn't work and you get "User Authentication failed".
Now, Cisco, please tell me, is this a bug or a feature?
/Danny
02-26-2014 02:31 AM
Thanks. Solved my problem. Didn't know that the "domain name" counts, too.
regards
/Danny