07-15-2013 08:04 AM - edited 03-01-2019 11:08 AM
Hi guys,
Just wondering if anyone could help with an odd issue we seem to have come across with our UCS Manager. We have set it up to use LDAP authentication for log on, which is working fine for four of our five team members. However, we have one user who, although he is in exactly the same groups as the rest of us, continually gets unauthenticated user errors.
We've done the usual of checking it is not his machine or setup, and in the logs it doesn't even register an attempt at log on failing, so I'm not too sure what I can check. Any thoughts would be very much appreciated!
We are using UCSM v2.1 (1e) in case that is relevant?
Many Thanks
John
07-15-2013 09:51 PM
Hello John,
Are you using MS AD ?
Please make sure that LDAP group map is referring to correct DN.
Anything special about non-working user account ?
Please turn on the following debugs and request the user to login.
connect nxos
debug aaa all
debug ldap all
debug aaa aaa-request
After login attempt, you can turn off the debugs by " undebug all " .
Please share the debug output.
Padma
07-16-2013 02:43 AM
Hi Padma,
Thanks for the reply, nope there is nothing special about this user that I can see and if I create a brand new user and just put it in domain admins and the LDAP group for UCS then it logs in just fine.
I have enabled the debugging options and got the user to try logging in, but it doesn't even seem to register his attempt. Another member of the team logs in and the log updates in front of me, but when this other person does, nothing comes up! Very odd.
Many Thanks
John
07-16-2013 04:33 AM
Hello John,
Please save the SSH session output and then turn on the debug.
After the login attempt, please share the session log file.
Do all these users belong to the same group as defined in the LDAP group map?
Thanks
Padma
07-16-2013 06:09 AM
I had run into the same issue. Turned out to be a bug in the firmware when DNs were too long.
There is no longer a 128 character limitation to the number of OUs or the length of the Distinguished Name (DN) when using LDAP authentication with Active Directory.
http://www.cisco.com/en/US/docs/unified_computing/ucs/release/notes/UCS_28313.html
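Since the failure mode in this thread is silent (no login attempt is even logged), a quick way to find accounts at risk is to check the length of each user's AD DN against the limit before they try to log in. The script below is an added example, not code from the thread or from Cisco; it splits a DN into RDNs on unescaped commas (RFC 4514 backslash escaping), counts the OU components, and flags any DN over a configurable limit. The 128 character figure comes from the release note quoted above; the two sample DNs are constructed for illustration.

```python
# Added example (not from the thread or from Cisco): flag AD user DNs whose
# length exceeds a limit such as the 128-character cap the thread attributes
# to older UCSM firmware. Sample DNs below are constructed for illustration.

DN_LIMIT = 128  # limit quoted in the thread; confirm against your firmware's release notes


def split_rdns(dn):
    """Split a DN into RDNs on unescaped commas.

    A backslash escapes the next character (RFC 4514), so a DN such as
    'CN=Example\\, Jr,OU=...' keeps the escaped comma inside the CN value.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]


def count_ous(dn):
    """Number of OU= components in the DN (case-insensitive)."""
    return sum(1 for rdn in split_rdns(dn) if rdn.lower().startswith("ou="))


def check_dn(dn, limit=DN_LIMIT):
    """Summarise one DN: total length, OU depth, and whether it breaks the limit."""
    return {
        "dn": dn,
        "length": len(dn),
        "ous": count_ous(dn),
        "over_limit": len(dn) > limit,
    }


def check_dns(dns, limit=DN_LIMIT):
    """Return only the DNs that exceed the limit, so the output is an action list."""
    return [r for r in (check_dn(d, limit) for d in dns) if r["over_limit"]]


# Constructed sample data: a short DN that fits, and a long one (deep OU tree,
# long CN with an escaped comma) that would have tripped the old limit.
SHORT_DN = "CN=Alex,OU=UCS Admins,OU=Infrastructure,DC=example,DC=com"
LONG_DN = (
    "CN=Alexander Example\\, Jr,OU=UCS Administrators,OU=Infrastructure Services,"
    "OU=Information Technology,OU=Corporate,DC=corp,DC=example,DC=com"
)

if __name__ == "__main__":
    for result in check_dns([SHORT_DN, LONG_DN]):
        print("OVER LIMIT ({length} chars, {ous} OUs): {dn}".format(**result))
```

In practice you would feed the script the `distinguishedName` attribute of every member of the UCS LDAP group (exported from AD however you normally do it) and review the flagged entries. The workaround used later in this thread, a shorter CN, is one fix; moving the group's members out of a deeply nested OU tree shortens the DN too.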
07-16-2013 07:30 AM
Bruce you're a star, thank you.
Thanks again Padma for the offer. I was just popping on to post results when I saw Bruce's comment and did some testing: the non-working account is 5 letters longer than any of our others, which is apparently just enough to tip his DN over to too long! Have created an account with Alex instead of Alexander as the name and he is up and running perfectly.
Much appreciated guys
John