We have a Cisco UCS 6200 series. I was configuring LDAP on it, and I guess I've messed it up: I created a local domain, changed the native authentication from "local" to LDAP, saved, and logged out to test LDAP user authentication, but all logins failed. I can no longer log in using the local "admin" account, neither from the GUI nor via SSH.
How could I revert this back please?
Maybe try breaking into the bootloader again on the console, login as admin, then:
UCS-A# scope security
UCS-A /security # scope console-auth
UCS-A /security/console-auth # set realm local
UCS-A /security/console-auth # commit-buffer

UCS-A# scope security
UCS-A /security # scope default-auth
UCS-A /security/default-auth # set realm local
UCS-A /security/default-auth # commit-buffer
Let's see if that forces the auth back to the local users accounts database.
Do you have access to the console?
If so, you should be able to login via console, and set the default-auth, realm to local again.
Usually recommend leaving the console auth set to local.
As far as login attempts, are you using following syntax:
* From a Linux / Mac machine
ssh -l ucs-<domain-name>\\<username> <UCSM-IP-address>
ssh <UCSM-IP-address> -l ucs-<domain-name>\\<username>
* From putty client
Login as: ucs-<domain-name>\<username>
NOTE Domain name is case sensitive and should match the domain-name configured in UCSM.
*Borrowing syntax from previous post at https://supportforums.cisco.com/t5/unified-computing-system/ucs-ldap-and-native-authentication/td-p/2475829
Thanks for responding.
I can't login at all from anywhere, I've even tried the syntax you sent earlier today, but didn't work for both types of accounts.
Do you have anyway to block your UCSM mgmt ports from reaching ldap servers?
See if your local logins work if the LDAP servers aren't reachable from the UCSM (you may need to add some temporary ACLs on the upstream mgmt switch that the FI mgmt ports plug into).
I guess you could unplug your 1 Gb mgmt ports, while trying to do console test (this may trigger cluster lead failover).
You're at a point you may need to open a TAC case.
As you've indicated you can't login via console, I'm assuming you adjusted your default auth for the console as well... We don't recommend doing that, for the very reason you are experiencing....
I've tried disconnecting the cables and connecting a laptop directly to it, but that didn't work either; I've even tried rebooting the FI, but that didn't help. I didn't know that it's not recommended to change from local to LDAP; I was just trying to troubleshoot why LDAP isn't working in the first place.
Unfortunately we no longer have a support contract for that product. Is there any method other than destroying the fabric settings, please?
If all else fails, follow this procedure to log back in:
Instead of following the standard password recovery procedure, only power cycle the subordinate fabric interconnect, break into loader prompt, load the kickstart image and change the password. You are not required to remove the L1-L2 cables.
Now when the subordinate boots up, log into it via CLI with your new password and create a user.
The following example creates the user account named kikipopo, enables the user account, sets the password to foo12345, and commits the transaction:
UCS-A# scope security
UCS-A /security # create local-user kikipopo
UCS-A /security/local-user* # set account-status active
UCS-A /security/local-user* # set password
Enter a password:
Confirm the password:
UCS-A /security/local-user* # commit-buffer
UCS-A /security/local-user #
If required, assign an admin, operations, etc role to the new user.
The following example assigns the operations role to the kikipopo local user account and commits the transaction:
UCS-A# scope security
UCS-A /security # scope local-user kikipopo
UCS-A /security/local-user # create role operations
UCS-A /security/local-user* # commit-buffer
UCS-A /security/local-user #
**You can use this newly created user to login to UCSM via Virtual IP address and change the 'admin' user password that was lost. Once this is complete, the new password will sync to the subordinate.**
Ok, I've got myself a console cable, hooked it up, got connected, and opened the loader successfully; however, I couldn't figure out what my kickstart image's full name is :((((
Pardon me, I am not so familiar with the device, how can I get the image name to be able to load it?
I have an update.
I ran "dir" to get the loaded image, booted it and followed your instructions and here's what happened:
Now what :)