06-25-2024 01:30 AM
Hi Cisco Community,
I am using FMC 7.6.2 and am trying to configure LDAP integration.
I have the realm set up and it tests OK.
When I run the synchronisation, the system reports that the groups were downloaded but 0 users were downloaded.
Syslog show this message regarding user sync:
"Could not find naming attribute (uid) for user with DN......."
I can't seem to find anywhere that will let me add a user attribute.
Has anyone encountered this before and/or know what the solution is?
Let me know if there is more information I can provide that would help.
Thanks team,
06-25-2024 01:54 AM
Can you check this link and elaborate on your issue a bit more?
https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/216313-configure-ra-vpn-using-ldap-authenticati.html
thanks a lot
MHM
06-26-2024 03:06 AM
Hi MHM,
Thanks for your response. I have checked off each step in the link you provided, and this matches the process I have completed, apart from the LDAP attribute mapping. I don't believe I need this yet, as I am not trying to map particular users to GPs.
I have deleted the LDAP config and am re-adding it and recording detailed steps to post for you, but I am getting some inconsistent results. Bear with me while I work out what is going on, and then I will post a detailed reply with my steps and the error I am getting.
06-26-2024 06:23 PM
https://www.youtube.com/watch?v=U7IwDJGupIM&t=189s
In this video, check how you can download users after you configure the AD or LDAP realm (under Groups and Users).
06-27-2024 05:50 PM
Thanks MHM.
I believe I have a correctly configured realm, which shows a successful test:
My base DN and group DN are set the same as on another (non-Cisco) system that is working.
Unfortunately, the system does not successfully download any users. I get this message showing after the synchronisation finishes:
0 users are downloaded.
Looking at Syslog on the FMC, I see these entries:
Jun 27 2024 16:11:38 LDAP_Server SF-IMS[18800]: [3414] ADI:adi.LdapRealm [INFO] Unable to search base='dc=dc1,dc=dc1' filter='(|(objectClass=group)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))'
Jun 27 2024 16:11:38 LDAP_Server SF-IMS[18800]: [3414] ADI:adi.LdapRealm [WARN] ldapsearch -x -b "dc=xxxx,dc=xxxx" -s 2 -l 3600 -z 0 -W "(|(objectClass=group)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))" CN failed with the result 10 - Referral
Jun 27 2024 20:42:19 LDAP_Server SF-IMS[18800]: [6478] ADI:adi.LdapRealm [ERROR] Could not find naming attribute (uid) for user with DN (cn=John Joe (63058469),ou=managed users,ou=standard users,ou=user accounts,dc=dc1,dc=dc2,dc=dc3,dc=dc4.
Interesting that the base filter in use here is:
filter='(|(objectClass=group)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))'
I have a non-Cisco system for which LDAP lookups to the same AD are working, and the filter it uses is:
(|(userprincipalname=<USER>)(sAMAccountName=<user>))
Not sure if this has something to do with it, but I cannot see a place on the FMC where I can adjust the filter to match.
06-28-2024 04:05 PM
The other vendor succeeds and FMC fails.
Can you check the allowed characters for FMC?
06-30-2024 11:15 PM
Confirmed with AD admin that we only use the above listed characters. Nothing unsupported.
According to the syslog messages, the users cannot be downloaded because they do not have the uid attribute set; I have confirmed with our AD team that we do not use this. This seems to be a very common setup. Do you think it means that for this to work we need to populate our uid attribute? I can't imagine everyone else has had to do this, or that not using uid is uncommon.
There should be a way to tell Cisco to use the SAM account name or CN for the attribute?!?
07-02-2024 03:14 AM
07-02-2024 04:07 PM
***Partially Solved***
Thanks MHM, this was indeed part of the problem. I had the realm set to LDAP, which is why the system was looking for uid.
I had originally tried using an AD realm, but this was not working with the default port. Once I changed the realm from LDAP to AD and the port from the default 636 to 3269, it started working, and now I can see users in the 'Sync Results'. I'm not sure if that port is something particular to my AD or not.
Next thing is to get this working with the RA VPN profile for user authentication.
Thanks again for staying with this and helping out.
07-02-2024 04:17 PM
you are so so welcome
have a nice summer
MHM
07-08-2024 12:49 PM - edited 07-08-2024 12:49 PM
By default, when you set up an AD realm, it defaults to an LDAP naming attribute of sAMAccountName and not uid, which is likely why it started working for you when switching from the LDAP to the AD realm type.
But I do want to point out that you can also change the naming attribute that you want to use when searching for users to something else, like uid or userPrincipalName. But this has to be done via FlexConfig. For instance, you would create and deploy a FlexConfig object like the following to do so.
Anyhow, that's my $.02...
07-08-2024 08:30 PM
Oh, that is interesting. Thanks jelloyd. I will have a play with that for sure.
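As an added example (not from the thread, and not Cisco code), the script below does the two checks this thread turns on. It triages FMC realm-sync syslog lines of the kind the original poster quoted into the two failure modes seen here: the LDAP referral (result 10) on the group search, and the missing naming attribute on the user search. It then checks a user entry for the naming attributes a realm could key on, which is what jelloyd's note about sAMAccountName versus uid comes down to. The syslog lines and the user entry are constructed to match the thread's DNs; the sAMAccountName and userPrincipalName values are invented. Port 3269 in the referral hint is the Global Catalog over SSL (3268 in the clear), which is the usual reason a GC port answers a forest-wide search without handing back referrals.

```python
import re

# Constructed sample syslog lines, modelled on the entries quoted in the thread.
# Hostnames and DNs are placeholders; the third line is an unrelated entry that
# the triage leaves alone.
SAMPLE_SYSLOG = [
    'Jun 27 2024 16:11:38 LDAP_Server SF-IMS[18800]: [3414] ADI:adi.LdapRealm [WARN] '
    'ldapsearch -x -b "dc=dc1,dc=dc1" -s 2 -l 3600 -z 0 -W '
    '"(|(objectClass=group)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))" CN '
    'failed with the result 10 - Referral',
    'Jun 27 2024 20:42:19 LDAP_Server SF-IMS[18800]: [6478] ADI:adi.LdapRealm [ERROR] '
    'Could not find naming attribute (uid) for user with DN '
    '(cn=John Joe (63058469),ou=managed users,ou=standard users,ou=user accounts,'
    'dc=dc1,dc=dc2,dc=dc3,dc=dc4.',
    'Jun 27 2024 20:42:20 LDAP_Server SF-IMS[18800]: [6478] ADI:adi.LdapRealm [INFO] '
    'Realm sync finished',
]

REFERRAL_RE = re.compile(
    r'ldapsearch .*?-b "(?P<base>[^"]+)".*?failed with the result (?P<code>\d+) - (?P<name>\w+)')
NAMING_RE = re.compile(
    r'Could not find naming attribute \((?P<attr>[^)]+)\) for user with DN \((?P<dn>.+)$')


def triage(lines):
    """Classify realm-sync log lines into the failure modes seen in the thread."""
    findings = []
    for line in lines:
        m = REFERRAL_RE.search(line)
        if m:
            base, code = m.group("base"), int(m.group("code"))
            findings.append({
                "kind": "referral",
                "base": base,
                "code": code,
                "hint": (f'search under "{base}" was answered with a referral (LDAP result '
                         f'{code}); for a multi-domain forest query a Global Catalog (3268, '
                         'or 3269 over SSL) or use the base DN of the domain that actually '
                         'holds the objects'),
            })
            continue
        m = NAMING_RE.search(line)
        if m:
            attr = m.group("attr")
            findings.append({
                "kind": "naming-attribute",
                "attr": attr,
                "dn": m.group("dn").rstrip(".)"),   # the log line is cut off after the DN
                "hint": (f"the realm looks up '{attr}' on every user and skips users "
                         "without it; AD accounts normally carry sAMAccountName and "
                         "userPrincipalName rather than uid, so use an AD realm "
                         "(sAMAccountName by default) or change the naming attribute"),
            })
    return findings


def rdn_attribute(dn):
    """Attribute type of the leading RDN ('cn' for the DN above). The realm's
    naming attribute is a separate setting and need not match the RDN type."""
    return dn.split("=", 1)[0].strip().lower()


NAMING_CANDIDATES = ("uid", "sAMAccountName", "userPrincipalName", "cn")


def has_attribute(entry, attr):
    """LDAP attribute types compare case-insensitively, so match that way."""
    wanted = attr.lower()
    return any(k.lower() == wanted and bool(v) for k, v in entry.items())


def usable_naming_attributes(entry):
    """Which of the common naming attributes a realm could key this user on."""
    return [a for a in NAMING_CANDIDATES if has_attribute(entry, a)]


# Constructed AD user shaped like the DN in the thread; account values are invented.
SAMPLE_USER = {
    "cn": "John Joe (63058469)",
    "sAMAccountName": "jjoe",
    "userPrincipalName": "jjoe@dc1.dc2.dc3.dc4",
    "objectClass": ["top", "person", "organizationalPerson", "user"],
}

if __name__ == "__main__":
    findings = triage(SAMPLE_SYSLOG)
    for f in findings:
        print(f"[{f['kind']}] {f['hint']}")
    print("RDN type of the skipped user:", rdn_attribute(findings[1]["dn"]))
    print("naming attributes present on the user:", usable_naming_attributes(SAMPLE_USER))
```

Run it against the FMC's own syslog export in place of SAMPLE_SYSLOG to see which of the two problems each sync hit; a user entry pulled with ldapsearch from the same base DN can be fed to usable_naming_attributes() to confirm, before changing the realm type, that sAMAccountName is actually populated for the accounts you expect to download.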