Solved: SSM On-Prem Most recent update removed LDAP user's access to Smart Account

klopez138 · ‎05-24-2021

Upgraded our SSM on-prem to 8-202102 and now when logging in as LDAP user, we're getting an alert that "no account has been assigned" to the user. Also when granting the user's request to access the smart account, there is an odd error shown that just says "base", and the user is never granted access to the account. I've tried every possible configuration as far as specifying which virtual account the user is being granted access to and none of them worked. Is anyone else seeing this issue? If so, it would be great to hear what the fix is.

Thanks

andrewswanson · ‎05-26-2021

Hi

Yes, I had some ldap issue after upgrading. From the Cisco user guide:

https://www.cisco.com/web/software/286326948/157149/SSM_On-Prem_8_User_Guide.pdf

LDAP Groups tab: LDAP user groups are defined on the LDAP server and consist of groups of LDAP users. SSM
On‐Prem integration with LDAP allows it to assign RBAC to the accounts and Local Virtual Accounts for each
LDAP group. Therefore, instead of assigning individual users one at a time for access to the Account and Local
Virtual Accounts in SSM On‐Prem Users tab, you can use the LDAP Groups tab to assign these resources to
whole LDAP user groups.

NOTE: After upgrading to the On‐Prem 8‐202102 release, LDAP Users are not listed in either the
Account Management > Users tabs. In addition, all existing LDAP Users in the User Groups tab
are removed.

If you were using LDAP groups on releases prior to 8-202102 this functionality has
changed significantly. OnPrem v8-202102 now only supports adding LDAP Groups
(versus users in previous versions). Before upgrading to v8-202102,
and have upgraded to a more recent release, after logging into your upgraded
version, you will need to navigate to Admin Workspace > Access Management
Widget >LDAP Groups Tab and click Update LDAP Data. Your LDAP groups will
be updated.

ldap users couldn't access the admin workspace in my deployment (only the license workspace). I went to Access Management > LDAP Groups (admin workspace) to allocate the group as "System admin" to rectify.

hth
Andy

View solution in original post

andrewswanson · ‎05-26-2021

Hi

Yes, I had some ldap issue after upgrading. From the Cisco user guide:

https://www.cisco.com/web/software/286326948/157149/SSM_On-Prem_8_User_Guide.pdf

LDAP Groups tab: LDAP user groups are defined on the LDAP server and consist of groups of LDAP users. SSM
On‐Prem integration with LDAP allows it to assign RBAC to the accounts and Local Virtual Accounts for each
LDAP group. Therefore, instead of assigning individual users one at a time for access to the Account and Local
Virtual Accounts in SSM On‐Prem Users tab, you can use the LDAP Groups tab to assign these resources to
whole LDAP user groups.

NOTE: After upgrading to the On‐Prem 8‐202102 release, LDAP Users are not listed in either the
Account Management > Users tabs. In addition, all existing LDAP Users in the User Groups tab
are removed.

If you were using LDAP groups on releases prior to 8-202102 this functionality has
changed significantly. OnPrem v8-202102 now only supports adding LDAP Groups
(versus users in previous versions). Before upgrading to v8-202102,
and have upgraded to a more recent release, after logging into your upgraded
version, you will need to navigate to Admin Workspace > Access Management
Widget >LDAP Groups Tab and click Update LDAP Data. Your LDAP groups will
be updated.

ldap users couldn't access the admin workspace in my deployment (only the license workspace). I went to Access Management > LDAP Groups (admin workspace) to allocate the group as "System admin" to rectify.

hth
Andy

klopez138 · ‎05-26-2021

That was it! Thanks a lot for your help. I was able to get the LDAP settings updated and restore access to my LDAP accounts. Thanks again for the help!