| (2 intermediate revisions not shown) |
| Line 1: |
Line 1: |
| - | == Configure LDAP (Active Directory) for user authentication ==
| + | '''This page has been moved to [http://docwiki.cisco.com/wiki/Reporting_Configuration:_Configure_LDAP_%28Active_Directory%29_for_user_authentication Reporting Configuration: Configure LDAP (Active Directory) for user authentication]''' |
| - | | + | |
| - | {| border="1"
| + | |
| - | |-
| + | |
| - | ! '''Problem Summary'''
| + | |
| - | | Domain user cannot log in through LDAP server
| + | |
| - | |-
| + | |
| - | ! '''Error Message'''
| + | |
| - | | Invalid username or password. Please try again.
| + | |
| - | |-
| + | |
| - | ! '''Possible Cause'''
| + | |
| - | | The LDAP parameters are incorrect or incomplete
| + | |
| - | |-
| + | |
| - | ! '''Recommended Action'''
| + | |
| - | |Sample parameters:
| + | |
| - | Host Address for Active Directory Server: 192.168.1.2
| + | |
| - | port: 389
| + | |
| - | "Use SSL" is not checked
| + | |
| - | Host Address for Redundant Active Directory Server:
| + | |
| - | Manager Distinguished Name: CN=Administrator, CN=Users, DC=myCompany, DC=com
| + | |
| - | Manager Password: <password for user administrator>
| + | |
| - | User Search Base: CN=Users, DC=myCompany, DC=com
| + | |
| - | Attribute for User ID: sAMAccountName
| + | |
| - | | + | |
| - | Sample value 2 for Manager Distinguished Name: CN=user1,OU=icm8,OU=UCCE80,OU=Cisco_ICM_domain,DC=UCCE80,DC=cisco,DC=com
| + | |
| - | Sample value 3 for Manager Distinguished Name: CN=testuser,OU=Employees,OU=Cisco Users,DC=cisco,DC=com
| + | |
| - |
| + | |
| - | Tip 1: The values of OU could be case sensitive.
| + | |
| - | Tip 2: The max number of characters for Manager Distinguished Name field cannot exceed 85.
| + | |
| - | | + | |
| - | '''Action Plan-1:''' Verify following in CUIC setup
| + | |
| - | 1. Verify the users credentials are correct in Active Directory
| + | |
| - | 2. Verify the user is logging in with the correct Domain pre-pended to their Active Directory username. Verify they have not been locked out in Active Directory for too many failed login attempts.
| + | |
| - | 3. Verify that the Active Directory server configured in OAMP is the same one used by UCCE/ICM. Verify the Manager Distinguished Name has the correct Domain name as that used by the ICM Server: CN=Administrator, CN=users, DC=MYDOMAIN, DC=COM
| + | |
| - | | + | |
| - | '''Action Plan-2:''' If Domain user is not able to login to CUIC yet, do the following:
| + | |
| - | | + | |
| - | Step-1: In OAMP Active Directory configuration page, check if User Search Base has 'CN=Users' in it. This is needed except incase User Search Base is already CN=Domain Users. Try To login to CUIC with supervisor name prepended with proper domain name
| + | |
| - | Step-2: If Step-1 doesn’t work, If user is not able to login still, modify to 'CN=Domain Users' in User Search Base and try to login
| + | |
| - | Step-3: If Step-2 doesn’t work, change following
| + | |
| - | Attribute for User ID = userPrincipalName
| + | |
| - | User Search Base search base, modify to = CN=Domain Users
| + | |
| - | And then try to login to CUIC with user id as testuser@bioscripinc.net (for this to work Ldap should be configured to accept both UserPrincipleName for login)
| + | |
| - | | + | |
| - | '''If AD user is still not able to login
| + | |
| - | '''
| + | |
| - | 1.Login to Active directory using 'Active Directory Explorer by Microsoft' or Softerra LDAP browser
| + | |
| - | 2.Navigate to the AD account name
| + | |
| - | 3.Look for attribute distinguishedName, it would be something like "CN=UserName,DC=Users,DC=CompanyName,DC=COM...."
| + | |
| - | 4.Copy every thing from distinguishedName except CN=UserName to 'User Search Base' element in OAMP Active directory configuration page
| + | |
| - | 5.Make 'User ID Attribute' to userPrincipleName and from LDAP browser findout the userPrincipleName Attibute
| + | |
| - | Use the same thing to login to CUIC, login name would be like testuser@company.com
| + | |
| - | 6.If user is not able to login to CUIC, then problem might be with Active directory LDAP authentication, then
| + | |
| - | Make 'User ID Attribute' to samAccountName and from LDAP browser find out the samAccountName Attibute
| + | |
| - | Use the same thing to login to CUIC, login name would be like 'company\testuser'
| + | |
| - | | + | |
| - | |-
| + | |
| - | ! '''Release'''
| + | |
| - | | Release 8.0(1)
| + | |
| - | |-
| + | |
| - | ! '''Associated CDETS#/ Similar SRs '''
| + | |
| - | | 614786193,615387559,614830251, cdets-defectid:CSCth62535 '''
| + | |
| - | |-
| + | |
| - | |}
| + | |
| - | [[Category: Configuration Examples]]
| + | |
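Review bot: The removed sample parameters pair "port: 389" and '"Use SSL" is not checked' with "Manager Distinguished Name: CN=Administrator, CN=Users, ...", so with SSL off the bind to the directory is unencrypted and the bind identity is the domain Administrator account. If this text is carried over to the destination page, change the sample to an SSL-enabled connection and a dedicated low-privilege bind account rather than copying it as-is. Two smaller points for the moved text: the removed Step-3 line uses what looks like a real domain in "testuser@bioscripinc.net" where the later steps use the placeholder "testuser@company.com", and the later steps spell the attribute "userPrincipleName" while Step-3 has the correct "userPrincipalName"; a reader who types the misspelled name into "Attribute for User ID" will not match any account. On the added line, the move notice links to the new page over plain http://; prefer an https:// link if the wiki serves one.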