Reporting Configuration: Configure LDAP (Active Directory) for user authentication
Revision as of 08:52, 21 September 2010 by Rpandara
Configure LDAP (Active Directory) for user authentication
|Problem Summary||Domain user cannot log in through LDAP server|
|Error Message||Invalid username or password. Please try again.|
|Possible Cause||The LDAP parameters are incorrect or incomplete|
|Recommended Action||Sample parameters:
Host Address for Active Directory Server: 192.168.1.2 port: 389 "Use SSL" is not checked Host Address for Redundant Active Directory Server: Manager Distinguished Name: CN=Administrator, CN=Users, DC=myCompany, DC=com Manager Password: <password for user administrator> User Search Base: CN=Users, DC=myCompany, DC=com Attribute for User ID: sAMAccountName
Sample value 2 for Manager Distinguished Name: CN=user1,OU=icm8,OU=UCCE80,OU=Cisco_ICM_domain,DC=UCCE80,DC=cisco,DC=com Sample value 3 for Manager Distinguished Name: CN=testuser,OU=Employees,OU=Cisco Users,DC=cisco,DC=com Tip 1: The values of OU could be case sensitive. Tip 2: The max number of characters for Manager Distinguished Name field cannot exceed 85.
Action Plan-1: Verify following in CUIC setup
1. Verify the users credentials are correct in Active Directory 2. Verify the user is logging in with the correct Domain pre-pended to their Active Directory username. Verify they have not been locked out in Active Directory for too many failed login attempts. 3. Verify that the Active Directory server configured in OAMP is the same one used by UCCE/ICM. Verify the Manager Distinguished Name has the correct Domain name as that used by the ICM Server: CN=Administrator, CN=users, DC=MYDOMAIN, DC=COM
Action Plan-2: If Domain user is not able to login to CUIC yet, do the following:
Step-1: In OAMP Active Directory configuration page, check if User Search Base has 'CN=Users' in it. This is needed except incase User Search Base is already CN=Domain Users. Try To login to CUIC with supervisor name prepended with proper domain name Step-2: If Step-1 doesn’t work, If user is not able to login still, modify to 'CN=Domain Users' in User Search Base and try to login Step-3: If Step-2 doesn’t work, change following Attribute for User ID = userPrincipalName User Search Base search base, modify to = CN=Domain Users And then try to login to CUIC with user id as email@example.com (for this to work Ldap should be configured to accept both UserPrincipleName for login)
If AD user is still not able to login
1.Login to Active directory using 'Active Directory Explorer by Microsoft' or Softerra LDAP browser 2.Navigate to the AD account name 3.Look for attribute distinguishedName, it would be something like "CN=UserName,DC=Users,DC=CompanyName,DC=COM...." 4.Copy every thing from distinguishedName except CN=UserName to 'User Search Base' element in OAMP Active directory configuration page 5.Make 'User ID Attribute' to userPrincipleName and from LDAP browser findout the userPrincipleName Attibute Use the same thing to login to CUIC, login name would be like firstname.lastname@example.org 6.If user is not able to login to CUIC, then problem might be with Active directory LDAP authentication, then Make 'User ID Attribute' to samAccountName and from LDAP browser find out the samAccountName Attibute Use the same thing to login to CUIC, login name would be like 'company\testuser'
|Associated CDETS#/ Similar SRs||614786193,615387559,614830251, cdets-defectid:CSCth62535|