Reporting Configuration: Configure LDAP (Active Directory) for user authentication

From DocWiki

Revision as of 08:52, 21 September 2010 by Rpandara (Talk | contribs)

Configure LDAP (Active Directory) for user authentication

Problem Summary: Domain user cannot log in through LDAP server
Error Message: Invalid username or password. Please try again.
Possible Cause: The LDAP parameters are incorrect or incomplete
Recommended Action: Sample parameters:
Host Address for Active Directory Server: 192.168.1.2 
Port: 389
"Use SSL" is not checked 
Host Address for Redundant Active Directory Server:
Manager Distinguished Name: CN=Administrator, CN=Users, DC=myCompany, DC=com 
Manager Password: <password for user administrator> 
User Search Base: CN=Users, DC=myCompany, DC=com 
Attribute for User ID: sAMAccountName 
Sample value 2 for Manager Distinguished Name: CN=user1,OU=icm8,OU=UCCE80,OU=Cisco_ICM_domain,DC=UCCE80,DC=cisco,DC=com
Sample value 3 for Manager Distinguished Name: CN=testuser,OU=Employees,OU=Cisco Users,DC=cisco,DC=com

Tip 1: The values of OU could be case sensitive.
Tip 2: The Manager Distinguished Name field cannot exceed 85 characters.

Action Plan-1: Verify the following in the CUIC setup

1. Verify that the user's credentials are correct in Active Directory.
2. Verify that the user is logging in with the correct domain prepended to their Active Directory username. Verify that they have not been locked out in Active Directory for too many failed login attempts.
3. Verify that the Active Directory server configured in OAMP is the same one used by UCCE/ICM. Verify that the Manager Distinguished Name has the same domain name as that used by the ICM Server: CN=Administrator, CN=users, DC=MYDOMAIN, DC=COM

Action Plan-2: If the domain user is still not able to log in to CUIC, do the following:

Step-1: In the OAMP Active Directory configuration page, check whether User Search Base has 'CN=Users' in it. This is needed unless User Search Base is already CN=Domain Users. Try to log in to CUIC with the supervisor name prepended with the proper domain name.
Step-2: If Step-1 doesn't work and the user is still not able to log in, change User Search Base to 'CN=Domain Users' and try to log in.
Step-3: If Step-2 doesn't work, change the following:
 Attribute for User ID = userPrincipalName
 User Search Base = CN=Domain Users
Then try to log in to CUIC with the user ID as testuser@bioscripinc.net (for this to work, LDAP should be configured to accept userPrincipalName for login).

If the AD user is still not able to log in:

1. Log in to Active Directory using 'Active Directory Explorer by Microsoft' or Softerra LDAP browser.
2. Navigate to the AD account name.
3. Look for the attribute distinguishedName; it would be something like "CN=UserName,DC=Users,DC=CompanyName,DC=COM...."
4. Copy everything from distinguishedName except CN=UserName to the 'User Search Base' element in the OAMP Active Directory configuration page.
5. Set 'User ID Attribute' to userPrincipalName and, from the LDAP browser, find the userPrincipalName attribute.
Use the same value to log in to CUIC; the login name would be like testuser@company.com
6. If the user is still not able to log in to CUIC, the problem might be with Active Directory LDAP authentication. In that case:
Set 'User ID Attribute' to sAMAccountName and, from the LDAP browser, find the sAMAccountName attribute.
Use the same value to log in to CUIC; the login name would be like 'company\testuser'
Release: Release 8.0(1)
Associated CDETS#/Similar SRs: 614786193, 615387559, 614830251, cdets-defectid:CSCth62535
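
Steps 3 and 4 of the distinguishedName procedure, together with the 85-character limit from Tip 2, can be checked offline before the values are typed into OAMP. The following is an added example, not part of the original page or of any Cisco tool; the function names and the sample DNs are assumptions made for illustration. It handles a CN that contains an escaped comma, where a plain split on "," would produce a wrong User Search Base.

```python
MAX_MANAGER_DN_LEN = 85  # field limit stated in Tip 2

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    parts, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(current).lstrip())
            current = []
        else:
            current.append(dn[i])
        i += 1
    parts.append("".join(current).lstrip())
    return [p for p in parts if p]

def user_search_base(user_dn):
    """Steps 3-4: drop the leading CN=UserName, keep the rest of the DN."""
    rdns = split_rdns(user_dn)
    if len(rdns) < 2 or not rdns[0].upper().startswith("CN="):
        raise ValueError("expected a user DN that starts with CN=<name>")
    return ",".join(rdns[1:])

def check_manager_dn(dn):
    """Return a list of problems with a Manager Distinguished Name value."""
    problems = []
    if len(dn) > MAX_MANAGER_DN_LEN:
        problems.append(f"length {len(dn)} exceeds {MAX_MANAGER_DN_LEN}")
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not (attr.strip() and sep and value):
            problems.append(f"malformed component: {rdn!r}")
    return problems

if __name__ == "__main__":
    # Constructed sample DNs; the second has an escaped comma in the CN.
    samples = [
        "CN=testuser,OU=Employees,OU=Cisco Users,DC=cisco,DC=com",
        r"CN=Smith\, John,OU=Employees,OU=Cisco Users,DC=cisco,DC=com",
    ]
    for dn in samples:
        print("User Search Base:", user_search_base(dn))
    print(check_manager_dn("CN=Administrator, CN=Users, DC=myCompany, DC=com"))
```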
