For those who have set up LDAP authentication against Active Directory for UCS Manager 1.4.x, you may have noticed that there’s a discrepancy between the screenshots and CLI output provided in the configuration guide:
As shown in the screenshot below, we are instructed to configure the LDAP Group Rule as follows:
If you look closely at the instructions, you'll see that the screenshot actually shows:
Group Recursion: non-recursive
… but the CLI output below shows:
Group traversal: Recursive
I’ve gone through the instructions numerous times but cannot find any indication as to what that setting is supposed to be configured as.
So which one are you supposed to select?
What I ended up doing was a series of tests to try the 2 options, and both appear to work for our setup. With that being said, the Active Directory groups we used for testing are only 1 level deep. The reason why I'm talking about Active Directory group levels here is because, after giving it some thought while having my Active Directory thinking cap on, I think this setting is for whether you want UCS Manager to authenticate users who are more than 1 level deep. By this I mean that Active Directory allows you to have a group as a member of another group (that sounds confusing, so maybe this will help):
Notice how we have the group Exchange Recipient Administrators which has another group Exchange Organization Administrators in the Members tab?
I suspect that if we do not turn on Group traversal: Recursive, users who are in nested groups such as this will not authenticate.
I have yet to get a chance to test my theory but when I do, I’ll update this post.
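To illustrate the difference the post is describing, here is an added example (not code from the original post or from UCS Manager) that simulates how a non-recursive versus a recursive group rule would evaluate a user whose only path to the required group runs through a nested group. The directory entries, user names and DNs are constructed sample data mirroring the Exchange groups shown above.

```python
# Added example (not from the original post): simulate how a "non-recursive"
# versus "recursive" LDAP group rule decides whether a user's nested Active
# Directory group membership satisfies a UCS Manager group rule.
# The directory below is constructed sample data, not a real AD export.

# Each entry maps a DN to its direct "memberOf" values. Exchange Organization
# Administrators is itself a member of Exchange Recipient Administrators,
# mirroring the nesting described in the post.
MEMBER_OF = {
    "CN=alice,OU=Users,DC=example,DC=local": [
        "CN=Exchange Organization Administrators,OU=Groups,DC=example,DC=local",
    ],
    "CN=bob,OU=Users,DC=example,DC=local": [
        "CN=Exchange Recipient Administrators,OU=Groups,DC=example,DC=local",
    ],
    "CN=Exchange Organization Administrators,OU=Groups,DC=example,DC=local": [
        "CN=Exchange Recipient Administrators,OU=Groups,DC=example,DC=local",
    ],
    "CN=Exchange Recipient Administrators,OU=Groups,DC=example,DC=local": [],
}

def effective_groups(dn, recursive, directory=MEMBER_OF):
    """Return the set of group DNs that count toward a group rule.

    recursive=False mirrors 'Group Recursion: non-recursive': only the
    user's direct memberOf values are considered.
    recursive=True mirrors 'Group traversal: Recursive': parent groups are
    followed until no new groups appear (the visited set guards against
    circular nesting, which AD permits).
    """
    direct = set(directory.get(dn, []))
    if not recursive:
        return direct
    seen, stack = set(), list(direct)
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(directory.get(group, []))
    return seen

def group_rule_allows(dn, required_group, recursive):
    """Decide whether the LDAP group rule admits this user."""
    return required_group in effective_groups(dn, recursive)

if __name__ == "__main__":
    target = "CN=Exchange Recipient Administrators,OU=Groups,DC=example,DC=local"
    for user in ("alice", "bob"):
        dn = f"CN={user},OU=Users,DC=example,DC=local"
        for mode in (False, True):
            print(user, "recursive" if mode else "non-recursive",
                  group_rule_allows(dn, target, mode))
```

Running it shows bob (a direct member) admitted in both modes, while alice (a member only via the nested group) is admitted only when the rule is recursive.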