Friday, March 11, 2011

Cisco UCS Manager 1.4.x LDAP / AD authentication configuration – Is Group Recursion supposed to be set to “non-recursive” or “recursive”?

For those who have set up LDAP authentication against Active Directory for UCS Manager 1.4.x, you may have noticed that there’s a discrepancy between the screenshots and CLI output provided in the configuration guide:

[screenshot: CAE 1.4.1 UCS LDAP and Multiple Authentication Server Configuration]

As shown in the screenshot below, we are instructed to configure the LDAP Group Rule as follows:

[screenshot]

If you look closely at the instructions, you’ll see that the screenshot actually shows:

Group Recursion: non-recursive

[screenshot]

… but the CLI output below shows:

Group traversal: Recursive

[screenshot]

I’ve gone through the instructions numerous times but cannot find any indication as to what that setting is supposed to be configured as.

So which one are you supposed to select?

[screenshot]

What I ended up doing was a series of tests trying both options, and both appear to work for our setup. With that said, the Active Directory groups we used for testing are only 1 level deep. The reason I’m bringing up Active Directory group levels is that, after giving it some thought with my Active Directory thinking cap on, I think this setting controls whether you want UCS Manager to authenticate users who are more than 1 level deep. By this I mean that Active Directory allows you to have a group as a member of another group (that sounds confusing, so maybe this will help):

[screenshot]

Notice how we have the group Exchange Recipient Administrators which has another group Exchange Organization Administrators in the Members tab?

I suspect that if we do not turn on Group traversal: Recursive, users that are in nested groups such as this will not authenticate.

I have yet to get a chance to test my theory but when I do, I’ll update this post.

3 comments:

chris said...

Did you ever get the memberOf / recursive lookup to work for nested groups? I just can't at the moment.

John Wade said...

Sure looks like this is conceptually broken (from doing an nxos debug ldap all).

With recursion turned on, the UCS system will search for the user, then retrieve all the groups they are a member of. If the groups are defined in a group map, it will then proceed to recursively search for groups that those groups are members of. (Which works.) However, unless the group that is in the group map is one the user is a member of directly, it will never check for the members of that group. So for a typical recommended AD nested group configuration, where you want to assign the users to a Global group and the permissions (i.e. Group Map) to a Domain Local group and then nest the Global in the Domain Local, it will never check the membership of the Global group to find the Domain Local.

Oh well, maybe it will be fixed in 3.0
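The three behaviours discussed above (the non-recursive setting, the full nested-group walk the post author expects from "recursive", and the partial recursion John Wade reports seeing in the debug output) side by side, as an added example that is not from the post, the commenter or Cisco. The directory entries, group names and group map are constructed for illustration; the code models the described behaviour over an AD-style memberOf attribute, it does not reproduce UCS Manager's own implementation.

```python
from collections import deque

# Constructed sample directory (not from the post): each DN's memberOf values.
MEMBER_OF = {
    "cn=alice": ["cn=UCS-Admins-Global"],                   # alice -> Global group only
    "cn=bob": ["cn=UCS-Admins-DomainLocal"],                # bob is directly in the mapped group
    "cn=UCS-Admins-Global": ["cn=UCS-Admins-DomainLocal"],  # Global nested inside Domain Local
    "cn=UCS-Admins-DomainLocal": [],
}
# Constructed LDAP group map: only the Domain Local group carries a UCS role.
GROUP_MAP = {"cn=UCS-Admins-DomainLocal": "admin"}


def direct_groups(dn):
    return list(MEMBER_OF.get(dn, []))


def roles_non_recursive(user):
    """Group traversal: non-recursive -- only the user's direct memberOf values count."""
    return {GROUP_MAP[g] for g in direct_groups(user) if g in GROUP_MAP}


def roles_full_recursive(user):
    """Walk the entire memberOf chain (transitive closure): what an admin would
    expect 'recursive' to mean for nested AD groups."""
    seen, queue = set(), deque(direct_groups(user))
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        queue.extend(direct_groups(g))
    return {GROUP_MAP[g] for g in seen if g in GROUP_MAP}


def roles_as_observed(user):
    """Behaviour John Wade describes from 'debug ldap all': the walk only
    continues from groups that are themselves in the group map, so a mapped
    group reached only through an unmapped intermediate group is never found."""
    seen, queue = set(), deque(direct_groups(user))
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        if g in GROUP_MAP:  # unmapped groups (e.g. the Global group) are not expanded
            queue.extend(direct_groups(g))
    return {GROUP_MAP[g] for g in seen if g in GROUP_MAP}
```

Run against the sample data, alice (Global nested in the mapped Domain Local group) gets the admin role only from the full walk, while bob (a direct member of the mapped group) gets it from all three, which is why a one-level-deep test group cannot tell the settings apart.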
