LDAP UCS Group Maps w/ AD groups more than 1000 members bug?

[SHORT UPDATE: My hypothesis was wrong]
[FULL UPDATE: Click here]

Summary:
Seems like I always run into bugs w/ UCS's LDAP and AD integration.  This time it appears that UCS has issues w/ associating users that are members of AD groups that contain more than 1000 members.  I say 1000 members because in all likelihood UCS's programming is calling this method:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa366953%28v=vs.85%29.aspx
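Whether a group lookup actually ran into AD's value-count limit is something you can check from any LDAP client, independent of UCS: a domain controller does not return a multi-valued attribute such as member in one piece once it exceeds MaxValRange (1500 by default on current DCs, 1000 on Windows 2000). It returns the first slice under the attribute description member;range=0-1499 and expects the client to ask for member;range=1500-* and so on until a slice comes back labelled with * as its upper bound. The Python below is an added example, not code from this post or from Cisco UCS, and it talks to no real directory: FakeADGroup is a constructed stand-in that slices a made-up 3200-member group the way a DC would. It shows the check (is the answer a partial slice?) and the range walk a client must do to see every member; a client that ignores the range option sees only the first slice, or nothing at all if it looks the attribute up by its plain name. Keep in mind the update at the top of the post: the author later found this was not the cause of the problem.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Matches LDAP attribute descriptions such as "member;range=0-1499" or "member;range=3000-*".
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.IGNORECASE)


def parse_range(attr_desc: str) -> Optional[Tuple[str, int, Optional[int]]]:
    """Return (attribute, lo, hi) for a ranged description; hi is None when the server wrote '*'.
    Returns None when the description carries no range option at all."""
    m = RANGE_RE.match(attr_desc)
    if m is None:
        return None
    hi = None if m.group("hi") == "*" else int(m.group("hi"))
    return m.group("attr"), int(m.group("lo")), hi


def is_truncated(entry: Dict[str, List[str]], attr: str = "member") -> bool:
    """True when the server answered with a partial slice of `attr` (a range with a numeric
    upper bound), i.e. a client that takes the attribute as returned will miss members."""
    for desc in entry:
        parsed = parse_range(desc)
        if parsed and parsed[0].lower() == attr.lower() and parsed[2] is not None:
            return True
    return False


class FakeADGroup:
    """Constructed stand-in for a DC serving one group entry; mimics MaxValRange slicing of
    `member`. Not a real LDAP server: it only answers the attribute descriptions a range walk
    sends, and it returns an empty entry when asked for a range past the last member."""

    def __init__(self, members: List[str], max_val_range: int = 1500):
        # 1500 is AD's default MaxValRange on current DCs (Windows 2000 used 1000).
        self.members = members
        self.max_val_range = max_val_range

    def search(self, attr_desc: str) -> Dict[str, List[str]]:
        parsed = parse_range(attr_desc)
        if parsed is None:
            lo = 0
            if len(self.members) <= self.max_val_range:
                return {"member": list(self.members)}  # small group: no range option at all
        else:
            _, lo, _ = parsed
            if lo >= len(self.members):
                return {}
        hi_excl = min(lo + self.max_val_range, len(self.members))
        # The final slice is labelled '*'; every earlier slice carries its inclusive upper index.
        label = "*" if hi_excl == len(self.members) else str(hi_excl - 1)
        return {f"member;range={lo}-{label}": self.members[lo:hi_excl]}


def naive_members(search: Callable[[str], Dict[str, List[str]]], attr: str = "member") -> List[str]:
    """What a client that ignores the range option sees: the first slice only."""
    entry = search(attr)
    return next(iter(entry.values()), [])


def fetch_all_members(search: Callable[[str], Dict[str, List[str]]], attr: str = "member") -> List[str]:
    """Walk AD range retrieval: ask for attr, then attr;range=<last+1>-* until a slice is labelled '*'."""
    values: List[str] = []
    request = attr
    while True:
        entry = search(request)
        if not entry:
            return values
        desc, vals = next(iter(entry.items()))
        values.extend(vals)
        parsed = parse_range(desc)
        if parsed is None or parsed[2] is None:
            return values  # unranged answer, or the final slice
        request = f"{attr};range={parsed[2] + 1}-*"


if __name__ == "__main__":
    # Constructed sample data: a 3200-member group, well past the default MaxValRange.
    big = FakeADGroup([f"CN=user{i},OU=Users,DC=example,DC=com" for i in range(3200)])
    first = big.search("member")
    print("truncated:", is_truncated(first), "keys:", list(first))
    print("naive client sees", len(naive_members(big.search)), "members")
    print("range walk sees", len(fetch_all_members(big.search)), "members")
```

Against a real DC the same walk is `ldapsearch -b "<group DN>" member` followed by `member;range=1500-*`; if the first answer comes back as `member;range=0-1499`, any client that does not follow the range is working from an incomplete membership list.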

Details:
In my case, I was referencing 'domain users' and granting read-only.  Testing the users from the CLI interface would show that the user account would authenticate just fine, as follows:
connect nxos
test aaa server ldap nameofADserver usernametoTest cleartextpassword
user has been authenticated

Screenshot:

In the end, the problem seems to be that UCS is unable to map the user to the group that grants the UCS role access because of the 1000 member limit.

Workaround:
Quite simply, map an AD group that has fewer than 1000 members to a UCS defined role.  I've opened a TAC case for further investigation.

2 comments:

Anonymous said...

Thanks for your helpful blog post.
Has this issue been resolved so far? What was the outcome of the TAC case?

Chris Nakagaki said...

Yes. You can find info here: http://tech.zsoldier.com/2013/09/ucs-ldap-authentication-domain-users.html