In my previous post, I hypothesized that "Domain Users" simply contained too many members. I was wrong.
After performing a couple of packet captures, I found that "Domain Users" was not an attribute returned in the "memberOf" property. This seems to be a known response as "Domain Users" is typically classified as a "PrimaryGroup" and is therefore recorded in the "PrimaryGroupID" attribute.
Since UCS is only looking @ the "memberOf" attribute, "Domain Users" would not be returned. I've made Cisco TAC aware of this discovery. Whether it gets added as a bug or is simply relegated as a low hanging feature request is anybodies guess. In the very least, I feel better to get this monkey off my back.
UCS LDAP Workflow (as how it looked in my packet capture):
- UCS makes a LDAP bind call querying for the entered username for its "DN" and "memberOf" attributes.
- Once the information is returned, UCS appears to check the list of attributes in "memberOf"
- If UCS finds a match, it essentially grants whatever role access is granted to that LDAP group.
- UCS does query the LDAP group, but I'm unsure as to why it does this. Seems redundant.