UCS LDAP Authentication "Domain Users" will not work

[Update: Cisco has opened a bug for this.  Expected to be fixed in 2.2 release, but you can track the progress here: CSCui60138]

Summary:
In my previous post, I hypothesized that "Domain Users" simply contained too many members.  I was wrong.

Details:
After performing a couple of packet captures, I found that "Domain Users" was not an attribute returned in the "memberOf" property.  This seems to be a known response as "Domain Users" is typically classified as a "PrimaryGroup" and is therefore recorded in the "PrimaryGroupID" attribute.

Since UCS is only looking @ the "memberOf" attribute, "Domain Users" would not be returned.  I've made Cisco TAC aware of this discovery.  Whether it gets added as a bug or is simply relegated as a low hanging feature request is anybodies guess.  In the very least, I feel better to get this monkey off my back.

UCS Version:
2.1(1a)

UCS LDAP Workflow (as how it looked in my packet capture):

  1. UCS makes a LDAP bind call querying for the entered username for its "DN" and "memberOf" attributes.
  2. Once the information is returned, UCS appears to check the list of attributes in "memberOf"
  3. If UCS finds a match, it essentially grants whatever role access is granted to that LDAP group.
  4. UCS does query the LDAP group, but I'm unsure as to why it does this.  Seems redundant.
Additional Notes:

No comments: