Cisco Bug: CSCur48635 - Multi-role LDAP authentication on DCNM fails

Last Modified

Mar 05, 2018

Products (1)

  • Cisco Data Center Network Manager

Known Affected Releases

6.3(1) 6.3(2)

Description (partial)

Symptom:
LDAP authentication works when a single AD group is mapped to switch roles; however, when multiple AD groups are mapped, authentication fails with an error on the DCNM server.

Here a "single" group means one AD group mapped to one or more switch roles.
"Multiple" means two or more AD users in separate groups who should each be assigned roles according to their membership in those distinct groups.

This should be configurable via the "Map to DCNM Role:" field (leaving the "Role Admin Group:" field blank).
Syntax:
"Map to DCNM Role: AD-group1:network-admin,sme-admin;AD-group2:network-operator,sme-operator..."
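The following parser for the mapping syntax above is an added illustration, not DCNM's own retrieveRoles code; it assumes the format is entries separated by ";", each "group:role[,role...]", and validates a mapping before resolving the roles for a user's AD group memberships.

```python
"""Parser for the 'Map to DCNM Role' syntax quoted in the bug symptom.
Added example (not DCNM code); assumed format: 'grp1:roleA,roleB;grp2:roleC'."""
from typing import Dict, Iterable, List


def parse_role_map(mapping: str) -> Dict[str, List[str]]:
    """Return {ad_group: [dcnm_roles]} for a mapping string.

    Raises ValueError on a malformed entry so a bad configuration is
    reported up front rather than surfacing as an index error at login.
    """
    result: Dict[str, List[str]] = {}
    for raw in mapping.split(";"):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing ';'
        group, sep, roles = entry.partition(":")
        group = group.strip()
        if not sep or not group:
            raise ValueError(f"malformed entry, expected group:roles: {entry!r}")
        role_list = [r.strip() for r in roles.split(",") if r.strip()]
        if not role_list:
            raise ValueError(f"no roles listed for group {group!r}")
        result.setdefault(group, []).extend(role_list)
    return result


def resolve_roles(mapping: str, member_of: Iterable[str]) -> List[str]:
    """Roles a user receives given the AD groups they belong to.

    A user in no mapped group gets an empty list; in restriction mode the
    caller should treat that as an authentication failure, not as admin.
    """
    role_map = parse_role_map(mapping)
    roles: List[str] = []
    for group in member_of:
        for role in role_map.get(group, []):
            if role not in roles:
                roles.append(role)
    return roles


# Constructed sample mirroring the two-group syntax quoted in the bug.
EXAMPLE_MAP = "AD-group1:network-admin,sme-admin;AD-group2:network-operator,sme-operator"

if __name__ == "__main__":
    print(parse_role_map(EXAMPLE_MAP))
    print(resolve_roles(EXAMPLE_MAP, ["AD-group2"]))
```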

When testing this configuration, the DCNM web interface displays the following error message:
"LDAP Authentication failed: Roles can not be retrieved and it's in restriction mode: String index out of range: -1"

From FMserver.log:
2014.10.29 09:43:04  WARN  [fms.security] Problem retrieveRoles: String index out of range: -1
2014.10.29 09:43:04  WARN  [fms.security] Roles can not be retrieved and it's in restriction mode: String index out of range: -1

Conditions:
N/A