Cisco UCS Manager AD authentication

Hello all

I have had this on my to-do for a while and finally got around to finishing it – using AD authentication on Cisco UCS Manager (UCSM). Now this is not something necessarily complicated but the official guides expect you to use a single AD domain and use sAMAccountName as the userid attribute. We have a large forest with a single root domain a lot of child domains all with parent-child trust to the root domain. We do not have sAMAccountName uniqueness across domains so instead we use userPrincipalName as the unique identifier for users. Users can also come from any of the child domains so to avoid having to add every domain we usually add a connection to Global Catalog instead. A note – the images below are from the UCSM 3.1 HTML5 interface but it is the same in the older 2.2 Java interface.

Now lets get into it. First things first we need to add domain controllers. I suggest you add two for redundancy purposes. Go to the Admin pane and down to User Management and unfold LDAP. Right click LDAP Providers and click Add.

In the image below I input some mock info but the important parts are to set the full DN of the user UCS should use to bind to AD. If you are using a multi domain forest set Base DN to the root domains Base DN and set the port to 3268 for GC LDAP and 3269 for GC LDAPS (remember to check the SSL box). Set the Filter to userPrincipalName=$userid. Input the password for the Bind account and select MS AD.

LDAP providerClick Next and you will be taken to the LDAP Group Rule and set Group Authorization Enabled and Group Recursion to Recursive. The rest should be default and now look like this:

LDAP group ruleWe now need to make a LDAP Provider Group. Right click the LDAP Provider Group and click Add. Give the group a name and add your domain controllers:

LDAP Provider GroupClick OK to finish creating the provider group. Now we need to add some group mappings for use with Group Authorization. Right click LDAP Group Maps and click Add. In the GUI below input the group DN and select which roles they should have. You can use the built in roles or create your own. Click OK to save.

LDAP Group MapsFinally, and this is where the magic happens, add a new Authentication Domain. Unfold Authentication under User Management and right click Authentication Domains and click Add. Give your Domain a name (you will see this when you login) and Select LDAP. Once LDAP is selected a drop-down will be show where you can select the LDAP Provider Group you created earlier. Once done click OK to save.

Authentication Domain

From now on when you access the login page you will see a drop down in which you can select either Native or the name of your Authentication domain. Select your Authentication domain and input your userPrincipalName and password in the fields and enjoy using AD login!

Leave a Reply