Cisco Cisco Expressway
Appendix 1: Troubleshooting
Viewing / searching LDAP database
Windows
LDAP database viewers, such as the graphical “Softerra LDAP Administrator” package, let you look at the
LDAP database contents.
LDAP database contents.
Using the login credentials provided for the Expressway, the LDAP viewer allows you to browse around to
find users and groups.
find users and groups.
You can check that users and groups are in appropriate paths by selecting the user or group and looking at its
DN (distinguished name): the DN of a user should be a superset of the Base DN for accounts; the DN of a
group should be a superset of the Base DN for groups.
DN (distinguished name): the DN of a user should be a superset of the Base DN for accounts; the DN of a
group should be a superset of the Base DN for groups.
Unix / Linux
ldapsearch (a program that is part of the openldap suite) can be used to query ldap databases, for example
ldapsearch -v -x -W –D "cn=exp,ou=systems,ou=region1,ou=useraccounts,dc=corporation,dc=in
t" -b cn=p.brown,ou=it,ou=region1,ou=useraccounts,dc=corporation,dc=int
-h server.corporation.int
will bind to the ldap server "server.corporation.int" as "exp" and returns the directory information stored for the
"p.brown" account (which would show information such as group membership).
"p.brown" account (which would show information such as group membership).
For more information on ldapsearch, on a system supporting ldapsearch type:
man ldapsearch
Unable to log in after switching to remote authentication
Even when remote authentication is selected, the admin login remains accessible using the password
configured on Expressway.
configured on Expressway.
Check that the LDAP and group settings on the Expressway are correct. In particular, check for typing
mistakes and use of spaces – spaces are allowed in group names.
mistakes and use of spaces – spaces are allowed in group names.
AD “Domain Users” group fails to allow login
Default Active Directory groups such as the “Domain Users” group are seen as empty groups over LDAP and
so should not be used as groups to define access rights. If they are selected, Expressway treats them as
groups with no users.
so should not be used as groups to define access rights. If they are selected, Expressway treats them as
groups with no users.
Although when browsing in AD the “Domain Users” group is seen to have members (automatically added),
when an LDAP search is performed on it, no member list is provided. Expressway uses the LDAP member
list to identify whether a user is a member of the group, and therefore whether that user should have the
access rights of that group.
when an LDAP search is performed on it, no member list is provided. Expressway uses the LDAP member
list to identify whether a user is a member of the group, and therefore whether that user should have the
access rights of that group.
If a group does not provide access to the expected group of users, use an LDAP browser and check that
there is a member list and that it contains the expected users.
there is a member list and that it contains the expected users.
Cisco Expressway Authenticating Accounts Using LDAP Deployment Guide (X8.5)
Page 10 of 19
Appendix 1: Troubleshooting