Cisco Cisco TelePresence Video Communication Server Expressway
Appendix 1: Troubleshooting
Viewing / Searching LDAP Database
Windows
LDAP database viewers, such as the graphical “Softerra LDAP Administrator” package, let you look at the LDAP
database contents.
database contents.
Using the login credentials provided for the VCS, the LDAP viewer allows you to browse around to find users and
groups.
groups.
You can check that users and groups are in appropriate paths by selecting the user or group and looking at its DN
(distinguished name): the DN of a user should be a superset of the Base DN for accounts; the DN of a group should be
a superset of the Base DN for groups.
(distinguished name): the DN of a user should be a superset of the Base DN for accounts; the DN of a group should be
a superset of the Base DN for groups.
Unix / Linux
ldapsearch (a program that is part of the openldap suite) can be used to query ldap databases, for example
ldapsearch -v -x -W –D "cn=exp,ou=systems,ou=region1,ou=useraccounts,dc=corporation,dc=int" -b
cn=p.brown,ou=it,ou=region1,ou=useraccounts,dc=corporation,dc=int
cn=p.brown,ou=it,ou=region1,ou=useraccounts,dc=corporation,dc=int
-h server.corporation.int
will bind to the ldap server "server.corporation.int" as "exp" and returns the directory information stored for the
"p.brown" account (which would show information such as group membership).
"p.brown" account (which would show information such as group membership).
For more information on ldapsearch, on a system supporting ldapsearch type:
man ldapsearch
Unable to Log in After Switching to Remote Authentication
Even when remote authentication is selected, the admin login remains accessible using the password configured on
VCS.
VCS.
Check that the LDAP and group settings on the VCS are correct. In particular, check for typing mistakes and use of
spaces – spaces are allowed in group names.
spaces – spaces are allowed in group names.
AD “Domain Users” Group Fails to Allow Login
Default Active Directory groups such as the “Domain Users” group are seen as empty groups over LDAP and so should
not be used as groups to define access rights. If they are selected, VCS treats them as groups with no users.
not be used as groups to define access rights. If they are selected, VCS treats them as groups with no users.
Although when browsing in AD the “Domain Users” group is seen to have members (automatically added), when an
LDAP search is performed on it, no member list is provided. VCS uses the LDAP member list to identify whether a user
is a member of the group, and therefore whether that user should have the access rights of that group.
LDAP search is performed on it, no member list is provided. VCS uses the LDAP member list to identify whether a user
is a member of the group, and therefore whether that user should have the access rights of that group.
If a group does not provide access to the expected group of users, use an LDAP browser and check that there is a
member list and that it contains the expected users.
member list and that it contains the expected users.
11
Authenticating Cisco VCS Accounts Using LDAP Deployment Guide