Cisco Cisco TelePresence Video Communication Server Expressway
Appendix 1: Troubleshooting
Viewing / searching LDAP database
Windows
LDAP database viewers, such as the graphical “Softerra LDAP Administrator” package, let you look at the
LDAP database contents.
LDAP database contents.
Using the login credentials provided for the VCS, the LDAP viewer allows you to browse around to find users
and groups.
and groups.
You can check that users and groups are in appropriate paths by selecting the user or group and looking at its
DN (distinguished name): the DN of a user should be a superset of the Base DN for accounts; the DN of a
group should be a superset of the Base DN for groups.
DN (distinguished name): the DN of a user should be a superset of the Base DN for accounts; the DN of a
group should be a superset of the Base DN for groups.
Unix / Linux
ldapsearch (a program that is part of the openldap suite) can be used to query ldap databases, for example
ldapsearch -v -x -W –D "cn=exp,ou=systems,ou=region1,ou=useraccounts,dc=corporation,dc=in
t" -b cn=p.brown,ou=it,ou=region1,ou=useraccounts,dc=corporation,dc=int
-h server.corporation.int
will bind to the ldap server "server.corporation.int" as "exp" and returns the directory information stored for the
"p.brown" account (which would show information such as group membership).
"p.brown" account (which would show information such as group membership).
For more information on ldapsearch, on a system supporting ldapsearch type:
man ldapsearch
Unable to log in after switching to remote authentication
Even when remote authentication is selected, the admin login remains accessible using the password
configured on VCS.
configured on VCS.
Check that the LDAP and group settings on the VCS are correct. In particular, check for typing mistakes and
use of spaces – spaces are allowed in group names.
use of spaces – spaces are allowed in group names.
AD “Domain Users” group fails to allow login
Default Active Directory groups such as the “Domain Users” group are seen as empty groups over LDAP and
so should not be used as groups to define access rights. If they are selected, VCS treats them as groups
with no users.
so should not be used as groups to define access rights. If they are selected, VCS treats them as groups
with no users.
Although when browsing in AD the “Domain Users” group is seen to have members (automatically added),
when an LDAP search is performed on it, no member list is provided. VCS uses the LDAP member list to
identify whether a user is a member of the group, and therefore whether that user should have the access
rights of that group.
when an LDAP search is performed on it, no member list is provided. VCS uses the LDAP member list to
identify whether a user is a member of the group, and therefore whether that user should have the access
rights of that group.
If a group does not provide access to the expected group of users, use an LDAP browser and check that
there is a member list and that it contains the expected users.
there is a member list and that it contains the expected users.
Authenticating VCS Accounts Using LDAP Deployment Guide (X8.1)
Page 11 of 20
Appendix 1: Troubleshooting