Cisco TelePresence Video Communication Server Expressway
Appendix 5 – Troubleshooting
VCS Deployment Guide: Authenticating VCS accounts using LDAP (VCS X7.2)
Viewing / searching LDAP database
Windows
LDAP database viewers, such as the graphical “Softerra LDAP Administrator” package, let you look at
the LDAP database contents.
Using the login credentials provided for the VCS, the LDAP viewer allows you to browse around to find
users and groups.
You can check that users and groups are in appropriate paths by selecting the user or group and
looking at its DN (distinguished name): the DN of a user should be a superset of the Base DN for
accounts; the DN of a group should be a superset of the Base DN for groups.
Unix / Linux
ldapsearch (a program that is part of the OpenLDAP suite) can be used to query LDAP databases, for example:
ldapsearch -v -x -W \
  -D "cn=vcs,ou=systems,ou=region1,ou=useraccounts,dc=corporation,dc=int" \
  -b cn=p.brown,ou=it,ou=region1,ou=useraccounts,dc=corporation,dc=int \
  -h server.corporation.int
This command binds to the LDAP server "server.corporation.int" as "vcs" and returns the directory information stored
for the "p.brown" account (which would show information such as group membership).
For more information on ldapsearch, on a system supporting ldapsearch type:
man ldapsearch
Unable to log in after switching to remote authentication
Even when remote authentication is selected, the admin login remains accessible using the password
configured on VCS.
Check that the LDAP and group settings on the VCS are correct. In particular, check for typing
mistakes and use of spaces – spaces are allowed in group names.
AD “Domain Users” group fails to allow login
Default Active Directory groups such as the “Domain Users” group are seen as empty groups over
LDAP and so should not be used as groups to define access rights. If they are selected, VCS will treat
them as groups with no users.
Although when browsing in AD the “Domain Users” group is seen to have members (automatically
added), when an LDAP search is performed on it, no member list is provided. VCS uses the LDAP
member list to identify whether a user is a member of the group, and therefore whether that user
should have the access rights of that group.
If a group does not provide access to the expected group of users, use an LDAP browser and check
that there is a member list and that it contains the expected users.
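The checks described in this appendix (user and group DNs sitting under their Base DNs, and a group member list that contains the user) can be run against saved ldapsearch output. The Python below is an added example, not part of the Cisco guide; the "VCS Admins" group, the Base DN values and the sample LDIF are constructed for illustration, and DN comparison is simplified to case-insensitive RDN matching.

```python
import base64
import re
# Constructed sample shaped like ldapsearch output (not from a real directory).
SAMPLE_LDIF = """\
dn: CN=VCS Admins,OU=groups,DC=corporation,DC=int
member: CN=p.brown,OU=it,OU=region1,OU=useraccounts,DC=corpor
 ation,DC=int

dn: CN=Domain Users,CN=Users,DC=corporation,DC=int
"""

def parse_ldif(text):
    """Parse LDIF into {attr: [values]} dicts; handles folded and base64 lines."""
    entries, cur = [], {}
    for line in re.sub(r"\r?\n ", "", text).splitlines() + [""]:
        if not line.strip():          # blank line ends an entry
            if "dn" in cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            cur.setdefault(attr.lower(), []).append(value.strip())
    return entries

def rdns(dn):
    """Split a DN into lower-cased RDNs, leaving escaped commas intact."""
    return tuple(p.strip().lower() for p in re.split(r"(?<!\\),", dn))

def under_base(dn, base_dn):
    """True if dn is at or below base_dn, compared RDN by RDN (not substring)."""
    d, b = rdns(dn), rdns(base_dn)
    return d[-len(b):] == b

def check_access(ldif, user_dn, group_dn, accounts_base, groups_base):
    """List the reasons user_dn would not receive group_dn's access rights."""
    groups = {rdns(e["dn"][0]): e for e in parse_ldif(ldif)}
    problems = []
    if not under_base(user_dn, accounts_base):
        problems.append("user DN is outside the Base DN for accounts")
    if not under_base(group_dn, groups_base):
        problems.append("group DN is outside the Base DN for groups")
    group = groups.get(rdns(group_dn), {})
    if not group.get("member"):       # empty over LDAP, e.g. AD "Domain Users"
        problems.append("group has no member list over LDAP")
    elif rdns(user_dn) not in {rdns(m) for m in group["member"]}:
        problems.append("user is not in the group's member list")
    return problems
```

An empty list from check_access means none of the problems covered in this appendix were found for that user and group.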