AnsweredAssumed Answered

Problem with LDAP authentication for one user

Question asked by jmakowski on Oct 21, 2013
Latest reply on Nov 6, 2015 by cnuche

Like • Show 0 Likes0
Comment • 6

Hi all.

We have a CUCM 9.1 cluster set up with IMP v9.1.

We set CUCM up with LDAP to Microsoft AD for user synch and authentication. Jabber logs in to IMP through CUCM integration and the CUCM LDAP authentication.

We have one user who cannot log in to Jabber. They get a "Username or Password is incorrect" error. This user CAN log in to the IMP which is set for Single Sign-On via an Open-AM server.

Open-AM is only used for the web services in the IMP server. Jabber cannot use SSO yet.

This user also CANNOT log in to the ccmuser page on CUCM. They get "An LDAP error has occurred".

This user has no problem logging in to their workstation with their AD login and password. They have no problem logging in to their Unity Connection voicemail user page (ciscopca) with their AD username and password.

This problem only seems to affect them authenticating through CUCM (which IMP uses as well).

For other users there is no problem. AD accounts work in all UC applications. It's just this one user.

Their username is long, but not the longest in the company. No special characters or anything. Three of us have looked at the End User account in CUCM and the AD account itself. Absolutely nothing seems amiss with either.

I even removed the End User from "Standard CCM End Users" and "Standard CTI enabled" and then added them back, yet they still cannot log on.

Any suggestions on what to check?

Thanks,

Jim Makowski

Senior Systems Analyst

Mathematica Policy Research, Inc.

No one else has this question

Outcomes

dakeller Oct 23, 2013 4:38 PM

Jim,

Since this is on UCM 9.1, I would recommend opening a TAC case to resolve this issue. But I might be able to offer some guidance. Since it's only this user, that indicates there is something specific to this user that is causing the issue. The Jabber login failure is concerning, but the CCM User page login is the one that worries me more. Are you sure that there is only one user with that name. Can you check that a similar user name is not in the application user list (vs the end user list). Also, if you name a rather innocuous change on LDAP, do you see that change propagated into CUCM? When an LDAP users is synched into CUCM, we keep the LDAP synch info for updates and removal if the synch agreemeent. Also, is the user marked as a local user? Although a local user and LDAP user with the same last name and userid will coalesce into a single LDAP synched user, if there is a name difference, you may have a second user that is being matched against the login attempt.

If this is not the case, I recommend contacting TAC and opening a case to get the issue resolved.

Thanks,

Dan Keller

Technical Marketing Engineer

Actions

jmakowski @ dakeller on Oct 23, 2013 4:59 PM

Dan,

Thanks for responding. There is only one user with this name. There are no similar Application Users and no other even remotely similar End User.

I made an innocuous change (to the Department field) and did a re-sync of AD. The change did propagate to CUCM. The user still cannot log in to Jabber or the CCM User page.

The user is not marked as a Local User, the User Status is "Active LDAP Synchronized User ".

I will open a case with TAC.

Thanks for the guidance though.

Actions

dakeller @ jmakowski on Oct 23, 2013 5:14 PM

Jim,

Yes at this time, there will need to a be a deeper investigation into this specific user to see why the issue persists. I'm sure trace files will need to be checked. Based on what you are indicating, it almost sounds like there is an LDAP config that my prevent the user from logging in, but that does not absolve the UCM from having the issue. If you can update this thread after working with TAC, I would appreciate the update.

Thanks,

Dan Keller

Technical Marketing Engineer

Actions

steve-fall @ dakeller on Nov 4, 2013 8:36 PM

Hi Dan

I have had similar problem with occasional users on CUCM 8.0.3/CUPS 8.6.4

Symptoms

1. User CANNOT log in to Jabber

2. User can log in to CUCM user page (/ccmuser)

3. User can log in to Unity Conn (/ciscopca)

4. User can log in to CUP user options (/cupuser)

5. Examination of LDAP attributes (ldifde dump) shows surname (or other LDAP attribute) has non human readable value (i.e. Txfy=0023nDncY)

Actions

1. Correct the LDAP entry and resync CUCM with LDAP, user still unable to log in to Jabber.

2. Rename the AD user alias (sAMAccountName) and resync CUCM with LDAP, user NOW able to log in to Jabber

2. Rename the AD user alias (sAMAccountName) to the original name and resync CUCM with LDAP, user is still able to log in to Jabber.

This leads me to believe there is something in LDAP that Jabber 4 Windows did not like, even after the obvious value was corrected.

Thanks

Steve Fall

UC Architect

Harman International

Actions

oliverpowell @ jmakowski on Oct 21, 2015 4:18 PM

Hi James,

Did you resolve this issue?

I have a similar issue with one user on a new cluster. All others are fine.

Any update is appreaciated.

Cheers

Oli

Actions

cnuche Nov 6, 2015 12:43 PM

Hi,

First of all, please make sure the user id, first name, last name, etc do not have any special characters.

Next, make sure that none of the values on the user entry or the CCMAdmin user's config page have the string 'href' / 'HREF' or 'eval' / 'EVAL' or 'pkid' / 'PKID' on it, those are reserved word for the system.

HTH.

Christian Nuche.

Cisco TAC

Actions

6 Replies

dakeller Oct 23, 2013 4:38 PM
Mark Correct
Correct Answer
Jim,

Since this is on UCM 9.1, I would recommend opening a TAC case to resolve this issue. But I might be able to offer some guidance. Since it's only this user, that indicates there is something specific to this user that is causing the issue. The Jabber login failure is concerning, but the CCM User page login is the one that worries me more. Are you sure that there is only one user with that name. Can you check that a similar user name is not in the application user list (vs the end user list). Also, if you name a rather innocuous change on LDAP, do you see that change propagated into CUCM? When an LDAP users is synched into CUCM, we keep the LDAP synch info for updates and removal if the synch agreemeent. Also, is the user marked as a local user? Although a local user and LDAP user with the same last name and userid will coalesce into a single LDAP synched user, if there is a name difference, you may have a second user that is being matched against the login attempt.
If this is not the case, I recommend contacting TAC and opening a case to get the issue resolved.

Thanks,
Dan Keller
Technical Marketing Engineer
Like • Show 0 Likes0
Actions
jmakowski @ dakeller on Oct 23, 2013 4:59 PM
Mark Correct
Correct Answer
Dan,

Thanks for responding. There is only one user with this name. There are no similar Application Users and no other even remotely similar End User.

I made an innocuous change (to the Department field) and did a re-sync of AD. The change did propagate to CUCM. The user still cannot log in to Jabber or the CCM User page.

The user is not marked as a Local User, the User Status is "Active LDAP Synchronized User ".

I will open a case with TAC.

Thanks for the guidance though.
Like • Show 0 Likes0
Actions
dakeller @ jmakowski on Oct 23, 2013 5:14 PM
Mark Correct
Correct Answer
Jim,

Yes at this time, there will need to a be a deeper investigation into this specific user to see why the issue persists. I'm sure trace files will need to be checked. Based on what you are indicating, it almost sounds like there is an LDAP config that my prevent the user from logging in, but that does not absolve the UCM from having the issue. If you can update this thread after working with TAC, I would appreciate the update.

Thanks,
Dan Keller
Technical Marketing Engineer
Like • Show 0 Likes0
Actions
steve-fall @ dakeller on Nov 4, 2013 8:36 PM
Mark Correct
Correct Answer
Hi Dan

I have had similar problem with occasional users on CUCM 8.0.3/CUPS 8.6.4

Symptoms

1. User CANNOT log in to Jabber
2. User can log in to CUCM user page (/ccmuser)
3. User can log in to Unity Conn (/ciscopca)
4. User can log in to CUP user options (/cupuser)
5. Examination of LDAP attributes (ldifde dump) shows surname (or other LDAP attribute) has non human readable value (i.e. Txfy=0023nDncY)

Actions

1. Correct the LDAP entry and resync CUCM with LDAP, user still unable to log in to Jabber.
2. Rename the AD user alias (sAMAccountName) and resync CUCM with LDAP, user NOW able to log in to Jabber
2. Rename the AD user alias (sAMAccountName) to the original name and resync CUCM with LDAP, user is still able to log in to Jabber.

This leads me to believe there is something in LDAP that Jabber 4 Windows did not like, even after the obvious value was corrected.

Thanks

Steve Fall
UC Architect
Harman International
Like • Show 0 Likes0
Actions
oliverpowell @ jmakowski on Oct 21, 2015 4:18 PM
Mark Correct
Correct Answer
Hi James,

Did you resolve this issue?
I have a similar issue with one user on a new cluster. All others are fine.

Any update is appreaciated.

Cheers
Oli
Like • Show 0 Likes0
Actions
cnuche Nov 6, 2015 12:43 PM
Mark Correct
Correct Answer
Hi,
First of all, please make sure the user id, first name, last name, etc do not have any special characters.
Next, make sure that none of the values on the user entry or the CCMAdmin user's config page have the string 'href' / 'HREF' or 'eval' / 'EVAL' or 'pkid' / 'PKID' on it, those are reserved word for the system.

HTH.

Christian Nuche.
Cisco TAC
Like • Show 0 Likes0
Actions

Jivefor Cisco - My Cisco Community

Problem with LDAP authentication for one user

Outcomes

Related Content