Note: As of MC 22.214.171.124, pcaps can be taken in Management Center. Please upgrade to Management Center 126.96.36.199 at a minimum and take pcaps while reproducing the issue; they help in troubleshooting login problems and connections to LDAP servers.
In Management Center there are two options for setting up LDAP.
Each of these options offers different advantages. LDAP is meant for fine tuning, whereas Active Directory LDAP is meant for simple setups. Answering a few questions should show which option to select.
The above three questions give the reason for using LDAP or Active Directory LDAP. If the answer to question 2 is a hard YES and the others are yes or preferred, then you want to use LDAP. The reason is that Active Directory LDAP uses the user who is logging in as the bind user and queries the whole domain. If this is not preferred, the option is to use LDAP instead. Let's go through each option.
Note: configure either AD LDAP or LDAP, never both. Configuring both will break things in MC.
Only recommended for small environments because delays can occur for large environments as MC will search the entire domain when enabled.
Remember with this option Management Center will query the whole domain and the bind request will be made with the user who is logging into Management Center.
The way to set up LDAP is to configure the basic settings first and get them working. Once that works, lock it down further and customize it to your needs. The basic requirements for Management Center are the following:
At this point leave everything else as default as outlined in the example, Default is everything not in the red box:
Then try to log in as a user. If the login fails, make sure the login domain and the DC domain are similar, as it is most likely failing while trying to reach the DC or because the DC is not allowing the bind of that user. The following logs will be helpful in troubleshooting:
You should see a Kerberos error that points to the problem. In all locations you should see a failure that explains the problem. From here you can change the settings to meet those needs. Failing this, you will have to use LDAP, because you have a multi-layer domain that requires deeper configuration, which can only be done in the LDAP settings page. Let's say the above settings work. Once an LDAP user logs in, Management Center creates that user under Users. By default the user only has view-only rights. From here the Management Center Admin can assign this user any role or customize it. You then have the following options to further customize Active Directory LDAP settings:
Let's say 'User must have permission' to login is selected. When the user tries to log in, they get an error saying you don't have permissions to login. The Management Center Admin then has to log in and assign this user the appropriate role. As an alternative, you can use the 'Sync the group membership' option. For this to work, the group in Active Directory and the group in Management Center must match exactly. Once you create the group in Management Center, you can assign it to a particular permission role, and whichever user is part of this group gets that permission. Role attribute works exactly the same way. The only difference is that the attribute has to be a string attribute, for example the Department field in the user properties in Active Directory.
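To make the interaction of these three options concrete, here is an added illustration (not Management Center code) of the role-resolution behaviour described above: a newly seen user gets view-only rights, 'User must have permission' refuses login until an admin assigns a role, 'Sync the group membership' and 'Role attribute' map exactly matching names to roles. The entry layout, option names and sample values are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_ROLE = "view-only"  # a newly created LDAP user only has view-only rights


@dataclass
class McConfig:
    user_must_have_permission: bool = False
    sync_group_membership: bool = False
    role_attribute: Optional[str] = None          # string attribute, e.g. "department"
    # Management Center group name or attribute value -> MC role; matched exactly
    mapped_roles: Dict[str, str] = field(default_factory=dict)


def cn_of(dn: str) -> str:
    """Group CN of a DN: 'CN=NetOps,OU=Groups,DC=corp,DC=example' -> 'NetOps'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def resolve_role(entry: Dict[str, List[str]], cfg: McConfig) -> Optional[str]:
    """Role for an authenticated LDAP entry, or None when login must be refused."""
    candidates: List[str] = []
    if cfg.sync_group_membership:
        # AD group names must match the MC group names exactly (case and spelling).
        candidates += [cn_of(dn) for dn in entry.get("memberOf", [])]
    if cfg.role_attribute:
        # The role attribute must be a string attribute such as Department.
        candidates += entry.get(cfg.role_attribute, [])
    for name in candidates:
        if name in cfg.mapped_roles:   # exact match only, no case folding
            return cfg.mapped_roles[name]
    if cfg.user_must_have_permission:
        return None                    # "you don't have permissions to login"
    return DEFAULT_ROLE                # admin can raise the role later under Users


# Constructed sample entries, as an AD search might return them.
NETOPS_USER = {"memberOf": ["CN=NetOps,OU=Groups,DC=corp,DC=example"], "department": ["Security"]}
LOWERCASE_USER = {"memberOf": ["CN=netops,OU=Groups,DC=corp,DC=example"]}
```

A group named `netops` in AD will not match an MC group named `NetOps`, which is the most common reason group sync appears to do nothing.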
LDAP can be used for Microsoft Active Directory or another LDAP server.
LDAP settings and Active Directory settings are similar for the most part, so I recommend you read above for the meaning of the shared options. The nice part about LDAP settings versus Active Directory LDAP settings is that here we can specify exactly where to search in the Active Directory domain tree instead of going to the root.
With all of the above configured with your LDAP-specific information, Management Center should now be able to use LDAP for Admin login.