Cannot login LDAP user to Director

Article ID: 169934

Products: Director

Issue/Introduction

An LDAP user is created correctly on the Director CLI using the command

#ldap-server

It has been enabled, a privilege level has been assigned and the configuration has been saved.

The LDAP user configured on Director matches exactly the settings it has on the Active Directory itself.

However, when trying to log in with this LDAP user to Director, even using SSH-Simple, the Java window with the Director menu options appears on top, but then a connection error is shown:

Unable to connect to Director
<Director hostname or IP address>
Reason: Could not connect to <Director hostname or IP address>

Other LDAP users can connect fine, so the issue is not Director to AD connectivity.

Cause

Director has a limit of 16 characters for LDAP usernames. This may not have been highlighted in existing documentation. Dots ('.') in the username are not an issue.


Environment

The LDAP user that is failing is long (more than 16 characters long), while the other LDAP usernames that are working are short (16 characters or less).

Resolution

There are 2 possible solutions to this:

1. Create a new LDAP user on AD first, with a username of 16 characters or less, and
define/use that on Director.

(config)# ldap-server username <username> userprincipalname <userprincipalname>

where userprincipalname is a user attribute specified in the Active
Directory server; this attribute uniquely identifies a user across multiple
domains and in AD it is typically the name of the user in e-mail address
format.

(config)# ldap-server username <username> userprincipalname <userprincipalname> enable

(config)# ldap-server username <username> userprincipalname <userprincipalname> privilege {1 | 7 | 15}

(config)# write memory

Note: Refer to Director Configuration and Management Guide for more information on how to do this, especially if you wanted to include Delegated Admin users and user groups, as well:

https://support.symantec.com/content/unifiedweb/en_US/article.DOC10075.html

section "(Optional) Enable and Authorize Access for Each AD User on the Director"

2. Create a local user for that person instead if AD modification is not possible.
Please note that local usernames are limited to 8 alphanumeric characters.

Director GUI -> Actions -> Configure User
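As an added pre-check (example code written for this article, not Director's own tooling or any Symantec script): the script below takes a list of AD userPrincipalNames, flags any whose user part exceeds the 16-character LDAP username limit described above, checks whether a candidate name would fit the 8-alphanumeric local-user limit from option 2, and prints the config-mode command sequence from option 1 for the names that pass. The allowed character set beyond dots, the default privilege level of 15 and the sample UPNs (with a placeholder domain) are assumptions made for the example.

```python
import re

# Limits stated in the article: Director LDAP usernames are capped at 16
# characters; local Director users are capped at 8 alphanumeric characters.
LDAP_USERNAME_MAX = 16
LOCAL_USERNAME_MAX = 8

# The article only says dots are fine in an LDAP username; the rest of the
# allowed set below is an assumption, not something the article specifies.
LDAP_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")
LOCAL_USERNAME_RE = re.compile(r"^[A-Za-z0-9]+$")
DIRECTOR_PRIVILEGES = (1, 7, 15)


def username_from_upn(upn: str) -> str:
    """Return the user part of a userPrincipalName such as 'j.doe@corp.example'."""
    return upn.split("@", 1)[0]


def check_ldap_username(username: str) -> list:
    """Problems that would stop this LDAP username from logging in to Director."""
    problems = []
    if len(username) > LDAP_USERNAME_MAX:
        problems.append(
            f"{len(username)} characters exceeds the {LDAP_USERNAME_MAX}-character LDAP username limit"
        )
    if not LDAP_USERNAME_RE.match(username):
        problems.append("contains characters outside the assumed allowed set [A-Za-z0-9._-]")
    return problems


def check_local_username(username: str) -> list:
    """Problems that would stop this name being used for a local Director user."""
    problems = []
    if len(username) > LOCAL_USERNAME_MAX:
        problems.append(
            f"{len(username)} characters exceeds the {LOCAL_USERNAME_MAX}-character local user limit"
        )
    if not LOCAL_USERNAME_RE.match(username):
        problems.append("local usernames must be alphanumeric only")
    return problems


def director_ldap_commands(username: str, upn: str, privilege: int = 15) -> list:
    """Config-mode command sequence from the article that enables one LDAP user."""
    if privilege not in DIRECTOR_PRIVILEGES:
        raise ValueError(f"privilege must be one of {DIRECTOR_PRIVILEGES}")
    base = f"ldap-server username {username} userprincipalname {upn}"
    return [base, f"{base} enable", f"{base} privilege {privilege}", "write memory"]


def preflight(upns, privilege: int = 15) -> dict:
    """Classify each UPN before touching Director.

    Returns {upn: ("ok", [commands])} for names that fit the LDAP limit and
    {upn: ("reject", [problems])} for names that would fail to log in, so an
    AD alias or local account can be arranged before the user hits the error.
    """
    report = {}
    for upn in upns:
        user = username_from_upn(upn)
        problems = check_ldap_username(user)
        if problems:
            report[upn] = ("reject", problems)
        else:
            report[upn] = ("ok", director_ldap_commands(user, upn, privilege))
    return report


if __name__ == "__main__":
    # Constructed sample UPNs; the domain is a placeholder, not a real one.
    sample = [
        "j.doe@corp.example",              # 5 characters: fine
        "jonathan.smithson@corp.example",  # 17 characters: will fail to log in
    ]
    for upn, (status, detail) in preflight(sample).items():
        print(upn, status)
        for line in detail:
            print("   ", line)
```

Run it over the list of UPNs you intend to enable; anything reported as "reject" needs either a shorter AD account (option 1) or a local user (option 2) before the Director configuration is saved, which avoids the confusing "Could not connect" dialog for the end user.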