Cannot login LDAP user to Director

Article Id: 169934
Status: Published
Updated On: 27-08-2018 08:58
Legacy Id: TECH247204
Products:
Director
Issue/Introduction:

An LDAP user is created corrected on Director CLI using command

#ldap-server

It has been enabled, pivilege assigned and configuration saved.

The LDAP user configured on Director matches exactly the settings it has on the Active Directory itself.

However, when trying to login LDAP user to Director even using SSH-Simple,
we get the Java window with Director menu options showing on top but then,
we get an error to connect.



Other LDAP users can connect fine, so the issue is not Director to AD connectivity. Unable to connect to Director
<Director hostname or IP address>
Reason: Could not connect to <Director hostname or IP address>

Cause:

Director has a limit of 16 characters when it comes to LDAP usernames. This may not
have been highlighted in existing documentation. It can contains dots '.' no issue
with this.
 

Environment:

The LDAP user that is failing is long (more than 16 characters long), while the other LDAP usernames that are working are short (16 characters or less).

Resolution:

There are 2 possible solutions to this:

1. Create new LDAP user on AD first, which is 16 characters or less in length and
define/use that on Director.

(config)# ldap-server username <username> userprincipalname <userprincipalname>

where, userprincipalname is a user attribute that is specified in the Active
Directory server; this attribute uniquely identifies a user across multiple
domains and in AD it is typically the name of a user in an e-mail address
format.

(config)# ldap-server username <username> userprincipalname <userprincipalname> enable

(config)# ldap-server username <username> userprincipalname <userprincipalname> privilege {1 | 7 | 15}

(config)# write memory

Note: Refer to Director Configuration and Management Guide for more information on how to do this, especially if you wanted to include Delegated Admin users and user groups, as well:

https://support.symantec.com/content/unifiedweb/en_US/article.DOC10075.html

section "(Optional) Enable and Authorize Access for Each AD User on the Director"

2. Create a local user instead for that user if AD modification is not possible.
Please note that local users have a limit of 8 alphanumeric characters.

Director GUI -> Actions -> Configure User