Configuring Cisco UCS

Creating a Local Authentication Domain

This sample configuration recommends that you create a local authentication domain before you configure LDAP settings in Cisco UCS Manager. Logging in as a local admin user guarantees that you will have the access rights required to complete the steps in this procedure, and could prevent you from having to spend time correcting an invalid configuration.

Before You Begin

Log into Cisco UCS Manager GUI as an admin user.

Procedure
    Step 1   In the Navigation pane, click the Admin tab.
    Step 2   On the Admin tab, expand All > User Management > Authentication.
    Step 3   Right-click Authentication Domains and select Create a Domain.
    Step 4   For the Name field, type local.
    Step 5   For the Realm, click the local radio button.
    Step 6   Click OK.

What to Do Next

Configure LDAP properties in Cisco UCS Manager.

Creating an LDAP Provider

This sample configuration does not include steps to configure LDAP with SSL.

Procedure
    Step 1   In the Navigation pane, click the Admin tab.
    Step 2   On the Admin tab, expand All > User Management > LDAP.
    Step 3   In the Work pane, click the General tab.
    Step 4   In the Actions area, click Create LDAP Provider.
    Step 5   In the Create LDAP Provider page of the wizard, do the following:
    1. In the Hostname field, type the IP address or the hostname of the AD server.
    2. In the Order field, accept the lowest-available default.
    3. In the BindDN field, copy and paste the BindDN from your AD configuration.

        For this sample configuration, the BindDN value is CN=ucsbind,OU=CiscoUsers,DC=sampledesign,DC=com.

    4. In the BaseDN field, copy and paste the BaseDN from your AD configuration.

        For this sample configuration, the BaseDN value is DC=sampledesign,DC=com.

    5. Leave the Enable SSL check box unchecked.
    6. In the Port field, accept the 389 default.
    7. In the Filter field, copy and paste the filter attribute from your AD configuration.

        Cisco UCS uses the filter value to determine whether the user name entered on the Cisco UCS Manager logon screen exists in AD.

        For this sample configuration, the filter value is sAMAccountName=$userid, where $userid is the user name you enter on the Cisco UCS Manager logon screen.

    8. Leave the Attribute field blank.
    9. In the Password field, type the password for the ucsbind account configured in AD.

        If you ever need to go back into the Create LDAP Provider wizard to reset the password, do not be alarmed if the password field is blank. The "Set: yes" message that appears next to the password field indicates that a password has been set.

    10. In the Confirm Password field, retype the password for the ucsbind account configured in AD.
    11. In the Timeout field, accept the 30 default.
    12. In the Vendor field, click the MS-AD radio button (Microsoft Active Directory).
    Step 6   Click Next.

What to Do Next

Configure the LDAP Group Rule.
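Two details of the provider settings above are worth checking before they are typed into the wizard: how the logon name is substituted into the Filter value (sAMAccountName=$userid), and whether the BindDN, BaseDN, port and SSL settings are consistent with each other. The following Python is an added example written for this document; it is not Cisco UCS Manager code and does not describe how the product substitutes $userid internally. The hostname, the wording of the findings and the checks themselves are assumptions for the example; the DN, filter, port and timeout values are the ones used in this sample configuration.

```python
"""
Added example (not Cisco UCS Manager code).

 1. build_user_filter() substitutes the logon user name into the Filter
    template (sAMAccountName=$userid) with RFC 4515 escaping for '*', '(',
    ')', '\\' and NUL, so the user name can only ever match as a literal value.
 2. check_provider() runs a few consistency checks over the provider settings.
    The checks and their wording are assumptions for this example.
"""

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, userid: str) -> str:
    """Replace $userid in the configured Filter with the escaped logon name."""
    if "$userid" not in template:
        raise ValueError("filter template must contain $userid")
    return template.replace("$userid", escape_filter_value(userid))


def dn_components(dn: str) -> list:
    """Split a DN into its RDNs, honouring backslash-escaped commas (RFC 4514)."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p.lower() for p in parts if p]


def dn_is_under(dn: str, base_dn: str) -> bool:
    """True when dn sits at or below base_dn in the directory tree."""
    dn_parts, base_parts = dn_components(dn), dn_components(base_dn)
    return len(dn_parts) >= len(base_parts) and dn_parts[-len(base_parts):] == base_parts


def check_provider(provider: dict) -> list:
    """Return a list of findings about the provider settings (empty when none)."""
    findings = []
    if not provider.get("ssl") and provider.get("port") == 389:
        findings.append("bind password and search results travel in cleartext on port 389 without SSL")
    if "$userid" not in provider.get("filter", ""):
        findings.append("filter does not contain $userid, so the logon name is never used in the search")
    if not dn_is_under(provider["bind_dn"], provider["base_dn"]):
        findings.append("bind DN is not under the base DN; check for a copy-and-paste mismatch")
    if provider.get("timeout", 0) <= 0:
        findings.append("timeout must be a positive number of seconds")
    return findings


# Constructed sample provider, mirroring the values used in this document.
SAMPLE_PROVIDER = {
    "hostname": "ad.sampledesign.com",   # assumption: hostname of the AD server
    "port": 389,
    "ssl": False,
    "bind_dn": "CN=ucsbind,OU=CiscoUsers,DC=sampledesign,DC=com",
    "base_dn": "DC=sampledesign,DC=com",
    "filter": "sAMAccountName=$userid",
    "timeout": 30,
}

if __name__ == "__main__":
    print(build_user_filter(SAMPLE_PROVIDER["filter"], "jdoe"))
    print(build_user_filter(SAMPLE_PROVIDER["filter"], "jdoe)(objectClass=*"))
    for finding in check_provider(SAMPLE_PROVIDER):
        print("finding:", finding)
```

Run against the sample values, the only finding is the cleartext one: with Enable SSL unchecked and port 389, the ucsbind password crosses the network in the clear on every logon, which is the reason to add LDAP over SSL once the plain configuration is known to work.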

Configuring the LDAP Group Rule

Procedure
    Step 1   On the LDAP Group Rule page of the wizard, complete the following fields:
    1. For the Group Authentication field, click the enable radio button.

        Enabling group authentication tells Cisco UCS Manager to use the target attribute (in this example, memberOf) to check whether the user being authenticated is a member of a group such as ucsaaa.

    2. For the Group Recursion field, click the recursive radio button.

        Setting group recursion to recursive allows the system to keep searching nested groups, level by level, until it finds a qualifying membership for the user. Setting group recursion to non-recursive limits Cisco UCS to a search of the first level only, even if that search does not locate a qualified user.

    3. In the Target Attribute field, accept the memberOf default.
    Step 2   Click Finish.

    Note
        In a real-world scenario you would most likely have multiple LDAP providers. For multiple LDAP providers, you would repeat the steps to configure the LDAP Group Rule for each LDAP provider, changing the order as warranted for your configuration. However, in this sample configuration there is only one LDAP provider, so this is not necessary.

    The IP address for the AD server appears in the Navigation pane under LDAP > LDAP Providers.

What to Do Next

Create an LDAP Provider Group.

Creating an LDAP Provider Group

Procedure
    Step 1   In the Navigation pane, right-click LDAP Provider Groups and select Create LDAP Provider Group.
    Step 2   In the Create LDAP Provider Group dialog box, do the following:
    1. In the Name field, enter a unique name for the group such as LDAP Providers.
    2. In the LDAP Providers table, choose the IP address for your AD server.
    3. Click the >> button to add the AD server to your Included Providers table.
    Step 3   Click OK.

    Your provider group appears in the LDAP Provider Groups folder.

What to Do Next

Configure LDAP Group Maps.

Creating an LDAP Group Map

Procedure
    Step 1   In the Navigation pane, click the Admin tab.
    Step 2   On the Admin tab, expand All > User Management > LDAP.
    Step 3   In the Work pane, click Create LDAP Group Map.
    Step 4   In the Create LDAP Group Map dialog box, complete the following:
    1. In the LDAP Group DN field, copy and paste the value you saved from the AD server configuration section for your LDAP group.

        The LDAP Group DN value requested in this step maps to the distinguished name of each of the groups you created in AD under UCS Groups. For this reason, the Group DN value entered in Cisco UCS Manager must match the Group DN value in the AD server exactly. In this sample configuration, this value is CN=ucsadmin,OU=CiscoUCS,DC=sampledesign,DC=com.

    2. In the Roles table, click the admin check box and click OK.

        Selecting the check box for a role assigns that role's privileges (here, admin) to all users who are included in the group map.

    Step 5   Create new LDAP group maps (using the information you recorded earlier from AD) for each of the remaining roles in the AD server that you want to test.

What to Do Next

Create your LDAP authentication domain.
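The group rule (recursive versus non-recursive search of memberOf) and the group maps (exact Group DN to roles) together decide which roles a logged-in LDAP user receives. The following Python models that decision so the two settings can be reasoned about side by side. It is an added example for this document, not Cisco UCS Manager code: the user names, the nested-group layout and the directory structure are constructed for the example, while the group and role DNs reuse the sample values above (ucsaaa, ucsadmin under OU=CiscoUCS, role admin).

```python
"""
Added example (not Cisco UCS Manager code): models the authorization decision
that the LDAP Group Rule and the LDAP Group Maps together produce.
"""

# Constructed directory: DN -> attributes.  Only the memberOf attribute matters.
DIRECTORY = {
    "CN=jdoe,OU=CiscoUsers,DC=sampledesign,DC=com": {
        "memberOf": ["CN=ucsaaa,OU=CiscoUCS,DC=sampledesign,DC=com"],
    },
    "CN=asmith,OU=CiscoUsers,DC=sampledesign,DC=com": {
        "memberOf": ["CN=ucsadmin,OU=CiscoUCS,DC=sampledesign,DC=com"],
    },
    # ucsaaa is nested inside ucsadmin, so jdoe is an admin only transitively.
    "CN=ucsaaa,OU=CiscoUCS,DC=sampledesign,DC=com": {
        "memberOf": ["CN=ucsadmin,OU=CiscoUCS,DC=sampledesign,DC=com"],
    },
    "CN=ucsadmin,OU=CiscoUCS,DC=sampledesign,DC=com": {"memberOf": []},
}

# LDAP Group Maps: group DN (must match the AD value exactly) -> roles granted.
GROUP_MAPS = {
    "CN=ucsadmin,OU=CiscoUCS,DC=sampledesign,DC=com": {"admin"},
}


def collect_groups(user_dn, directory, recursive, target_attribute="memberOf"):
    """Return the set of group DNs the user belongs to.

    Non-recursive: only the groups listed directly on the user's entry
    (first level).  Recursive: follow target_attribute from group to group,
    level by level, until no new groups appear.  The visited set stops the
    walk on cyclic nesting, which AD permits.
    """
    entry = directory.get(user_dn)
    if entry is None:
        return set()
    groups = set(entry.get(target_attribute, []))
    if not recursive:
        return groups
    visited, pending = set(), list(groups)
    while pending:
        group_dn = pending.pop()
        if group_dn in visited:
            continue
        visited.add(group_dn)
        for parent in directory.get(group_dn, {}).get(target_attribute, []):
            groups.add(parent)
            pending.append(parent)
    return groups


def resolve_roles(user_dn, directory, group_maps, recursive=True):
    """Union of the roles of every mapped group the user is (transitively) in."""
    roles = set()
    for group_dn in collect_groups(user_dn, directory, recursive):
        roles |= group_maps.get(group_dn, set())   # exact DN match, as in the GUI
    return roles


if __name__ == "__main__":
    for user in ("jdoe", "asmith"):
        dn = f"CN={user},OU=CiscoUsers,DC=sampledesign,DC=com"
        print(user,
              "recursive:", sorted(resolve_roles(dn, DIRECTORY, GROUP_MAPS, True)),
              "non-recursive:", sorted(resolve_roles(dn, DIRECTORY, GROUP_MAPS, False)))
```

With the recursive rule, jdoe receives admin through the ucsaaa nesting; with the non-recursive rule, only asmith (a direct member of ucsadmin) does. A group map whose DN differs from the AD value in any character, including case, matches nothing and grants no roles, which is the failure mode the exact-match requirement in Step 4 is warning about.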

Creating an LDAP Authentication Domain

Procedure
    Step 1   On the Admin tab, expand All > User Management > Authentication.
    Step 2   Right-click Authentication Domains and select Create a Domain.
    Step 3   In the Create a Domain dialog box, complete the following:
    1. In the Name field, type a name for your domain such as LDAP.
    2. In the Realm area, click the ldap radio button.
    3. From the Provider Group drop-down list, select the LDAP provider group previously created and click OK.

    The authentication domain appears under Authentication Domains.

What to Do Next

Test your LDAP configuration using the Cisco UCS Manager GUI.