Configuring the Active Directory Server

This chapter includes the following sections:

• Creating an Organizational Unit and Adding Groups

• Creating a Non-Admin Bind User Account

• Creating Users and Adding Them to the CiscoUCS OU

• Collecting Information for the UCS LDAP Configuration

Creating an Organizational Unit and Adding Groups

Organizational units (OUs) in the AD server contain the AD groups that map to user roles in Cisco UCS. Every group you create here must correspond to a role that exists in Cisco UCS, because the LDAP group maps in Cisco UCS Manager assign roles on the basis of the authenticating user's group membership.


Note


Maintaining a matching group-to-role correspondence in both AD and Cisco UCS is a requirement for the integration.
Procedure
    Step 1   Open Active Directory Users and Computers.
    Step 2   Right-click the AD instance, sampledesign.com, and select New > Organizational Unit.
    Step 3   For Name, type CiscoUCS.
    Step 4   Create a new group called ucsaaa and assign it to the newly created CiscoUCS OU:
    1. Right-click the new CiscoUCS OU and select New > Group.
    2. In the New Object - Group dialog box, type ucsaaa in the Group name field.
    3. In the Group scope area, click the Global radio button.
    4. In the Group type area, click the Security radio button and click OK.
    Step 5   Repeat Step 4 to create a group for each of the remaining roles:
    • ucsadmin

    • ucsnetwork

    • ucsoperation

    • ucsecurity

    • ucstorage


    What to Do Next

    Create a non-admin bind user and add it to the CiscoUCS OU.

    Creating a Non-Admin Bind User Account

    Cisco UCS binds to the AD server with the non-admin bind user account to look up, whenever a user authenticates, which AD groups that user belongs to; those group memberships are what the Cisco UCS LDAP group maps translate into roles.


    Note


    To prevent unnecessary authentication errors, we recommend that this account be set up with a non-expiring password. Because policy will then never rotate that password, make it long and random, keep it in a secret store, and give the account no rights beyond the default read access of a domain user, which is all the group lookup requires.


    If you already have a non-admin user account in the AD server that Cisco UCS can use to look up users, it is not necessary to create a new non-admin bind user account. You can skip this task and move on to creating sample users and adding them to the CiscoUCS OU.
    Procedure
      Step 1   Right-click the CiscoUCS OU and select New > User.
      Step 2   For First name, type ucs.
      Step 3   Leave the Initials field blank.
      Step 4   For Last name, type binduser, and for Full name, type ucsbind, so that the account's DN becomes CN=ucsbind,OU=CiscoUCS,DC=sampledesign,DC=com (the BindDN collected later).
      Step 5   For User logon name, type ucsbind, select the UPN suffix in the drop-down list, and click Next.
      Step 6   Set a long, randomly generated password, check Password never expires (see the note above), clear User must change password at next logon, click Next, and then click Finish.

      A user account called ucsbind appears in the CiscoUCS OU. Do not add it to any group; the default read access of a domain user is sufficient for the group lookup.

      What to Do Next

      Create sample users and add them to the CiscoUCS OU.

      Creating Users and Adding Them to the CiscoUCS OU

      Procedure
        Step 1   Right-click CiscoUCS and select New > User.
        Step 2   For First name, type sample.
        Step 3   For Last name, type admin.
        Step 4   For Full name, type sampleadmin.
        Step 5   For User logon name, type sampleadmin, select the UPN suffix from the drop-down list, and click Next.
        Step 6   In the work pane, right-click the sampleadmin user and click Properties.
        Step 7   Click the MemberOf tab, and click Add.
        Step 8   In the Enter the object names to select field of the Select Groups dialog box, type ucsadmin and click OK.
        Step 9   Click OK again to close the sampleadmin Properties dialog box.
        Step 10   (Optional) Repeat Steps 1 through 9 for each of the following users, adding each one to the role group with the matching name (sampleaaa to ucsaaa, samplenetwork to ucsnetwork, sampleoperation to ucsoperation, samplesecurity to ucsecurity, samplestorage to ucstorage):
        • sampleaaa

        • samplenetwork

        • sampleoperation

        • samplesecurity

        • samplestorage


        What to Do Next

        Collect information needed for the Cisco UCS LDAP configuration.

        Collecting Information for the UCS LDAP Configuration

        To configure LDAP authentication and group-based role authorization in Cisco UCS Manager, you need several values from the AD server. This example uses ADSI Edit (adsiedit.msc), the Microsoft MMC snap-in installed with the Active Directory Domain Services tools, to find the required values.

        Before You Begin

        Make sure ADSI Edit is available. It is installed on a domain controller together with the AD DS role, and on an administrative workstation with the Remote Server Administration Tools (RSAT) for AD DS.

        Procedure
          Step 1   Open ADSI Edit, connect to the Default naming context, and navigate to DC=sampledesign,DC=com.

          This node is the BaseDN.

          Step 2   To find the BaseDN values required by Cisco UCS Manager to configure LDAP authentication, complete the following steps:
          1. Right-click the DC=sampledesign,DC=com instance and choose Properties.
          2. On the Attribute Editor tab, select distinguishedName.
          3. In the String Attribute Editor dialog box, select and copy the string in the Value field.

            The BaseDN value follows the DC=sampledesign,DC=com format.

          4. Paste the BaseDN value string into a text file for later use.
          Step 3   To find the DN for each role that you have added to the CiscoUCS OU in AD, complete the following steps:
          1. Expand the CiscoUCS OU, right-click the CN=ucsadmin group, and choose Properties.
          2. On the Attribute Editor tab, select distinguishedName.
          3. In the String Attribute Editor dialog box, select and copy the string in the Value field.

            It should follow the CN=ucsadmin,OU=CiscoUCS,DC=sampledesign,DC=com format.

          4. Paste the DN value string into a text file for later use.
          5. Repeat these steps for each AD group in the CiscoUCS OU.
          Step 4   To find the BindDN for the non-admin bind user account, complete the following steps:
          1. Navigate to the user account named ucsbind.
          2. Right-click the ucsbind user account in the CiscoUCS OU and choose Properties.
          3. On the Attribute Editor tab, select distinguishedName.
          4. In the String Attribute Editor dialog box, select and copy the string in the Value field.

            The BindDN should follow the CN=ucsbind,OU=CiscoUCS,DC=sampledesign,DC=com format.

          5. Paste the BindDN value string into a text file for later use.
          Step 5   On the Attribute Editor tab of the ucsbind account, verify that the sAMAccountName attribute exists and has the value ucsbind. Cisco UCS Manager matches the name a user logs in with against this attribute (its default LDAP filter is sAMAccountName=$userid), so the attribute you configure in Cisco UCS Manager must be the one that carries the users' logon names.
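          The same values collected with PowerShell instead of ADSI Edit, followed by the check a practitioner wants before touching Cisco UCS Manager: a simple bind as ucsbind and the search Cisco UCS Manager performs for a login, run from the administrator's own host. This is an added example, not a script from the Cisco guide. It assumes the object names from this chapter, that the domain controller is reachable on TCP 389 (or 636 with -UseSsl), and that the ucsbind password is known to the person running it.

```powershell
# Added example, not part of the Cisco guide: collects BaseDN, BindDN and the group DNs
# with the ActiveDirectory module, then verifies them the way UCS Manager will use them:
# an LDAP simple bind as ucsbind and the default UCS filter sAMAccountName=$userid run
# against a sample user. Assumptions: object names from the guide, the DC reachable on
# 389 (or 636 with -UseSsl), the ucsbind password known to the operator.
param(
    [string] $UserId = 'sampleadmin',   # login name to test, as a UCS user would type it
    [switch] $UseSsl                     # LDAPS; match the SSL setting of the UCS LDAP provider
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Domain     = Get-ADDomain
$BaseDn     = $Domain.DistinguishedName                           # DC=sampledesign,DC=com
$OuDn       = "OU=CiscoUCS,$BaseDn"
$BindDn     = (Get-ADUser -Identity 'ucsbind').DistinguishedName  # CN=ucsbind,OU=CiscoUCS,DC=sampledesign,DC=com
$RoleGroups = Get-ADGroup -Filter * -SearchBase $OuDn -SearchScope OneLevel

# What gets typed into UCS Manager: the LDAP provider (BaseDN, BindDN, attribute, filter)
# and one LDAP group map per group DN.
[pscustomobject]@{
    BaseDN    = $BaseDn
    BindDN    = $BindDn
    Attribute = 'sAMAccountName'
    Filter    = 'sAMAccountName=$userid'
} | Format-List
$RoleGroups | Select-Object Name, DistinguishedName | Format-Table -AutoSize

# Verification 1: the BindDN and password really bind. AuthType Basic is an LDAP simple
# bind, which is what UCS Manager performs with the BindDN. Without SSL the password
# crosses the network in clear text, so test on 636 if UCS will be configured for SSL.
$cred = Get-Credential -UserName $BindDn -Message 'Password of the ucsbind account'
$port = if ($UseSsl) { 636 } else { 389 }
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $Domain.PDCEmulator, $port
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $id
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.SecureSocketLayer = [bool] $UseSsl
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Bind($cred.GetNetworkCredential())       # throws LdapException (result code 49) on a wrong DN or password
Write-Host "bind as $BindDn succeeded"

# Verification 2: the filter UCS Manager sends, with $userid substituted, must return exactly
# one entry under BaseDN, and its memberOf must contain a DN that has an LDAP group map.
$scope   = [System.DirectoryServices.Protocols.SearchScope]::Subtree
$attrs   = [string[]] @('distinguishedName', 'memberOf')
$request = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList $BaseDn, "(sAMAccountName=$UserId)", $scope, $attrs
$result  = $conn.SendRequest($request)
if ($result.Entries.Count -ne 1) {
    throw "filter returned $($result.Entries.Count) entries for '$UserId'; UCS needs exactly one"
}
$entry    = $result.Entries[0]
$memberOf = if ($entry.Attributes.Contains('memberOf')) { @($entry.Attributes['memberOf'].GetValues([string])) } else { @() }
$mapped   = $memberOf | Where-Object { $_ -in $RoleGroups.DistinguishedName }
Write-Host "$UserId -> $($entry.DistinguishedName)"
$memberOf | ForEach-Object { Write-Host "  memberOf: $_" }
if (-not $mapped) {
    Write-Warning "$UserId is a member of none of the CiscoUCS role groups; no LDAP group map can match this user"
}
$conn.Dispose()
```

          Run it once per sample user; a bind failure points at the BindDN or password, an empty or multiple result at the BaseDN or the filter attribute, and a warning at a missing group membership, which separates the three classes of LDAP misconfiguration before they show up as a generic login failure in Cisco UCS Manager.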

          What to Do Next

          Configure Cisco UCS using these values.

