Cisco VNMC supports two methods to authenticate user logins:
Local to Cisco VNMC
Remote through LDAP
The role and locale assignment for a local user can be changed on Cisco VNMC. The role and locale assignment for a remote user can be changed on LDAP. If any of the following information related to a user is modified, the administrator must delete all the existing sessions of that user so that the new privileges take effect:
the assigned role for a user
the assigned locale for a user
the privilege for a role that is assigned to a user
the organization in a locale that is assigned to a user
Remote Authentication Providers
If a system is configured for the supported remote authentication services, you must create a provider for that service to ensure that Cisco VNMC can communicate with it.
User Accounts in Remote Authentication Services
You can create user accounts in Cisco VNMC or in the remote authentication server.
The temporary sessions for users who log in through remote authentication services can be viewed through the Cisco VNMC GUI.
User Roles and Locales in Remote Authentication Services
If you create user accounts in the remote authentication server, you must ensure that the accounts include the roles and locales those users require for working in Cisco VNMC and that the names of those roles and locales match the names used in Cisco VNMC. If an account does not have the required roles and locales, the user is granted only read-only privileges.
LDAP Attribute for User
In Cisco VNMC, the LDAP attribute that holds the LDAP user
roles and locales are preset. This property is always a name-value pair. For example, by default CiscoAvPair specifies the role and
locale information for the user and if the filter is specified, the LDAP search is restricted to those values that match the defined filter. By default, the filter is sAMAccountName=$userid. The user can change these values to match the setting on the LDAP server. When a user logs in, Cisco VNMC checks for the value of
the attribute when it queries the remote authentication service and
validates the user. The value should be identical to the
An example of LDAP property settings is as follows:
Base DN—DC=cisco, DC=com (The specific location in the LDAP hierarchy where Cisco VNMC will start the query for the LDAP user.)
Creating an LDAP Provider
Before You Begin
Configure users with the attribute that holds the user role and locale information for Cisco VNMC. You can use an existing LDAP attribute that is mapped to the Cisco VNMC user roles and locales or create a custom attribute, such as the CiscoAVPair attribute, which has an attribute ID of 220.127.116.11.18.104.22.1687247.1. When you add the LDAP user to the LDAP server, specify the role and locale in the attribute (for example, shell:roles=network,aaa shell:locale=sanjose,dallas)
Configure the properties for the LDAP provider connections in Cisco VNMC.
Navigation pane, click the
Navigation pane, click the
Access Control subtab.
In the Navigation pane, select the LDAP node.
In the Work pane, click the Create LDAP Provider link.
In the Create LDAP Provider dialog box, complete the following fields :
Hostname/IP Address field
The hostname or IP address of the LDAP provider.
If SSL is enabled, this field must match a Common Name (CN) in the security certificate of the LDAP database.
If you use a hostname rather than an IP address, you must configure a DNS server in the Cisco VNMC server.
The password for the LDAP database account specified in the Root DN field.
The maximum is 32 characters.
Root DN field
The Distinguished Name (DN) for an LDAP database account that has read and search permissions for all objects under the base DN.
The maximum supported string length is 128 characters.
The port through which Cisco VNMC communicates with the LDAP database.
The standard port number is 389.
Enable SSL check box
The check box to enable SSL.
Depending upon the object you select in the table, different options will appear in the area above the table.
In the Work pane, click Save.
Following is an example of creating an LDAP provider: