For organizations that use LDAP groups to restrict access to LDAP databases, Cisco UCS domains can use group membership information to assign a role or locale to an LDAP user during login. This eliminates the need to define roles or locale information in the LDAP user object when Cisco UCS Central deploys.

Cisco UCS Central uses the LDAP group rule to determine LDAP groups when assigning user roles and locales to a remote user. When a user logs in, Cisco UCS Central retrieves information about the user's role and locale from the LDAP group map. If the role and locale criteria match, Cisco UCS Central provides access to the user.
The number of LDAP group maps you can define depends upon the version of Cisco UCS Manager.
You can nest LDAP group maps up to as many levels as the Windows Active Directory supports for Cisco UCS Central. When you assign a provider to a nested group, even if the provider is a member of a different LDAP group, it becomes an authenticated member of the parent nested group. During authentication, Cisco UCS Central tries all of the providers within a provider group in order. If Cisco UCS Central cannot reach any of the configured servers, it automatically falls back to the local authentication method using the local username and password.
Role and locale definitions are configured locally in Cisco UCS Central and do not update automatically based on changes to an LDAP directory. If you delete or rename LDAP groups in the LDAP directory, make sure to update the changes in Cisco UCS Central.
You can configure an LDAP group map to include any of the following combinations of roles and locales:

- Roles and locales
For example, if you want to configure authentication for an LDAP group representing a group of server administrators at a specific location, you can include user roles such as server-profile and server-equipment in the LDAP group map. If you want to restrict access to server administrators at a specific location, you can specify locales with specific site names.
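As an added illustration (not Cisco's code), the following Python model shows how a group map resolves a user's roles and locales through nested group membership, and why a group renamed in the directory yields no roles until the locally configured map is updated. The directory, group DNs, and the nesting bound are constructed assumptions.

```python
from collections import deque

# Constructed sample directory: group DN -> member DNs (users or other groups).
# "site-sj-admins" is nested inside "server-admins".
DIRECTORY = {
    "cn=server-admins,ou=groups,dc=example,dc=com": {
        "cn=site-sj-admins,ou=groups,dc=example,dc=com",
        "uid=alice,ou=people,dc=example,dc=com",
    },
    "cn=site-sj-admins,ou=groups,dc=example,dc=com": {
        "uid=bob,ou=people,dc=example,dc=com",
    },
}

# Constructed LDAP group map, configured locally: group DN -> (roles, locales).
GROUP_MAP = {
    "cn=server-admins,ou=groups,dc=example,dc=com": (
        {"server-profile", "server-equipment"}, set()),
    "cn=site-sj-admins,ou=groups,dc=example,dc=com": (set(), {"san-jose"}),
}

MAX_NESTING = 32  # assumed bound on how many nesting levels are walked


def effective_groups(user_dn, directory, max_depth=MAX_NESTING):
    """Return every group the user belongs to, directly or via nested groups."""
    member_of = {}
    for group, members in directory.items():
        for member in members:
            member_of.setdefault(member, set()).add(group)
    seen = set()
    queue = deque((g, 1) for g in member_of.get(user_dn, ()))
    while queue:  # breadth-first walk up the parent chain; cycles are skipped
        group, depth = queue.popleft()
        if group in seen or depth > max_depth:
            continue
        seen.add(group)
        queue.extend((parent, depth + 1) for parent in member_of.get(group, ()))
    return seen


def resolve(user_dn, directory, group_map):
    """Union the roles and locales of all mapped groups the user is in."""
    roles, locales = set(), set()
    for group in effective_groups(user_dn, directory):
        if group in group_map:  # a renamed/deleted group no longer matches
            group_roles, group_locales = group_map[group]
            roles |= group_roles
            locales |= group_locales
    return roles, locales
```

An empty role set means the group map granted nothing, which is exactly what happens when the directory group was renamed but the map still carries the old name.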
Cisco UCS Central includes many out-of-the-box user roles but does not include any locales. You must create a custom locale to map an LDAP provider group to a