LDAP group mapping eliminates the requirement to define role or locale information in the LDAP user object. For organizations that use LDAP groups to restrict access to LDAP databases, Cisco UCS Manager can use group membership information to assign a role or locale to an LDAP user during login.
When a user logs in to the Cisco UCS Manager, the LDAP group map pulls information about the user’s role and locale. If the role and locale criteria match the information in the policy, access is granted. The Cisco UCS Manager supports a maximum of 28, 128, or 160 LDAP group maps depending on the release version.
Note
Cisco UCS Manager Release 3.1(1) supports a maximum of 128 LDAP group maps, and Release 3.1(2) and later support a maximum of 160 LDAP group maps.
The role and locale definitions that you configure locally in the Cisco UCS Manager do not update automatically based on changes to an LDAP directory. When deleting or renaming LDAP groups in an LDAP directory, you must also update the Cisco UCS Manager with the change.
You can configure an LDAP group map to include any of the following combinations of roles and locales:
Roles only
Locales only
Both roles and locales
For example, consider an LDAP group representing a group of server administrators at a specific location. The LDAP group map might include user roles such as server profile and server equipment. To restrict access to server administrators at a specific location, you can set the locale to a particular site name. The following scenario shows how to create and delete the LDAP group map.
Note
The Cisco UCS Manager includes out-of-the-box user roles but does not include any locales. Mapping an LDAP provider group to a locale requires that you create a custom locale.
This example shows step by step how to create and delete LDAP group maps. Before adding an LDAP group map, you need to configure the LDAP server. The LDAP server configuration requirements are as follows:
Create an LDAP group in the LDAP server.
Configure the distinguished name for the LDAP group in the LDAP server.
Create locales in the Cisco UCS Manager (optional).
Create custom roles in the Cisco UCS Manager (optional).
After configuring the LDAP server, follow these steps to create an LDAP group mapping:
Step 1. In the Navigation pane, click Admin.
Step 2. Expand All > User Management > LDAP.
Step 3. Right-click LDAP Group Maps and choose Create LDAP Group Map.
Step 4. In the Create LDAP Group Map dialog box, specify all LDAP group map information as appropriate.
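The same group map built from the Cisco UCS Manager CLI, as an added example that is not part of the original page: it maps one LDAP group to the built-in server-profile and server-equipment roles plus a site locale (the server-administrators-at-one-location scenario above), then shows the matching delete. The hostname UCS-A, the group DN CN=SiteA-ServerAdmins,OU=Groups,DC=example,DC=com and the locale name site-a are assumed values; the locale must already have been created in Cisco UCS Manager, and the DN must be the one configured for the group on the LDAP server, since a map whose DN does not match the group returned for the user at login grants nothing.

```text
UCS-A# scope security
UCS-A /security # scope ldap
UCS-A /security/ldap # create ldap-group "CN=SiteA-ServerAdmins,OU=Groups,DC=example,DC=com"
UCS-A /security/ldap/ldap-group* # create role server-profile
UCS-A /security/ldap/ldap-group/role* # exit
UCS-A /security/ldap/ldap-group* # create role server-equipment
UCS-A /security/ldap/ldap-group/role* # exit
UCS-A /security/ldap/ldap-group* # create locale site-a
UCS-A /security/ldap/ldap-group/locale* # commit-buffer
UCS-A /security/ldap/ldap-group/locale # exit
UCS-A /security/ldap/ldap-group # exit
UCS-A /security/ldap # show ldap-group
UCS-A /security/ldap # delete ldap-group "CN=SiteA-ServerAdmins,OU=Groups,DC=example,DC=com"
UCS-A /security/ldap* # commit-buffer
```

Run show ldap-group after the first commit-buffer to confirm the roles and locale attached to the DN before relying on the map; after the group is renamed or removed in the directory, the delete and a fresh create are the manual update the note above calls for.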