08-30-2016 06:41 AM
I am encountering a strange LDAP authentication failure, which I am hoping someone can help me with. ;c) I have a number of Fabrics running 6520s and 5300s, all on FOS 7.2.1d. A couple of weeks ago, I noticed that my LDAP account was failing to authorize on five or six single switches out of approx. 38. Previously they were working well. After some diagnosis I discovered that these switches, with two LDAP servers configured, were refusing the connection. When I remove either, then access is regained!! Changing the time-out value appears to have no effect.
Speaking to the Wintel and Network teams, they say nothing has changed! Has anyone experienced anything similar??
08-31-2016 12:18 AM
Before you lost switch access, were no changes made on the IP network, on the switches (FOS upgrade or configuration change), or on the LDAP servers?
Is the second LDAP server still alive and working?
Do both LDAP servers, when configured singly on the switch, allow access?
08-31-2016 04:40 AM
Thanks for the help with this. ;c) It is really strange. Nothing was changed on the switches, FOS or similar, and I am told nothing was changed on the Network, or with regard to the LDAP servers. Yes, both LDAP servers work when they are singly activated, and bizarrely on most of the switches both work OK. It just seems to be about five switches. I am currently going through the entire config to see if there are any differences, but so far I can see nothing.
Do you know if there is a log anywhere which details why the authentication has failed?? I can find nothing in the err log.
08-31-2016 11:45 PM
Basic LDAP logs are on the switch. LDAP server logs may also help to check for any anomalies.
External tools such as Wireshark exist, but because the exchange between the Brocade product and the LDAP server occurs over an encrypted session, analysis is limited.
09-01-2016 05:05 PM
I don't know a lot about the Wintel side, but I've never heard anything good about LDAP and Wintel AD. Go back to your Wintel AD guys and ask if they had a 'security' patch release installed. It probably changed one of the LDAP APIs and crapped up the directory access. AD was Wintel's attempt to corner the market on security authentication. Sigh...
Best of luck.