VPLEX: MMCS/Management-Server shows wrong user after successful LDAP login
Summary: The purpose of this article is to address Lightweight Directory Access Protocol (LDAP) login issues to the UNIX/Linux shell on an MMCS (VS6) or Management-Server (VS2). Upon successful LDAP login, the shown user is different than the user whose credentials were entered. ...
Symptoms
Management-Server or MMCS shows wrong user after successful LDAP login.
Assumptions:
- End user is using Windows Server 2008 / 2012 / 2016 Active Directory (AD) for LDAP authentication.
- End user already has a working LDAP configuration where Active Directory user accounts can authenticate using LDAP to log in to the VPLEX.
- Management-Server/MMCS settings have provided 'vplexuser' role-based access type account with shell access. Typically, LDAP users for VPLEX access have the default role 'vplexuser' assigned.
Note: This information is covered in more detail in the "VPLEX GeoSynchrony [version] Administration Guide", which explains how to enable shell access for the role vplexuser under the section "Managing User Accounts", subsection "View or modify user account details". The "VPLEX Security Configuration Guide" provides more information about assigning roles and permissions using role-based access.
Example:
Keyboard-interactive authentication prompts from server:
Password:
jane.doe@ManagementServer:~> whoami
jane.doe
Note: In the example above the end user attempts to log in to the VPLEX using AD user "john.smith". However, upon successful login, the user account is switched to "jane.doe" which is not the expected behavior. The expected output should have listed "john.smith" instead of "jane.doe".
Cause
One or more Active Directory (AD) user accounts carry duplicate (non-unique) values for the object attribute "uidNumber". When the Management-Server/MMCS resolves the numeric uid of the logged-in session back to an account name, the lookup returns the first AD account that carries that uidNumber, so the session appears to belong to that account rather than the one whose credentials were entered.
Resolution
Ensure that the AD user accounts have a unique value set for uidNumber and gidNumber such that any other AD user account on the domain does not have the same uidNumber or gidNumber.
A user's uidNumber and gidNumber may hold the same numeric ID; because the ID is stored in two different attributes, this does not create a conflict on the AD user account. The conflict arises only when two different AD accounts share the same uidNumber (or the same gidNumber).
Additional Information
The UNIX/Linux command 'ldapsearch' can be useful for troubleshooting AD user account attributes to determine what values are being presented for the object attributes uidNumber and gidNumber so that duplicate values can be checked for and corrected as needed.
Usage: ldapsearch -x -LLL -h <IP Address of LDAP Server> -b "<Base DN>" -D "<Bind DN>" -W "(cn=User Name)" uidNumber gidNumber
Unsuccessful LDAP Login
LDAP authentication to the VPLEX with the existing AD account "john.smith" succeeds, but after login the shell shows a different user, "jane.doe". Example: see the session shown under Symptoms above.
Successful LDAP Login
LDAP authentication to the VPLEX with the existing AD account "johnny.appleseed" succeeds and displays the correct user after login.
Example:
login as: johnny.appleseed
Using keyboard-interactive authentication.
Password:
johnny.appleseed@ManagementServer:~> whoami
johnny.appleseed
Running ldapsearch
Running ldapsearch on the existing AD account "john.smith" shows that uidNumber and gidNumber are both set to 10000.
Example:
service@ManagementServer:~> ldapsearch -x -LLL -h 192.168.100.200 -b "DC=vplexlab,DC=com" -D "CN=VPLEX Bind,OU=VPLEXLAB Accounts,DC=vplexlab,DC=com" -W "(cn=John Smith)" uidNumber gidNumber
Enter LDAP Password:
dn: CN=John Smith,OU=Users,OU=VPLEXLAB Accounts,DC=vplexlab,DC=com
uidNumber: 10000
gidNumber: 10000
service@ManagementServer:~>
Running ldapsearch on the existing AD account "jane.doe" shows that uidNumber and gidNumber are also both set to 10000, which duplicates the uidNumber and gidNumber values already used by the AD account "john.smith".
Example:
service@ManagementServer:~> ldapsearch -x -LLL -h 192.168.100.200 -b "DC=vplexlab,DC=com" -D "CN=VPLEX Bind,OU=VPLEXLAB Accounts,DC=vplexlab,DC=com" -W "(cn=Jane Doe)" uidNumber gidNumber
Enter LDAP Password:
dn: CN=Jane Doe,OU=Users,OU=VPLEXLAB Accounts,DC=vplexlab,DC=com
uidNumber: 10000
gidNumber: 10000
service@ManagementServer:~>
Running ldapsearch on the existing AD account "johnny.appleseed" shows that uidNumber and gidNumber are both set to 10025, which is unique with respect to the AD accounts "john.smith" and "jane.doe" and to all other AD accounts.
Example:
service@ManagementServer:~> ldapsearch -x -LLL -h 192.168.100.200 -b "DC=vplexlab,DC=com" -D "CN=VPLEX Bind,OU=VPLEXLAB Accounts,DC=vplexlab,DC=com" -W "(cn=Johnny Appleseed)" uidNumber gidNumber
Enter LDAP Password:
dn: CN=Johnny Appleseed,OU=Users,OU=VPLEXLAB Accounts,DC=vplexlab,DC=com
uidNumber: 10025
gidNumber: 10025
service@ManagementServer:~>
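Checking accounts one at a time with ldapsearch does not scale to a whole domain. The following added example (not part of this article or of the VPLEX product) parses the LDIF that ldapsearch -LLL prints for a broader query such as "(uidNumber=*)" uidNumber gidNumber, reports every uidNumber or gidNumber shared by more than one entry, and models the first-match uid lookup the article describes as the cause. The sample LDIF is constructed from the article's three accounts; the entry order is an assumption.

```python
from collections import defaultdict

# Constructed sample of "ldapsearch -x -LLL ... '(uidNumber=*)' uidNumber gidNumber" output (order assumed).
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Users,OU=VPLEXLAB Accounts,DC=vplexlab,DC=com
uidNumber: 10000
gidNumber: 10000

dn: CN=John Smith,OU=Users,OU=VPLEXLAB Accounts,DC=vplexlab,DC=com
uidNumber: 10000
gidNumber: 10000

dn: CN=Johnny Appleseed,OU=Users,OU=VPLEXLAB Accounts,DC=vplexlab,DC=com
uidNumber: 10025
gidNumber: 10025
"""

def parse_ldif(text):
    """Split -LLL LDIF output into one {attribute: value} dict per entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():            # a blank line terminates the entry
            if current:
                entries.append(current)
            current = {}
            continue
        if line[0] in " #":             # folded continuation lines and comments
            continue
        attr, sep, value = line.partition(": ")
        if sep and not attr.endswith(":"):   # skip "attr:: <base64>" values
            current[attr] = value.strip()
    if current:
        entries.append(current)
    return entries

def find_duplicates(entries, attr):
    """Return {value: [dn, ...]} for every attr value carried by more than one entry."""
    owners = defaultdict(list)
    for entry in entries:
        if attr in entry:
            owners[entry[attr]].append(entry["dn"])
    return {value: dns for value, dns in owners.items() if len(dns) > 1}

def resolve_uid(entries, uid_number):
    """First entry carrying the uid wins, as in the uid-to-name lookup behind 'whoami'."""
    for entry in entries:
        if entry.get("uidNumber") == uid_number:
            return entry["dn"]
    return None
```

Run it as `ldapsearch ... | python3 -c 'import sys, find_dup_ids as f; ...'` or call the functions from a shell on the management station; every value that find_duplicates reports must be made unique in AD before the symptom clears.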
See the following external Oracle article for more information regarding an LDAP overview:
See the following external article for more information regarding UNIX user object attributes for uidNumber and gidNumber:
See the following external article for more information and examples of usage regarding the Linux/UNIX command ldapsearch:
See the following external MS article for more information regarding Active Directory Schema:
See the following external article for more information about how to create Active Directory user accounts: