Cisco Expressway Maintenance Manual
Field / Description / Usage tips

Bind DN
  Description: The distinguished name (case insensitive) used by the Expressway when binding to the LDAP server. It is important to specify the DN in the order cn=, then ou=, then dc=.
  Usage tips: Any special characters within a name must be escaped with a backslash as per the LDAP standard (RFC 4514). Do not escape the separator character between names. The bind account is usually a read-only account with no special privileges.

Bind password
  Description: The password (case sensitive) used by the Expressway when binding to the LDAP server.
  Usage tips: The maximum plaintext length is 60 characters, which is then encrypted.

SASL
  Description: The SASL (Simple Authentication and Security Layer) mechanism to use when binding to the LDAP server. None: no mechanism is used. DIGEST-MD5: the DIGEST-MD5 mechanism is used. The default is DIGEST-MD5.
  Usage tips: Enable Simple Authentication and Security Layer if it is company policy to do so.

Bind username
  Description: Username of the account that the Expressway will use to log in to the LDAP server (case sensitive). Only required if SASL is enabled.
  Usage tips: Configure this to be the sAMAccountName; Security Access Manager Account Name (in AD this is the account's user logon name).

Directory configuration: this section specifies the base distinguished names to use when searching for account and group names.

Base DN for accounts
  Description: The ou= and dc= definition of the Distinguished Name where a search for user accounts should start in the database structure (case insensitive). It is important to specify the DN in the order ou=, then dc=.
  Usage tips: The Base DN for accounts and groups must be at or below the dc level (include all dc= values and ou= values if necessary). LDAP authentication does not look into sub dc accounts, only lower ou= and cn= levels.

Base DN for groups
  Description: The ou= and dc= definition of the Distinguished Name where a search for groups should start in the database structure (case insensitive). It is important to specify the DN in the order ou=, then dc=.
  Usage tips: If no Base DN for groups is specified, then the Base DN for accounts will be used for both groups and accounts.
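To make the escaping and ordering rules for the Bind DN and Base DN fields concrete, here is an added Python example (not from the guide or from Cisco) that escapes attribute values per RFC 4514, assembles a DN in the required cn=, ou=, dc= order, and checks that a given DN keeps that order. The function names and the sample DNs are assumptions.

```python
import re
from typing import List, Optional

# Added example, not Cisco code. Characters that RFC 4514 section 2.4 requires to be
# escaped anywhere inside an attribute value; leading '#'/space and trailing space
# are handled separately in escape_rdn_value().
_SPECIAL = set('"+,;<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value (e.g. the cn of the bind account) per RFC 4514.
    Only the value is escaped: the '=' and ',' separators are added unescaped by
    the caller, matching the guide's rule not to escape separators between names."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")              # NUL is written as its hex pair
        elif ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")               # leading or trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")               # leading hash
        else:
            out.append(ch)
    return "".join(out)


def build_dn(cn: Optional[str], ous: List[str], dcs: List[str]) -> str:
    """Assemble a DN in the order the guide requires: cn=, then ou=, then dc=.
    Pass cn=None to build a Base DN, which consists only of ou= and dc= parts."""
    parts = [] if cn is None else ["cn=" + escape_rdn_value(cn)]
    parts += ["ou=" + escape_rdn_value(ou) for ou in ous]
    parts += ["dc=" + escape_rdn_value(dc) for dc in dcs]
    return ",".join(parts)


# Split only on separators that are not themselves escaped.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def check_dn_order(dn: str, base_dn: bool = False) -> bool:
    """Return True if every RDN type is allowed and they appear in the required
    order (cn, ou, dc; for a Base DN only ou, dc) with at least one dc= present."""
    allowed = ["ou", "dc"] if base_dn else ["cn", "ou", "dc"]
    types = [rdn.split("=", 1)[0].strip().lower() for rdn in _RDN_SPLIT.split(dn)]
    if "dc" not in types or any(t not in allowed for t in types):
        return False
    ranks = [allowed.index(t) for t in types]
    return ranks == sorted(ranks)
```

Run check_dn_order() on the value you intend to paste into the Bind DN field (or with base_dn=True on a Base DN) before saving the configuration, so an out-of-order or mistyped DN is caught locally rather than as a failed bind.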
Checking the LDAP Server Connection Status
The status of the connection to the LDAP server is displayed at the bottom of the page.

State = Active: No error messages are displayed.

State = Failed: The following error messages may be displayed:

Error message / Reason / resolution
DNS unable to do reverse lookup: Reverse DNS lookup is required for SASL authentication.
Cisco Expressway Administrator Guide