Cisco Cisco Web Security Appliance S670 User Guide
AsyncOS 9.1 for Cisco Web Security Appliances User Guide
Chapter 5 Acquire End-User Credentials
Authentication Realms
Step 6
(Optional) Enable Group Authorization via group object or user object and complete the settings for the chosen option accordingly:
Group Object Setting: Group Membership Attribute Within Group Object
Description: Choose the LDAP attribute which lists all users that belong to this group. Choose one of the following values:
• member and uniquemember. Unique identifiers in the LDAP directory that specify group members.
• custom. A custom identifier such as UserInGroup.

Group Object Setting: Attribute that Contains the Group Name
Description: Choose the LDAP attribute which specifies the group name that can be used in the policy group configuration. Choose one of the following values:
• cn. A unique identifier in the LDAP directory that specifies the name of a group.
• custom. A custom identifier such as FinanceGroup.

Group Object Setting: Query String to Determine if Object is a Group
Description: Choose an LDAP search filter that determines if an LDAP object represents a user group. Choose one of the following values:
• objectclass=groupofnames
• objectclass=groupofuniquenames
• objectclass=group
• custom. A custom filter such as objectclass=person.
Note: The query defines the set of authentication groups which can be used in policy groups.

User Object Setting: Group Membership Attribute Within User Object
Description: Choose the attribute which lists all the groups that this user belongs to. Choose one of the following values:
• memberOf. Unique identifiers in the LDAP directory that specify user members.
• custom. A custom identifier such as UserInGroup.

User Object Setting: Group Membership Attribute is a DN
Description: Specify whether the group membership attribute is a distinguished name (DN) which refers to an LDAP object. For Active Directory servers, enable this option.
When this is enabled, you must configure the subsequent settings.
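
The two lookup models in the tables above, as an added example that is not from the Cisco guide and does not show how the appliance implements them. It resolves a user's groups once via group objects and once via the user object over a constructed in-memory directory, showing that the chosen filter and attribute decide which group names reach policy. All DNs, helper names, the simplified DN comparison and the deliberately incomplete memberOf data are assumptions.

```python
# Constructed sample directory (not from the guide): DN -> attributes.
BASE = "dc=example,dc=com"
ALICE, BOB = f"uid=alice,ou=people,{BASE}", f"uid=bob,ou=people,{BASE}"
FINANCE, ENG = f"cn=Finance,ou=groups,{BASE}", f"cn=Engineering,ou=groups,{BASE}"
DIRECTORY = {
    FINANCE: {"objectclass": ["groupofnames"], "cn": ["Finance"], "member": [ALICE]},
    ENG: {"objectclass": ["groupofuniquenames"], "cn": ["Engineering"],
          "uniquemember": [ALICE, BOB]},
    # memberOf is deliberately incomplete here: Engineering is not listed.
    ALICE: {"objectclass": ["person"], "memberOf": [FINANCE]},
    BOB: {"objectclass": ["person"]},
}

def _values(entry, attr):
    """Return an attribute's values; LDAP attribute names are case-insensitive."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])

def _norm(dn):
    """Simplified DN normalisation (assumption): lower-case, trim RDN spacing."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def groups_via_group_object(user_dn, member_attr, name_attr, group_filter):
    """Group object mode: find group objects whose member list names the user."""
    attr, _, wanted = group_filter.partition("=")
    names = []
    for entry in DIRECTORY.values():
        if wanted.lower() not in [v.lower() for v in _values(entry, attr)]:
            continue  # object does not match the "is a group" query
        if _norm(user_dn) in [_norm(m) for m in _values(entry, member_attr)]:
            names.extend(_values(entry, name_attr))
    return sorted(names)

def groups_via_user_object(user_dn, membership_attr, name_attr, is_dn):
    """User object mode: read the membership attribute on the user's own entry."""
    by_dn = {_norm(dn): entry for dn, entry in DIRECTORY.items()}
    names = []
    for value in _values(by_dn[_norm(user_dn)], membership_attr):
        if not is_dn:
            names.append(value)  # value is used as the group name as-is
        elif _norm(value) in by_dn:  # dangling DNs contribute nothing
            names.extend(_values(by_dn[_norm(value)], name_attr))
    return sorted(names)

if __name__ == "__main__":
    print(groups_via_group_object(ALICE, "member", "cn", "objectclass=groupofnames"))
    print(groups_via_user_object(ALICE, "memberOf", "cn", is_dn=True))
```

With the DN option off, the same memberOf value is returned as the full DN string rather than the cn, so a policy group written against the short name would not match it.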