Cisco Web Security Appliance S670 User Guide
AsyncOS 9.1 for Cisco Web Security Appliances User Guide
Chapter 5 Acquire End-User Credentials
Authentication Realms
Step 7 (Optional) Configure external LDAP authentication for users:
a. Select External Authentication Queries.
b. Identify the user accounts (User Object Settings, below).
c. (Optional) Deny login to expired accounts, based on the RFC 2307 account expiration LDAP attributes.
d. Provide a query to retrieve group information for users (Group Object Settings, below).
If a user belongs to multiple LDAP groups with different user roles, AsyncOS grants the user
the permissions of the most restrictive role.
Attribute that Contains the Group Name
    When the group membership attribute is a DN, this specifies the attribute that is used
    as the group name in policy group configurations. Choose one of the following values:
    • cn. A unique identifier in the LDAP directory that specifies the name of a group.
    • custom. A custom identifier such as FinanceGroup.

Query String to Determine if Object is a Group
    Choose an LDAP search filter that determines whether an LDAP object represents a user
    group. Choose one of the following values:
    • objectclass=groupofnames
    • objectclass=groupofuniquenames
    • objectclass=group
    • custom. A custom filter such as objectclass=person.
    Note: This query defines the set of authentication groups that can be used in
    Web Security Manager policies.
User Object Setting            Description
Base DN                        The Base DN that locates the point in the LDAP directory tree
                               where the search begins.
Query String                   The query that returns the authenticating user's object; {u}
                               is replaced with the login name at query time. For example:
                               (&(objectClass=posixAccount)(uid={u}))
                               or
                               (&(objectClass=user)(sAMAccountName={u}))
Attribute containing the       The LDAP attribute, for example, displayName or gecos.
user's full name

Example values (posixAccount directory):
Base DN                        The base DN of the subtree that contains the user entries.
Query String                   (&(objectClass=posixAccount)(uid={u}))
Attribute containing the       gecos
user's full name
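As an added worked example (this is not Cisco's code and does not reproduce AsyncOS internals), the Python below shows the lookups the two tables above describe, run against directory entries constructed inline: substituting the login name for {u} with RFC 4515 escaping, so a crafted user name such as `*)(uid=*` cannot change the structure of the filter the appliance sends; applying the "is a group" objectclass filter to the objects named in a DN-valued membership attribute; taking the cn of each group DN as the policy group name; and the expiry check behind step 7c. Using the RFC 2307 shadowExpire attribute for that check, the lower-cased attribute keys, and the example DNs and values are all assumptions made for the example.

```python
"""Added example (not Cisco code): the LDAP lookups behind the AsyncOS user and
group object settings, evaluated against constructed entries so it runs offline."""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# RFC 4515 escapes for assertion values. A raw "*" or ")" in a login name would
# otherwise alter the filter built from the Query String template.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it is matched literally inside a filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_query(template: str, username: str) -> str:
    """Substitute the login name for {u} in a User Object query string."""
    return template.replace("{u}", escape_filter_value(username))


def split_rdns(dn: str) -> List[str]:
    """Split a DN on commas that are not escaped with a backslash."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def cn_from_dn(dn: str) -> Optional[str]:
    """Return the cn of the leading RDN (the 'cn' group-name choice), else None."""
    attr, _, value = split_rdns(dn)[0].partition("=")
    return value if attr.strip().lower() == "cn" else None


def matches_equality_filter(entry: Entry, flt: str) -> bool:
    """Evaluate a single (attr=value) filter such as objectclass=groupofnames.

    Attribute names and objectClass values are compared case-insensitively,
    as LDAP does for these attributes.
    """
    body = flt.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    attr, _, value = body.partition("=")
    present = entry.get(attr.strip().lower(), [])
    return value.strip().lower() in (v.lower() for v in present)


def account_expired(entry: Entry, today_days: int) -> bool:
    """RFC 2307 shadowExpire holds the expiry as days since 1970-01-01.

    Absent or negative means the account never expires. That AsyncOS keys
    step 7c on this exact attribute is an assumption of this example.
    """
    raw = entry.get("shadowexpire", [])
    if not raw:
        return False
    expire = int(raw[0])
    return 0 <= expire <= today_days


def group_names_for_user(directory: Dict[str, Entry], user_dn: str,
                         group_filter: str = "(objectclass=groupofnames)",
                         membership_attr: str = "memberof") -> List[str]:
    """Resolve a DN-valued membership attribute to policy group names.

    A referenced object is kept only if it satisfies the 'is a group' filter;
    its cn is then the name usable in policy group configuration.
    """
    names = []
    for group_dn in directory[user_dn].get(membership_attr, []):
        target = directory.get(group_dn)
        if target is not None and matches_equality_filter(target, group_filter):
            names.append(cn_from_dn(group_dn))
    return names


# Constructed sample entries (attribute names lower-cased); not a real directory.
SAMPLE_DIRECTORY: Dict[str, Entry] = {
    "cn=alice,ou=people,dc=example,dc=com": {
        "objectclass": ["person", "posixAccount"],
        "uid": ["alice"],
        "gecos": ["Alice Example"],
        "shadowexpire": ["19000"],
        "memberof": [
            "cn=FinanceGroup,ou=groups,dc=example,dc=com",
            "cn=printers,ou=devices,dc=example,dc=com",
        ],
    },
    "cn=FinanceGroup,ou=groups,dc=example,dc=com": {
        "objectclass": ["top", "groupOfNames"],
        "member": ["cn=alice,ou=people,dc=example,dc=com"],
    },
    "cn=printers,ou=devices,dc=example,dc=com": {
        "objectclass": ["top", "device"],  # referenced by memberOf, but not a group
    },
}

if __name__ == "__main__":
    template = "(&(objectClass=posixAccount)(uid={u}))"
    print(build_user_query(template, "alice"))
    print(build_user_query(template, "*)(uid=*"))  # escaped, stays a single uid match
    print(group_names_for_user(SAMPLE_DIRECTORY, "cn=alice,ou=people,dc=example,dc=com"))
```

The second query in the usage section is the case worth checking in any custom Query String: without escaping, the login name would close the uid assertion and add a wildcard, so the filter would match every account instead of one. The group resolution deliberately drops the printers object even though it appears in memberOf, which is exactly what the "Query String to Determine if Object is a Group" setting controls.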