Cisco Content Security Management Appliance M1070 User Guide
11-16
AsyncOS 8.3.6 for Cisco Content Security Management User Guide
Chapter 11 Integrating with LDAP
Configuring External Authentication of Administrative Users Using LDAP
AsyncOS also uses a query to determine if a user is a member of a directory group and a separate query
to find all members of a group. Membership in a directory group determines the user's permissions
within the system. When you enable external authentication on the Management Appliance > System
Administration > Users page in the GUI (or userconfig in the CLI), you assign user roles to the groups
in your LDAP directory. User roles determine the permissions that users have in the system, and for
externally authenticated users, the roles are assigned to directory groups instead of individual users.
For example, you can assign users in the IT directory group the Administrator role and users in the
Support directory group the Help Desk User role.
If a user belongs to multiple LDAP groups with different user roles, AsyncOS grants the user the
permissions for the most restrictive role. For example, if a user belongs to a group with Operator
permissions and a group with Help Desk User permissions, AsyncOS grants the user the permissions for
the Help Desk User role.
When you configure the LDAP profile to query for group membership, enter the base DN for the
directory level where group records can be found, the attribute that holds the group member's user name,
and the attribute that contains the group name. Based on the server type that you select for your LDAP
server profile, AsyncOS enters default values for the user name and group name attributes, as well as
default query strings.
Note
For Active Directory servers, the default query string to determine if a user is a member of a group is
(&(objectClass=group)(member={u})). However, if your LDAP schema uses distinguished names in the
"memberof" list instead of user names, you can use {dn} instead of {u}.
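The placeholder substitution and the most-restrictive-role rule described above, as an added example that is not AsyncOS code and not from this guide. It assumes a restrictiveness ranking of Help Desk User, then Operator, then Administrator (only the roles named in this section) and escapes substituted values per RFC 4515 so that a user name or DN containing filter metacharacters is matched literally rather than altering the query; the group-to-role mapping is constructed sample data.

```python
from typing import Dict, List, Optional

# Default AsyncOS query strings for Active Directory, as given in the guide.
AD_MEMBER_QUERY = "(&(objectClass=group)(member={u}))"
AD_GROUP_QUERY = "(&(objectClass=group)(cn={g}))"

# Assumed restrictiveness ranking of the roles named in this section
# (lower rank = more restrictive); the ordering is not stated in the guide.
ROLE_RANK = {"Help Desk User": 0, "Operator": 1, "Administrator": 2}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so that metacharacters in a
    user name or DN are matched literally instead of changing the filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def expand_query(template: str, **values: str) -> str:
    """Substitute {u}, {dn} and {g} placeholders with escaped values."""
    result = template
    for key, value in values.items():
        result = result.replace("{" + key + "}", escape_filter_value(value))
    return result


def effective_role(group_roles: Dict[str, str], member_of: List[str]) -> Optional[str]:
    """Return the most restrictive role among the user's mapped groups,
    which is how the guide says AsyncOS resolves overlapping memberships."""
    roles = [group_roles[g] for g in member_of if g in group_roles]
    if not roles:
        return None  # no mapped group: no role granted (assumption, not from the guide)
    return min(roles, key=lambda r: ROLE_RANK[r])


if __name__ == "__main__":
    # Constructed sample mapping of directory groups to user roles.
    mapping = {"IT": "Administrator", "NOC": "Operator", "Support": "Help Desk User"}
    print(expand_query(AD_MEMBER_QUERY, u="jdoe"))
    print(expand_query(AD_MEMBER_QUERY.replace("{u}", "{dn}"),
                       dn="CN=Jane Doe,OU=IT,DC=example,DC=com"))
    print(expand_query(AD_GROUP_QUERY, g="Support"))
    print(effective_role(mapping, ["NOC", "Support"]))  # Help Desk User
```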
Table 11-7 shows the default query string and attributes used to query for group membership
information on an Active Directory server.

Table 11-7   Default Query String and Attributes for Active Directory Server

Query String: Active Directory
- Base DN: [blank] (You need to use a specific base DN to find the group records.)
- Query string to determine if a user is a member of a group: (&(objectClass=group)(member={u}))
  Note: If your LDAP schema uses distinguished names in the memberof list instead of user names,
  you can replace {u} with {dn}.
- Query string to determine all members of a group: (&(objectClass=group)(cn={g}))
- Attribute that holds each member's user name (or a DN for the user's record): member
- Attribute that contains the group name: cn

Table 11-8 shows the default query string and attributes used to query for group membership
information on an OpenLDAP server.

Table 11-8   Default Query String and Attributes for Open LDAP Server

Query String: OpenLDAP
- Base DN: [blank] (You need to use a specific base DN to find the group records.)