Cisco Firepower Management Center 4000
FireSIGHT System User Guide, page 35-41
Chapter 35  Introduction to Network Discovery
Obtaining User Data from LDAP Servers
The FireSIGHT System supports connections to LDAP servers running the following:
  • Microsoft Active Directory on Windows Server 2003 and Windows Server 2008
  • Oracle Directory Server Enterprise Edition 7.0 on Windows Server 2003 and Windows Server 2008
  • OpenLDAP on Linux
You must have TCP/IP access from the Defense Center to the LDAP servers. In addition, your LDAP servers must use the LDAP field names shown in the following table (Table 35-5). For example, the system maps the givenname metadata for a particular user on an LDAP server to the first name of that user in the Defense Center database. If you rename the field on the LDAP server, the Defense Center cannot populate its database with the information in that field.
Creating an LDAP Connection for User Control
License: FireSIGHT
You configure a connection between the Defense Center and an LDAP server by creating a user awareness authentication object. This object contains connection settings and authentication filter settings for the LDAP server from which you want to retrieve user information. It also specifies the users and groups you can use in access control rules. The method you use to create a user awareness authentication object is similar to creating an external authentication object, as described in .
Tip
To delete an LDAP connection, click the delete icon and confirm that you want to delete it. To modify a connection, click the edit icon and see the procedure in this section for the settings you can configure. If the connection is enabled, your changes take effect when the Defense Center next queries the LDAP server.
The following list contains the information you must provide when creating an LDAP connection. You should work closely with your LDAP administrators to obtain the information.
Table 35-5  Mapping LDAP Fields to Cisco Fields

Defense Center Field  Microsoft Active Directory                                    Oracle Directory Server  OpenLDAP
Username              samaccountname                                                cn, uid                  cn, uid
First Name            givenname                                                     givenname                givenname
Last Name             sn                                                            sn                       sn
Email                 mail; userprincipalname (if mail has no value)                mail                     mail
Department            department; distinguishedname (if department has no value)   department               ou
Phone                 telephonenumber                                               n/a                      telephonenumber
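The mapping in Table 35-5, including its two fallback rules (userprincipalname when mail is empty, distinguishedname when department is empty) and the caveat that a renamed attribute leaves a Defense Center field unpopulated, can be checked before a connection is configured. The script below is an added example, not code from the guide or from Cisco: it encodes the table, applies the first-candidate-wins fallback, and reports which Defense Center fields an exported LDAP entry would leave empty. The function and constant names, the attribute-to-values dictionary shape, and the sample entries are all constructed for this example; the guide specifies only the field names themselves.

```python
"""Map LDAP user attributes to Defense Center user fields per Table 35-5.

Added example: FIELD_MAP, map_user, unpopulated_fields and the sample
entries are constructed for illustration and are not Cisco code.
"""

# Candidate LDAP attribute names per Defense Center field, in lookup order.
# Fallback names from the table (e.g. userprincipalname when mail is empty)
# are listed second. An empty list is "n/a" in the table. Attribute names are
# compared case-insensitively, as LDAP attribute types are.
FIELD_MAP = {
    "active_directory": {
        "username":   ["samaccountname"],
        "first_name": ["givenname"],
        "last_name":  ["sn"],
        "email":      ["mail", "userprincipalname"],
        "department": ["department", "distinguishedname"],
        "phone":      ["telephonenumber"],
    },
    "oracle_directory": {
        "username":   ["cn", "uid"],
        "first_name": ["givenname"],
        "last_name":  ["sn"],
        "email":      ["mail"],
        "department": ["department"],
        "phone":      [],
    },
    "openldap": {
        "username":   ["cn", "uid"],
        "first_name": ["givenname"],
        "last_name":  ["sn"],
        "email":      ["mail"],
        "department": ["ou"],
        "phone":      ["telephonenumber"],
    },
}


def _normalize(entry):
    """Lower-case attribute names and drop empty values so lookups are uniform."""
    out = {}
    for attr, values in entry.items():
        if isinstance(values, str):
            values = [values]
        vals = [v for v in values if v not in (None, "")]
        if vals:
            out[attr.lower()] = vals
    return out


def map_user(server_type, entry):
    """Return {dc_field: value or None} for one LDAP entry.

    The first candidate attribute that has a value wins, which reproduces the
    'X (if Y has no value)' fallbacks in the table.
    """
    attrs = _normalize(entry)
    result = {}
    for dc_field, candidates in FIELD_MAP[server_type].items():
        result[dc_field] = None
        for name in candidates:
            if name in attrs:
                result[dc_field] = attrs[name][0]
                break
    return result


def unpopulated_fields(server_type, entry):
    """Defense Center fields that would stay empty for this entry.

    Fields the table marks n/a for that server type are not reported, since
    no LDAP attribute could ever fill them.
    """
    mapped = map_user(server_type, entry)
    return sorted(f for f, v in mapped.items()
                  if v is None and FIELD_MAP[server_type][f])


# Constructed sample entries (not from the guide), in the attribute->values
# shape an LDAP client library typically returns.
AD_ENTRY = {
    "sAMAccountName": ["jdoe"],
    "givenName": ["Jane"],
    "sn": ["Doe"],
    "mail": [],                                # empty: falls back to UPN
    "userPrincipalName": ["jdoe@example.test"],
    "distinguishedName": ["CN=Jane Doe,OU=Engineering,DC=example,DC=test"],
    "telephoneNumber": ["+1 555 0100"],
}

# Same user on a server where 'givenName' was renamed to 'firstName':
# the Defense Center cannot populate First Name from it.
OPENLDAP_RENAMED = {
    "uid": ["jdoe"],
    "firstName": ["Jane"],
    "sn": ["Doe"],
    "mail": ["jdoe@example.test"],
    "ou": ["Engineering"],
}

if __name__ == "__main__":
    print(map_user("active_directory", AD_ENTRY))
    print("unpopulated:", unpopulated_fields("openldap", OPENLDAP_RENAMED))
```

Running it against an entry exported from your own directory (for example the attribute list an LDAP client returns for one user) shows, per server type, which Defense Center fields will be filled and which will remain blank because the expected attribute name is absent.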