Cisco Firepower Management Center 4000
FireSIGHT System User Guide, 48-10
Chapter 48      Managing Users
  Managing Authentication Objects
For the user name, you can enter the value for the uid attribute for the user you want to test with. If you are connecting to a Microsoft Active Directory Server and supply a UI access attribute in place of uid, use the value for that attribute as the user name.
Preparing to Create an LDAP Authentication Object
License: Any
Before you configure a connection to your LDAP server, you should collect the information that you need to create the LDAP authentication object. For more information on specific aspects of configuration, see .
You need the following for any authentication object:
  • the server name or IP address for the server where you plan to connect
  • the server type of the server where you plan to connect
  • the user name and password for a user account with sufficient privileges to browse the LDAP tree; Cisco recommends that you use a domain admin user account for this purpose
  • if there is a firewall between the appliance and the LDAP server, an entry in the firewall to allow outgoing connections
  • if possible, the base distinguished name for the server directory where the user names reside
Note that you can use a third-party LDAP client to browse the LDAP tree and see base DN and attribute descriptions. You can also use that client to confirm that your selected user can browse the base DN you select. Ask your LDAP administrator to recommend an approved LDAP client for your LDAP server.
Depending on how you plan to customize your LDAP authentication object configuration, you might also need the information in the following table.
Table 48-1   Additional LDAP Configuration Information

To...                                                                                        You need...
connect over a port other than 389                                                           the port number
connect via an encrypted connection                                                          the certificate for the connection
filter the users who can access your appliance based on an attribute value                   the attribute-value pair to filter by
use an attribute as a UI access attribute rather than checking the user distinguished name   the name of the attribute
use an attribute as a shell login attribute rather than checking the user distinguished name the name of the attribute
filter the users who can access your appliance via the shell based on an attribute value     the attribute-value pair to filter by
associate groups with specific user roles                                                    the distinguished name of each group, as well as the group member attribute if the groups are static groups or the group member URL attribute if the groups are dynamic groups
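The last row of Table 48-1 matters because the two group kinds are resolved differently: a static group lists member DNs in its group member attribute, while a dynamic group holds an LDAP URL in its group member URL attribute and the user must fall inside that URL's base DN, scope and filter. The following Python is an added example, not Cisco's code, that resolves a user's roles against constructed sample entries; the attribute names member and memberURL, the sample DNs and the role names are assumptions.

```python
from urllib.parse import unquote

# Constructed sample directory (DN -> attributes), standing in for a real LDAP server.
DIRECTORY = {
    "uid=jdoe,ou=people,dc=example,dc=com": {"uid": ["jdoe"], "department": ["security"]},
    "uid=asmith,ou=people,dc=example,dc=com": {"uid": ["asmith"], "department": ["sales"]},
    # static group: the group member attribute (assumed "member") lists member DNs
    "cn=admins,ou=groups,dc=example,dc=com": {"member": ["uid=jdoe,ou=people,dc=example,dc=com"]},
    # dynamic group: the group member URL attribute (assumed "memberURL") holds an LDAP URL
    "cn=analysts,ou=groups,dc=example,dc=com": {
        "memberURL": ["ldap:///ou=people,dc=example,dc=com??sub?(department=security)"]},
}

def normalize_dn(dn):
    """Case-fold and strip spaces around RDN separators so DNs compare reliably."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_ldap_url(url):
    """Split an RFC 4516 URL ldap:///dn?attrs?scope?filter into (base DN, scope, filter)."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an LDAP URL: %r" % url)
    _host, _, path = url[len("ldap://"):].partition("/")
    parts = (path.split("?") + [""] * 4)[:4]          # pad missing components
    base, _attrs, scope, filt = (unquote(p) for p in parts)
    return normalize_dn(base), (scope or "base").lower(), filt or "(objectClass=*)"

def dn_in_scope(dn, base, scope):
    """Check whether dn lies within base for scope base, one or sub."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    if scope == "base":
        return dn == base
    if scope in ("one", "onelevel"):
        return dn.partition(",")[2] == base             # direct child only
    return dn == base or dn.endswith("," + base)        # sub: whole subtree

def matches_filter(attrs, filt):
    """Evaluate one equality or presence filter, e.g. (department=security) or (uid=*).
    Compound (&, |, !) filters are deliberately out of scope for this example."""
    body = filt.strip()
    if not (body.startswith("(") and body.endswith(")")) or body[1] in "&|!":
        raise ValueError("unsupported filter: %r" % filt)
    attr, _, value = body[1:-1].partition("=")
    values = [v.lower() for v in attrs.get(attr.strip(), [])]
    return bool(values) if value == "*" else value.lower() in values

def is_member(user_dn, group_dn, member_attr="member", url_attr="memberURL"):
    """True if the user is in the static member list or selected by a dynamic member URL."""
    group, user = DIRECTORY[group_dn], normalize_dn(user_dn)
    if user in (normalize_dn(m) for m in group.get(member_attr, [])):
        return True
    return any(dn_in_scope(user, base, scope) and matches_filter(DIRECTORY[user_dn], filt)
               for base, scope, filt in map(parse_ldap_url, group.get(url_attr, [])))

def roles_for(user_dn, group_roles):
    """Collect the roles of every group (static or dynamic) that contains the user."""
    return sorted(role for gdn, role in group_roles.items() if is_member(user_dn, gdn))
```

Running the same checks with a real LDAP client against the group DNs you collected confirms that the member attribute or member URL attribute you plan to enter actually selects the intended users.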