Cisco Cisco Firepower Management Center 4000
48-19
FireSIGHT System User Guide
Chapter 48 Managing Users
Managing Authentication Objects
To configure the LDAP-specific parameters for a server:

Access: Admin

Step 1 In the LDAP-Specific Parameters section of the Create Authentication Object page, you have two options for setting the base DN:

• To fetch a list of all available domains, click Fetch DNs and select the appropriate base domain name from the drop-down list.

• Type the base distinguished name for the LDAP directory you want to access in the Base DN field.

For example, to authenticate names in the Security organization at the Example company, type or select ou=security,dc=example,dc=com.

Step 2 Optionally, to set a filter that retrieves only specific objects within the directory you specified as the Base DN, type the attribute type, a comparison operator, and the attribute value you want to use as a filter, enclosed in parentheses, in the Base Filter field.

For example, if the user objects in a directory tree have a physicalDeliveryOfficeName attribute and users in the New York office have an attribute value of NewYork for that attribute, to retrieve only users in the New York office, type (physicalDeliveryOfficeName=NewYork).

Step 3 Type the distinguished name and password for the user whose credentials should be used to validate access to the LDAP directory in the User Name and Password fields.

For example, if you are connecting to an OpenLDAP server where user objects have a uid attribute and the object for the administrator in the Security division at our example company has a uid value of NetworkAdmin, you might type uid=NetworkAdmin,ou=security,dc=example,dc=com.

Caution: If you are connecting to a Microsoft Active Directory Server, you cannot provide a server user name that ends with the $ character.
Table 48-2 LDAP-Specific Parameters (continued)

Setting: UI Access Attribute
Description: Tells the local appliance to match the value of a specific attribute rather than the value of the user distinguished name. You can use any attribute, if the value of the attribute is a valid user name for the FireSIGHT System web interface. If one of the objects has a matching user name and password, the user login request is authenticated.
Selecting a server type and setting defaults prepopulates the UI Access Attribute with a value typically appropriate for that type of server.
If you leave this field blank, the local appliance checks the user distinguished name value for each user record on the LDAP server to see if it matches the user name.
Example: sAMAccountName

Setting: Shell Access Attribute
Description: If you want to check a specific attribute for shell access credentials, you must explicitly set this field to match the attribute. You can use any attribute if the value of the attribute is a valid user name for shell access.
If you leave this field blank, the user distinguished name is used for shell access authentication.
Note that selecting a server type and setting defaults prepopulates this field with an attribute typically appropriate for that type of server.
Example: sAMAccountName
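As an added example that is not part of the Cisco guide, the following Python models how the Base DN scope from Step 1, the Base Filter from Step 2 and the UI Access Attribute from Table 48-2 combine to select the directory entry a web-interface login name is checked against, and applies the Caution that an Active Directory server user name may not end with $. The directory entries, attribute values and function names (DIRECTORY, find_user, parse_filter, check_bind_user) are constructed for this example; the filter parser supports only the RFC 4515 subset the page uses (equality, presence, and the &, |, ! operators) and compares values case-insensitively.

```python
# Added example (not from the Cisco guide): models how Base DN, Base Filter and
# UI Access Attribute select the directory entry a login name is checked against,
# plus the Caution about Active Directory user names ending in '$'. The directory,
# attribute values and function names below are constructed for the example; the
# filter parser covers only the RFC 4515 subset used here (equality, presence, &, |, !).

# Constructed sample directory: user DN -> attributes (no real accounts)
DIRECTORY = {
    "uid=NetworkAdmin,ou=security,dc=example,dc=com": {
        "uid": "NetworkAdmin", "sAMAccountName": "networkadmin", "physicalDeliveryOfficeName": "NewYork"},
    "uid=jdoe,ou=security,dc=example,dc=com": {
        "uid": "jdoe", "sAMAccountName": "jdoe", "physicalDeliveryOfficeName": "Boston"},
    "uid=asmith,ou=sales,dc=example,dc=com": {
        "uid": "asmith", "sAMAccountName": "asmith", "physicalDeliveryOfficeName": "NewYork"},
}

def norm_dn(dn):
    """Normalise a DN for comparison: trim spaces around components, ignore case."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_subtree(dn, base_dn):
    """True if dn lies at or below base_dn, i.e. inside the Base DN search scope."""
    dn, base = norm_dn(dn), norm_dn(base_dn)
    return dn == base or dn.endswith("," + base)

def parse_filter(text):
    """Parse a minimal RFC 4515 filter, e.g. (physicalDeliveryOfficeName=NewYork)
    or (&(uid=jdoe)(!(ou=sales))), into nested (op, arg) tuples."""
    pos = 0
    peek = lambda: text[pos] if pos < len(text) else ""

    def node():
        nonlocal pos
        if peek() != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = peek()
        if op in ("&", "|"):                      # AND / OR over nested items
            pos += 1
            items = []
            while peek() == "(":
                items.append(node())
            result = (op, items)
        elif op == "!":                           # NOT over a single item
            pos += 1
            result = ("!", [node()])
        else:                                     # attr=value, or attr=* (presence)
            end = text.index(")", pos)
            attr, sep, value = text[pos:end].partition("=")
            if not attr or not sep:
                raise ValueError(f"unsupported filter item {text[pos:end]!r}")
            result, pos = ("=", (attr, value)), end
        if peek() != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result

    result = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return result

def lookup(attrs, name):
    """Attribute names are case-insensitive in LDAP."""
    return next((v for k, v in attrs.items() if k.lower() == name.lower()), None)

def matches(node, attrs):
    """Evaluate a parsed filter against one entry; values compared case-insensitively
    (caseIgnoreMatch), an assumption made for this example."""
    op, arg = node
    if op == "=":
        actual = lookup(attrs, arg[0])
        return actual is not None and (arg[1] == "*" or actual.lower() == arg[1].lower())
    if op == "&":
        return all(matches(n, attrs) for n in arg)
    if op == "|":
        return any(matches(n, attrs) for n in arg)
    return not matches(arg[0], attrs)             # op == "!"

def find_user(login_name, base_dn, base_filter="", ui_access_attribute=""):
    """Return the DNs this configuration would accept for login_name. With
    ui_access_attribute blank, the login name is compared to the user DN itself,
    as Table 48-2 describes. The login name is compared literally and never
    parsed as a filter, so a name such as '*' is not treated as a wildcard."""
    flt = parse_filter(base_filter) if base_filter else None
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not in_subtree(dn, base_dn):           # outside the Base DN scope
            continue
        if flt is not None and not matches(flt, attrs):   # excluded by the Base Filter
            continue
        if ui_access_attribute:
            actual = lookup(attrs, ui_access_attribute)
            if actual is not None and actual.lower() == login_name.lower():
                hits.append(dn)
        elif norm_dn(dn) == norm_dn(login_name):
            hits.append(dn)
    return hits

def check_bind_user(user_name, server_type):
    """Apply the Caution on this page: an Active Directory server user name may
    not end with '$'. Other server types are returned unchanged."""
    if server_type == "Microsoft Active Directory" and user_name.endswith("$"):
        raise ValueError("Active Directory server user name must not end with '$'")
    return user_name
```

Two design points are worth noting. The login name is compared to the attribute value directly rather than being spliced into the filter string, so filter metacharacters typed as a user name cannot widen the match. The Step 3 bind account is not modelled beyond the $ check; it only needs to read the entries beneath the Base DN, so a dedicated read-only account, rather than an administrator's own credentials, is the usual choice for that field.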