Cisco Firepower Management Center 4000
FireSIGHT System User Guide, 48-23
Chapter 48      Managing Users
  Managing Authentication Objects
Note that a home directory for each shell user is created on login, and when an LDAP shell access user account is disabled (by disabling the LDAP connection), the directory remains, but the user shell is set to /bin/false in /etc/passwd to disable the shell. If the user is then re-enabled, the shell is reset, using the same home directory.
The Same as Base Filter check box allows you to search more efficiently if all users qualified in the base DN are also qualified for shell access privileges. Normally, the LDAP query to retrieve users combines the base filter with the shell access filter. If the shell access filter is the same as the base filter, the same query runs twice, which is unnecessarily time-consuming. You can use the Same as Base Filter option to run the query only once for both purposes.
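As an added example (not Cisco's code), the following Python models how the base filter and the shell access filter combine, including the Same as Base Filter case and the blank-filter case, so that the set of directory users who would receive shell (and therefore sudoers) access can be reviewed before the object is saved. The directory entries are constructed sample data, and the filter evaluator is a deliberately minimal assumption that handles only the (attribute=value), (&...) and (|...) forms this section uses.

```python
import re

# Constructed sample directory entries (not real data) for the demonstration.
SAMPLE_ENTRIES = [
    {"uid": "Alice", "manager": "shell", "objectClass": "person"},
    {"uid": "bob", "manager": "netops", "objectClass": "person"},
    {"uid": "carol", "manager": "shell", "objectClass": "person"},
    {"uid": "svc-backup", "manager": "shell", "objectClass": "service"},
]

_EQUALITY = re.compile(r"^\(([A-Za-z][\w.-]*)=([^()]*)\)$")

def _split_components(s):
    """Split '(a=1)(b=2)' into its top-level parenthesised components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts

def matches(entry, ldap_filter):
    """Evaluate (attr=value), (&...) or (|...) against one entry. Values are
    compared exactly; a real directory applies the attribute's matching rule."""
    f = ldap_filter.strip()
    if f[:2] in ("(&", "(|") and f.endswith(")"):
        results = [matches(entry, p) for p in _split_components(f[2:-1])]
        return all(results) if f[1] == "&" else any(results)
    m = _EQUALITY.match(f)
    if not m:
        raise ValueError(f"unsupported filter syntax: {f}")
    attr, value = m.groups()
    return entry.get(attr) == value

def shell_users(entries, base_filter, shell_filter=None, same_as_base=False):
    """Return the uids that would be granted shell (and so sudoers) access.
    Blank shell filter -> no LDAP shell access; Same as Base Filter -> a single
    query with the base filter; otherwise an entry must satisfy both filters."""
    if same_as_base:
        return [e["uid"] for e in entries if matches(e, base_filter)]
    if not shell_filter:
        return []
    return [e["uid"] for e in entries if matches(e, base_filter) and matches(e, shell_filter)]
```

Running shell_users against an export of the real directory with the filters you intend to configure gives the list the Caution below asks you to keep restricted.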
Shell users can log in using user names with lowercase, uppercase, or mixed case letters. Login authentication for the shell is case sensitive.
Caution   On Series 3 Defense Centers, all shell users have sudoers privileges. Make sure that you restrict the list of users with shell access appropriately. On Series 3 and virtual devices, shell access granted to externally authenticated users defaults to the Configuration level of command line access, which also grants sudoers privileges.
To configure shell account authentication:
Access: Admin
Step 1   Optionally, on the Create Authentication Object page, set a shell access account filter. You have multiple options:
  • To retrieve administrative user entries based on attribute value, type the attribute name, a comparison operator, and the attribute value you want to use as a filter, enclosed in parentheses, in the Shell Access Filter field.
  • To use the same filter you specified when configuring authentication settings, select Same as Base Filter.
  • To prevent LDAP authentication of shell access, leave the field blank. If you choose not to specify a shell access filter, a warning displays when you save the authentication object to confirm that you meant to leave the filter blank.
For example, if all network administrators have a manager attribute with an attribute value of shell, you can set a base filter of (manager=shell).
Step 2   Continue with Testing User Authentication.

Testing User Authentication
License: Any
After you configure LDAP server and authentication settings, you can specify user credentials for a user who should be able to authenticate to test those settings.
For the user name, you can enter the value for the uid attribute for the user you want to test with. If you are connecting to a Microsoft Active Directory Server and supplied a shell access attribute in place of uid, use the value for that attribute as the user name. You can also specify a fully qualified distinguished name for the user.