Cisco Web Security Appliance S670 User Guide
Chapter 20 Authentication
LDAP Authentication
20-48
Cisco IronPort AsyncOS 7.1 for Web User Guide
OL-23207-01
• Group object. Sometimes, group membership information is stored in the group object, which has an attribute (such as “member”) that lists all users belonging to the group. Define authorized users by group object when the group object contains all the users you need to define. For more information on how to define authorized users by group object, see
• User object. Sometimes, group membership information is stored in the user object, which has an attribute (such as “memberOf”) that lists all groups to which a user belongs. Define authorized users by user object when the authentication server does not store membership information in the group object, or when it has no group object at all. For more information on how to define authorized users by user object, see
Note
The user object must not contain any special character.
When you configure group authorization in an LDAP authentication realm, be sure you uniquely identify a group object in the LDAP server. If the search for a group DN returns multiple entries, the Web Security appliance uses only the first entry returned. You uniquely identify a group object using the following fields:
• Base DN
• Attribute that contains the group name
• Query string to determine if an object is a group
When you create an LDAP authentication realm with user object based group authorization against an Active Directory server, the user object does not contain the primary group that the user is a member of, for example “Domain Users.” It contains only the other defined groups. Therefore, policy groups might not match these users under the following conditions:
• An Identity policy group specifies an LDAP realm with user attribute based group authorization.
• A non-Identity policy group uses that Identity policy group, and the primary group is configured as an authorized group in the Active Directory server.
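The following Python model is an added example, not the appliance's own code, that walks through the three points above: the group-object lookup (“member”) versus the user-object lookup (“memberOf”), the rule that an ambiguous group search yields only the first entry, and the Active Directory primary-group gap. The in-memory directory, DNs, RIDs and attribute values are constructed for the example. One fact it relies on that the page does not state: Active Directory records a user's primary group as the RID in the user's primaryGroupID attribute, and neither the user's memberOf nor the group's member attribute reflects that membership.

```python
"""Toy model of LDAP group authorization as described in the guide.

Constructed example (not the appliance's implementation). A dict stands in
for the LDAP server; attribute names mimic Active Directory so the
primary-group caveat can be reproduced.
"""

# Constructed directory: DN -> attributes. SIDs/RIDs are made up.
DIRECTORY = {
    "CN=Domain Users,CN=Users,DC=example,DC=com": {
        "objectClass": ["top", "group"],
        "cn": ["Domain Users"],
        "objectSid": ["S-1-5-21-1111-2222-3333-513"],
        "member": [],  # AD does not list primary-group members here
    },
    "CN=WebProxyUsers,OU=Groups,DC=example,DC=com": {
        "objectClass": ["top", "group"],
        "cn": ["WebProxyUsers"],
        "objectSid": ["S-1-5-21-1111-2222-3333-1105"],
        "member": ["CN=alice,CN=Users,DC=example,DC=com"],
    },
    # Same cn in another OU: a search scoped too widely returns both,
    # and only the first hit is used.
    "CN=WebProxyUsers,OU=Stale,DC=example,DC=com": {
        "objectClass": ["top", "group"],
        "cn": ["WebProxyUsers"],
        "objectSid": ["S-1-5-21-1111-2222-3333-1200"],
        "member": [],
    },
    "CN=alice,CN=Users,DC=example,DC=com": {
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": ["alice"],
        "memberOf": ["CN=WebProxyUsers,OU=Groups,DC=example,DC=com"],
        "primaryGroupID": ["513"],  # primary group, absent from memberOf
    },
}


def _under(dn, base_dn):
    """True when dn is base_dn itself or lies beneath it."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def search_groups(base_dn, name_attr, group_class, group_name):
    """Entries under base_dn whose name_attr equals group_name and that pass
    the 'is a group' test. The guide's query string is modelled here as a
    required objectClass value (the appliance takes an LDAP filter)."""
    return [
        dn for dn, attrs in DIRECTORY.items()
        if _under(dn, base_dn)
        and group_class in attrs.get("objectClass", [])
        and group_name in attrs.get(name_attr, [])
    ]


def resolve_group_dn(base_dn, name_attr, group_class, group_name):
    """Appliance rule: several hits -> only the first one is used."""
    hits = search_groups(base_dn, name_attr, group_class, group_name)
    return hits[0] if hits else None


def authorized_by_group_object(user_dn, group_dn, member_attr="member"):
    """Group-object method: is the user listed in the group's member list?"""
    return user_dn in DIRECTORY.get(group_dn, {}).get(member_attr, [])


def authorized_by_user_object(user_dn, group_dn, memberof_attr="memberOf"):
    """User-object method: is the group listed in the user's memberOf?"""
    return group_dn in DIRECTORY.get(user_dn, {}).get(memberof_attr, [])


def ad_primary_group_dn(user_dn):
    """Resolve the AD primary group from primaryGroupID (a RID) by matching
    the last component of each group's objectSid."""
    rid = DIRECTORY.get(user_dn, {}).get("primaryGroupID", [None])[0]
    if rid is None:
        return None
    for dn, attrs in DIRECTORY.items():
        sids = attrs.get("objectSid", [])
        if sids and sids[0].rsplit("-", 1)[-1] == rid:
            return dn
    return None


def authorized_including_primary(user_dn, group_dn):
    """Hypothetical combined check: memberOf plus the primary group."""
    return (authorized_by_user_object(user_dn, group_dn)
            or ad_primary_group_dn(user_dn) == group_dn)
```

Running the lookups against the constructed directory shows why the Base DN matters: searching for WebProxyUsers from the domain root returns two groups and silently picks the stale OU's copy if it happens to sort first, whereas a Base DN of OU=Groups returns exactly one. For alice, both methods agree on WebProxyUsers, but neither sees Domain Users; only the primaryGroupID resolution does, which is the mismatch the guide warns about.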