Cisco Systems 3.3 Manual De Usuario
13-33
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 13 User Databases
Generic LDAP
•
•
•
Cisco Secure ACS Authentication Process with a Generic LDAP
User Database
User Database
Cisco Secure ACS forwards the username and password to an LDAP database
using a TCP connection on a port that you specify. The LDAP database either
passes or fails the authentication request from Cisco Secure ACS. Upon receiving
the response from the LDAP database, Cisco Secure ACS instructs the requesting
AAA client to grant or deny the user access, depending upon the response from
the LDAP server.
using a TCP connection on a port that you specify. The LDAP database either
passes or fails the authentication request from Cisco Secure ACS. Upon receiving
the response from the LDAP database, Cisco Secure ACS instructs the requesting
AAA client to grant or deny the user access, depending upon the response from
the LDAP server.
Cisco Secure ACS grants authorization based on the Cisco Secure ACS group to
which the user is assigned. While the group to which a user is assigned can be
determined by information from the LDAP server, it is Cisco Secure ACS that
grants authorization privileges.
which the user is assigned. While the group to which a user is assigned can be
determined by information from the LDAP server, it is Cisco Secure ACS that
grants authorization privileges.
Multiple LDAP Instances
You can create more than one LDAP configuration in Cisco Secure ACS. By
creating more than one LDAP configuration with different IP address or port
settings, you can configure Cisco Secure ACS to authenticate using different
LDAP servers or using different databases on the same LDAP server. Each
primary server IP address and port configuration, along with the secondary server
IP address and port configuration, forms an LDAP instance that corresponds to
one Cisco Secure ACS LDAP configuration instance.
creating more than one LDAP configuration with different IP address or port
settings, you can configure Cisco Secure ACS to authenticate using different
LDAP servers or using different databases on the same LDAP server. Each
primary server IP address and port configuration, along with the secondary server
IP address and port configuration, forms an LDAP instance that corresponds to
one Cisco Secure ACS LDAP configuration instance.
Cisco Secure ACS does not require that each LDAP instance corresponds to a
unique LDAP database. You can have more than one LDAP configuration set to
access the same database. This is useful when your LDAP database contains more
than one subtree for users or groups. Because each LDAP configuration supports
only one subtree directory for users and one subtree directory for groups, you
must configure separate LDAP instances for each user directory subtree and group
directory subtree combination for which Cisco Secure ACS should submit
authentication requests.
unique LDAP database. You can have more than one LDAP configuration set to
access the same database. This is useful when your LDAP database contains more
than one subtree for users or groups. Because each LDAP configuration supports
only one subtree directory for users and one subtree directory for groups, you
must configure separate LDAP instances for each user directory subtree and group
directory subtree combination for which Cisco Secure ACS should submit
authentication requests.