Cisco Web Security Appliance S690 User Guide

AsyncOS 8.7 for Cisco Web Security Appliances User Guide
 
Chapter 5      Acquire End-User Credentials
  Authentication Realms
Step 7  (Optional) Configure external LDAP authentication for users.
a. Select External Authentication Queries.
b. Identify the user accounts:
c. (Optional) Deny login to expired accounts based on RFC 2307 account expiration LDAP attributes.
d. Provide a query to retrieve group information for users.
   If a user belongs to multiple LDAP groups with different user roles, AsyncOS grants the user the permissions for the most restrictive role.

Attribute that Contains the Group Name
    When the group membership attribute is a DN, this specifies the attribute that can be used as group name in policy group configurations.
    Choose one of the following values:
    - cn. A unique identifier in the LDAP directory that specifies the name of a group.
    - custom. A custom identifier such as FinanceGroup.

Query String to Determine if Object is a Group
    Choose an LDAP search filter that determines if an LDAP object represents a user group.
    Choose one of the following values:
    - objectclass=groupofnames
    - objectclass=groupofuniquenames
    - objectclass=group
    - custom. A custom filter such as objectclass=person.
    Note: The query defines the set of authentication groups which can be used in Web Security Manager policies.

User Object Setting    Description

Base DN
    The Base DN to navigate to the correct location in the LDAP directory tree to begin a search.
Query String
    The query to return the set of authentication groups, for example:
    (&(objectClass=posixAccount)(uid={u}))
    or
    (&(objectClass=user)(sAMAccountName={u}))
Attribute containing the user’s full name
    The LDAP attribute, for example, displayName or gecos.

Base DN
    The Base DN to navigate to the correct location in the LDAP directory tree to begin a search.
Query String
    (&(objectClass=posixAccount)(uid={u}))
Attribute containing the user’s full name
    gecos
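
The following is an added example, not taken from the Cisco guide and not AsyncOS code: a Python check of the three behaviors Step 7 describes, for trying out a query string against sample entries before entering it. It expands {u} with RFC 4515 escaping, evaluates the RFC 2307 shadowExpire attribute, and selects the most restrictive role. Assumptions: the role names and their order, the group names, the directory entries, and the rule that an account counts as expired from the stated day onward.

```python
from datetime import date

# RFC 4515: characters that must be escaped inside a filter assertion value.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Assumed role names, most restrictive first (constructed, not from the guide).
ROLE_ORDER = ["guest", "read-only", "operator", "administrator"]

# Constructed group-to-role mapping and directory entries.
GROUP_ROLES = {"wsa-admins": "administrator", "wsa-helpdesk": "read-only"}
ENTRIES = {
    "alice": {"gecos": "Alice Example", "shadowExpire": "19000",
              "groups": ["wsa-admins", "wsa-helpdesk"]},
    "bob": {"gecos": "Bob Example", "groups": ["wsa-admins"]},
}

def expand_query(query, username):
    """Replace {u} with the username, escaped so it cannot alter the filter."""
    escaped = "".join(FILTER_ESCAPES.get(ch, ch) for ch in username)
    return query.replace("{u}", escaped)

def is_expired(entry, today):
    """RFC 2307 shadowExpire holds the expiry date as days since 1970-01-01."""
    value = entry.get("shadowExpire")
    if value is None or int(value) < 0:  # assumption: absent/negative = no expiry
        return False
    # Assumption: the account is treated as expired from the stated day onward.
    return (today - date(1970, 1, 1)).days >= int(value)

def effective_role(groups):
    """Return the most restrictive role among the user's mapped groups."""
    roles = [GROUP_ROLES[g] for g in groups if g in GROUP_ROLES]
    return min(roles, key=ROLE_ORDER.index) if roles else None

def evaluate_login(username, today):
    """Return (allowed, role, expanded filter) for a constructed entry."""
    query = expand_query("(&(objectClass=posixAccount)(uid={u}))", username)
    entry = ENTRIES.get(username)
    if entry is None or is_expired(entry, today):
        return (False, None, query)
    return (True, effective_role(entry["groups"]), query)

if __name__ == "__main__":
    for user in ("alice", "bob", "a*)("):
        print(user, evaluate_login(user, date(2022, 1, 7)))
```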