Cisco Web Security Appliance S160 User Guide
20-29
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 20 Authentication
LDAP Authentication
LDAP Group Authorization
You can use the user group membership information stored in an LDAP directory to apply a policy group
to a group of users. To do this, enable group authorization in an LDAP authentication realm and group
users by one of the following LDAP object types:
• Group object. Sometimes, group membership information is stored in the group object, which has an attribute (such as “member”) that lists all users that belong to the group. Define authorized users by group object when the group object contains all the users you need to define. For more information on how to define authorized users by group object, see
• User object. Sometimes, group membership information is stored in the user object, which has an attribute (such as “memberOf”) that lists all groups to which a user belongs. Define authorized users by user object when the authentication server does not store the member information in the group object, or when it has no group object at all. For more information on how to define authorized users by user object, see
Note: The user object must not contain any special characters.
When you configure group authorization in an LDAP authentication realm, be sure you uniquely identify
a group object in the LDAP server. If the search for a group DN returns multiple entries, the Web Security
appliance only uses the first entry returned. You uniquely identify a group object using the following
fields:
• Base DN
• Attribute that contains the group name
• Query string to determine whether an object is a group
When you create an LDAP authentication realm with user-object-based group authorization against an Active Directory server, the user object's group attribute (such as “memberOf”) does not list the primary group that the user is a member of, for example “Domain Users.” It lists only the other groups the user has been added to. Therefore, policy groups might not match these users under the following conditions:
• An Identity policy group specifies an LDAP realm with user-attribute-based group authorization.
• A non-Identity policy group uses that Identity policy group, and the primary group is the one configured as an authorized group in the Active Directory server.
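The following Python simulation is an example added for this page; it is not the appliance's own code. It models the two lookups described above (group object with a “member” attribute, user object with a “memberOf” attribute) against a small constructed in-memory directory, shows why an ambiguous group search returns only the first entry, and shows the Active Directory primary-group gap: “Domain Users” is absent from memberOf and has to be recovered from primaryGroupID and the domain SID if a policy depends on it. The DNs, SIDs and attributes are constructed, objectSid is kept as a string rather than AD's binary form, and the filter evaluator handles only the equality and single-level AND filters the example needs. The RFC 4515 escaping of the group name is the standard way to keep special characters in a name from changing the filter's meaning.

```python
"""Simulation of LDAP group-authorization lookups (group object vs. user object).
Added example, not the appliance's implementation. All directory data below is
constructed; objectSid is a string here, whereas AD stores it as binary."""
import re

DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # constructed domain SID

# Constructed directory: DN -> attributes; every attribute is multi-valued.
DIRECTORY = {
    "CN=Domain Users,CN=Users,DC=example,DC=com": {
        "objectClass": ["group"], "cn": ["Domain Users"],
        "objectSid": [DOMAIN_SID + "-513"], "member": []},  # AD omits primary-group members
    "CN=WebAdmins,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"], "cn": ["WebAdmins"], "objectSid": [DOMAIN_SID + "-1104"],
        "member": ["CN=alice,CN=Users,DC=example,DC=com"]},
    "CN=WebAdmins,OU=Legacy,DC=example,DC=com": {  # same cn: ambiguous under DC=example
        "objectClass": ["group"], "cn": ["WebAdmins"], "objectSid": [DOMAIN_SID + "-1190"],
        "member": ["CN=bob,CN=Users,DC=example,DC=com"]},
    "CN=alice,CN=Users,DC=example,DC=com": {
        "objectClass": ["user"], "primaryGroupID": ["513"],
        "memberOf": ["CN=WebAdmins,OU=Groups,DC=example,DC=com"]},
    "CN=bob,CN=Users,DC=example,DC=com": {
        "objectClass": ["user"], "primaryGroupID": ["513"],
        "memberOf": ["CN=WebAdmins,OU=Legacy,DC=example,DC=com"]},
}


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def matches(entry, flt):
    """Minimal RFC 4515 evaluator: (attr=value) and one level of (&(...)(...))."""
    body = flt.strip()[1:-1]
    if body.startswith("&"):
        return all(matches(entry, s) for s in re.findall(r"\([^()]*\)", body))
    attr, _, value = body.partition("=")
    value = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def search(base_dn, flt):
    """Subtree search under base_dn with case-insensitive DN comparison."""
    base = base_dn.lower()
    return [dn for dn, entry in DIRECTORY.items()
            if (dn.lower() == base or dn.lower().endswith("," + base)) and matches(entry, flt)]


def resolve_group_dn(base_dn, group_name_attr, group_query, group_name):
    """Identify a group object from the three realm fields (base DN, group-name
    attribute, group query). Returns (dn, ambiguous); as on the appliance, the
    first entry returned wins when the search is not unique."""
    flt = "(&%s(%s=%s))" % (group_query, group_name_attr, escape_filter_value(group_name))
    hits = search(base_dn, flt)
    return (hits[0] if hits else None), len(hits) > 1


def member_via_group_object(user_dn, group_dn, member_attr="member"):
    """Group-object method: is user_dn listed in the group's member attribute?"""
    return any(m.lower() == user_dn.lower() for m in DIRECTORY[group_dn].get(member_attr, []))


def groups_via_user_object(user_dn, memberof_attr="memberOf"):
    """User-object method: the group DNs the user's memberOf attribute lists."""
    return [g.lower() for g in DIRECTORY[user_dn].get(memberof_attr, [])]


def ad_primary_group_dn(user_dn, base_dn="DC=example,DC=com"):
    """Recover the primary group AD leaves out of memberOf: domain SID + primaryGroupID."""
    rid = DIRECTORY[user_dn]["primaryGroupID"][0]
    hits = search(base_dn, "(objectSid=%s)" % escape_filter_value(DOMAIN_SID + "-" + rid))
    return hits[0] if hits else None


def is_authorized(user_dn, group_name, mode, base_dn="DC=example,DC=com"):
    """Policy-group match for one user by lookup mode: 'group' or 'user'."""
    group_dn, _ = resolve_group_dn(base_dn, "cn", "(objectClass=group)", group_name)
    if group_dn is None:
        return False
    if mode == "group":
        return member_via_group_object(user_dn, group_dn)
    return group_dn.lower() in groups_via_user_object(user_dn)


if __name__ == "__main__":
    bob, alice = "CN=bob,CN=Users,DC=example,DC=com", "CN=alice,CN=Users,DC=example,DC=com"
    print(resolve_group_dn("DC=example,DC=com", "cn", "(objectClass=group)", "WebAdmins"))
    print("bob, base DC=example:", is_authorized(bob, "WebAdmins", "user"))
    print("bob, base OU=Legacy:", is_authorized(bob, "WebAdmins", "user", "OU=Legacy,DC=example,DC=com"))
    print("alice/Domain Users via memberOf:", is_authorized(alice, "Domain Users", "user"))
    print("alice primary group:", ad_primary_group_dn(alice))
```

Running it shows the two failure modes the text warns about: with the base DN set to the domain root, the “WebAdmins” search returns two entries, the first (OU=Groups) is used, and bob is silently not matched until the base DN is narrowed to OU=Legacy; and alice is never matched against “Domain Users” by either method, because AD lists primary-group membership neither in the group's member attribute nor in the user's memberOf attribute.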