Cisco Web Security Appliance S170 User Guide
Chapter 16: Authentication
LDAP Authentication Settings
373
LDAP Group Authorization
You can use the user group membership information stored in an LDAP directory to apply a
policy group to a group of users. To do this, enable group authorization in an LDAP
authentication realm and group users by one of the following LDAP object types:
• Group object. Sometimes, group membership information is stored in the group object,
which has an attribute (such as “member”) to list all users that belong to the group. Define
authorized users by group object when the group object contains all users you need to
define. For more information on how to define authorized users by group object, see
Table 16-13 on page 374.
• User object. Sometimes, group membership information is stored in the user object,
which has an attribute (such as “memberOf”) that lists all groups to which a user belongs.
You might want to define authorized users by user object when the authentication server
does not store the member information in the group object or if it does not have a group
object. For more information on how to define authorized users by user object, see
Table 16-14 on page 374.
Note — The user object must not contain any special character.
When you configure group authorization in an LDAP authentication realm, be sure you
uniquely identify a group object in the LDAP server. If the search for a group DN returns
multiple entries, the Web Security appliance only uses the first entry returned. You uniquely
identify a group object using the following fields:
• Base DN
• Attribute that contains the group name
• Query string to determine if object is a group
When you create an LDAP authentication realm with user object based group authorization
against an Active Directory server, the user object does not contain the primary group that the
user is a member of, for example “Domain Users.” It only contains the other defined groups.
Therefore, policy groups might not match these users under the following conditions:
• An Identity policy group specifies an LDAP realm with user attribute based group
authentication.
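The two membership lookups described above (group object with a "member" attribute versus user object with a "memberOf" attribute), the requirement that the group search return exactly one entry, and the Active Directory primary-group caveat, worked through as an added Python example that is not part of the Cisco guide. It runs against a small constructed in-memory directory instead of a real LDAP server; every DN, account name and the `primaryGroupID` value are assumptions made up for illustration.

```python
from typing import Dict, List

# Constructed in-memory directory: DN -> attributes (every attribute is
# multi-valued, as in LDAP). All DNs and values here are made up.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=alice,OU=Users,DC=example,DC=test": {
        "objectClass": ["user"],
        "sAMAccountName": ["alice"],
        # memberOf lists only the "other defined groups"; the AD primary group
        # (Domain Users) is recorded via primaryGroupID, not via memberOf.
        "memberOf": ["CN=WebAdmins,OU=Groups,DC=example,DC=test"],
        "primaryGroupID": ["513"],
    },
    "CN=bob,OU=Users,DC=example,DC=test": {
        "objectClass": ["user"],
        "sAMAccountName": ["bob"],
        "memberOf": [],
        "primaryGroupID": ["513"],
    },
    "CN=WebAdmins,OU=Groups,DC=example,DC=test": {
        "objectClass": ["group"],
        "cn": ["WebAdmins"],
        "member": ["CN=alice,OU=Users,DC=example,DC=test"],
    },
    "CN=Domain Users,CN=Users,DC=example,DC=test": {
        "objectClass": ["group"],
        "cn": ["Domain Users"],
        "member": [],
    },
    # Two groups with the same cn under different OUs: a search scoped to the
    # domain root returns both, and the appliance would silently use the first.
    "CN=Staff,OU=Groups,DC=example,DC=test": {
        "objectClass": ["group"],
        "cn": ["Staff"],
        "member": ["CN=bob,OU=Users,DC=example,DC=test"],
    },
    "CN=Staff,OU=Legacy,DC=example,DC=test": {
        "objectClass": ["group"],
        "cn": ["Staff"],
        "member": [],
    },
}


def search(base_dn: str, attr: str, value: str, object_class: str) -> List[str]:
    """Subtree search: entries under base_dn whose attr contains value and
    whose objectClass contains object_class (the 'is this a group?' query)."""
    base = base_dn.lower()
    return [
        dn for dn, attrs in DIRECTORY.items()
        if dn.lower().endswith(base)
        and object_class in attrs.get("objectClass", [])
        and value in attrs.get(attr, [])
    ]


def group_search_is_unique(base_dn: str, group_name: str, name_attr: str = "cn") -> bool:
    """True when base DN + name attribute + group query identify exactly one entry."""
    return len(search(base_dn, name_attr, group_name, "group")) == 1


def find_group_dn(base_dn: str, group_name: str, name_attr: str = "cn") -> str:
    """Resolve a group name to one DN using the three fields the guide lists.
    Refuses ambiguous searches instead of picking the first hit, so a
    misconfigured base DN shows up as an error rather than a wrong policy."""
    hits = search(base_dn, name_attr, group_name, "group")
    if not hits:
        raise LookupError(f"no group {group_name!r} under {base_dn}")
    if len(hits) > 1:
        raise LookupError(f"group {group_name!r} under {base_dn} is ambiguous: {hits}")
    return hits[0]


def member_via_group_object(user_dn: str, group_dn: str, attr: str = "member") -> bool:
    """Group-object mode: the group entry lists its members."""
    return user_dn in DIRECTORY[group_dn].get(attr, [])


def member_via_user_object(user_dn: str, group_dn: str, attr: str = "memberOf") -> bool:
    """User-object mode: the user entry lists its groups."""
    return group_dn in DIRECTORY[user_dn].get(attr, [])


if __name__ == "__main__":
    alice = "CN=alice,OU=Users,DC=example,DC=test"
    admins = find_group_dn("OU=Groups,DC=example,DC=test", "WebAdmins")
    print("WebAdmins via group object:", member_via_group_object(alice, admins))
    print("WebAdmins via user object: ", member_via_user_object(alice, admins))
    # The AD primary group is invisible to user-object mode.
    domain_users = "CN=Domain Users,CN=Users,DC=example,DC=test"
    print("Domain Users via user object:", member_via_user_object(alice, domain_users))
```

Running the block shows WebAdmins matching alice in both modes, while Domain Users never matches in user-object mode, which is why an Identity policy keyed on that group will not catch such users. Narrowing the base DN from the domain root to the Groups OU is what turns the ambiguous "Staff" search into a unique one.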
Table 16-12 LDAP Authentication Settings (Continued)
Setting: Group Authorization
Description: Choose whether or not to enable LDAP group authorization. When
you enable LDAP group authorization, you can group users by group
object or user object.
For more information on configuring this section, see “LDAP Group
Authorization” on page 373.