Cisco Email Security Appliance C170 User Guide
4-241
Cisco IronPort AsyncOS 7.3 for Email Advanced Configuration Guide
OL-23081-01
Chapter 4 LDAP Queries
Group Membership Queries
AsyncOS also uses a query to determine if a user is a member of a directory group.
Membership in a directory group determines the user's permissions within the
system. When you enable external authentication on the System Administration >
Users page in the GUI (or userconfig in the CLI), you assign user roles to the
groups in your LDAP directory. User roles determine the permissions that users
have in the system, and for externally authenticated users, the roles are assigned
to directory groups instead of individual users. For example, you can assign users
in the IT directory group the Administrator role and users in the Support
directory group the Help Desk User role.
If a user belongs to multiple LDAP groups with different user roles, AsyncOS
grants the user the permissions for the most restrictive role. For example, if a user
belongs to a group with Operator permissions and a group with Help Desk User
permissions, AsyncOS grants the user the permissions for the Help Desk User
role.
When you configure the LDAP profile to query for group membership, enter the
base DN for the directory level where group records can be found, the attribute
that holds the group member's username, and the attribute that contains the group
name. Based on the server type that you select for your LDAP server profile,
AsyncOS enters default values for the username and group name attributes, as
well as default query strings.
Note
For Active Directory servers, the default query string to determine if a user is a
member of a group is (&(objectClass=group)(member={u})). However, if your
LDAP schema uses distinguished names in the "memberof" list instead of
usernames, you can use {dn} instead of {u}.
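The two pieces of behaviour described above (substituting {u} or {dn} into the group-membership query string, and collapsing several group roles to the most restrictive one) can be modelled in a few lines. The following is an added example written for this edit; it is not code from Cisco or from AsyncOS. It assumes the three roles named in this section, with Administrator as the least restrictive (the guide only states that Help Desk User is more restrictive than Operator), and it adds RFC 4515 escaping of the substituted value as a hardening step of its own, without claiming anything about how AsyncOS itself builds the query.

```python
from typing import Dict, List, Optional

# Roles from this section, least restrictive first. The guide states only that
# Help Desk User is more restrictive than Operator; placing Administrator at
# the least restrictive end is an assumption of this example.
ROLE_PRECEDENCE = ["Administrator", "Operator", "Help Desk User"]

# Default Active Directory group-membership query string from the guide.
AD_GROUP_QUERY = "(&(objectClass=group)(member={u}))"
# Variant for schemas whose member list holds distinguished names.
AD_GROUP_QUERY_DN = "(&(objectClass=group)(member={dn}))"

# RFC 4515 escapes for characters that are special inside a filter value.
# Applying them is a hardening choice of this example, not AsyncOS behaviour.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is treated as a literal value inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_group_query(template: str, username: str,
                      user_dn: Optional[str] = None) -> str:
    """Substitute {u} (username) or {dn} (user's DN) into a query template.

    A template that needs {dn} but is given no DN is rejected instead of
    silently producing a broken filter.
    """
    fields = {"u": escape_filter_value(username)}
    if user_dn is not None:
        fields["dn"] = escape_filter_value(user_dn)
    try:
        return template.format(**fields)
    except KeyError as missing:
        raise ValueError(f"template requires field {missing} but none was supplied")


def effective_role(group_roles: Dict[str, str],
                   member_of: List[str]) -> Optional[str]:
    """Return the most restrictive role among the user's mapped groups.

    group_roles maps a directory group name to the AsyncOS role assigned to
    it; member_of lists the groups the membership query returned. Groups
    with no role mapping are ignored; None means no mapped group matched.
    """
    roles = [group_roles[g] for g in member_of if g in group_roles]
    if not roles:
        return None
    # Higher index in ROLE_PRECEDENCE means more restrictive.
    return max(roles, key=ROLE_PRECEDENCE.index)


if __name__ == "__main__":
    # Constructed sample data: a role mapping like the one in the guide's example.
    mapping = {"IT": "Administrator", "Ops": "Operator", "Support": "Help Desk User"}
    print(build_group_query(AD_GROUP_QUERY, "jdoe"))
    print(build_group_query(AD_GROUP_QUERY_DN, "jdoe",
                            "CN=J Doe,OU=IT,DC=example,DC=com"))
    # Operator plus Help Desk User collapses to Help Desk User, as the guide states.
    print(effective_role(mapping, ["Ops", "Support"]))
```

The escaping step matters because the username (or DN) is interpolated into filter syntax: a value containing parentheses or an asterisk would otherwise change the meaning of the filter rather than being matched literally.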
Table 4-8 Default User Account Query String and Attribute: OpenLDAP
Query String: (&(objectClass=posixAccount)(uid={u}))
Attribute containing the user's full name: gecos