Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 48      Managing Users 
  Managing Authentication Objects
  • If you used server type defaults, check that you have the correct server type and click Set Defaults again to reset the default values.
For more information, see 
.
  • If you typed in your base distinguished name, click Fetch DNs to retrieve all the available base distinguished names on the server, and select the name from the list.
  • If you are using any filters, access attributes, or advanced settings, check that each is valid and typed correctly.
  • If you are using any filters, access attributes, or advanced settings, try removing each setting and testing the object without it.
  • If you are using a base filter or a shell access filter, make sure that the filter is enclosed in parentheses and that you are using a valid comparison operator. For more information, see
  • To test a more restricted base filter, try setting it to the base distinguished name for the user to retrieve just that user.
  • If you are using an encrypted connection:
      • Check that the name of the LDAP server in the certificate matches the host name that you use to connect.
      • Check that you have not used an IPv6 address with an encrypted server connection.
  • If you are using a test user, make sure that the user name and password are typed correctly.
  • If you are using a test user, remove the user credentials and test the object.
  • Test the query you are using by connecting to the LDAP server via the command line on the appliance you want to connect from using this syntax:
    ldapsearch -x -b 'base_distinguished_name' -h LDAPserver_ip_address -p port -v -D 'user_distinguished_name' -W 'base_filter'
    For example, if you are trying to connect to the security domain on myrtle.example.com using the domainadmin@myrtle.example.com user and a base filter of (cn=*), you could test the connection using this statement:
    ldapsearch -x -b 'CN=security,DC=myrtle,DC=example,DC=com' -h myrtle.example.com -p 389 -v -D 'domainadmin@myrtle.example.com' -W '(cn=*)'
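The filter and host checks from the list above can be run before the ldapsearch test. The following is an added example, not part of the Cisco guide; the function names are assumptions, and the command it builds follows the ldapsearch syntax shown above. It goes beyond the single (cn=*) case by also checking compound filters such as (&(objectClass=user)(cn=*)).

```python
import ipaddress
import re
import shlex

# One filter item: attribute description, then an RFC 4515 comparison operator.
ITEM = re.compile(r"^[^=~<>()\s]+(~=|>=|<=|=)")

def check_filter(flt):
    """Return the problems found in a base filter or shell access filter."""
    problems = []
    if not (flt.startswith("(") and flt.endswith(")")):
        problems.append("filter is not enclosed in parentheses")
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:  # a ")" appeared before its "("
            break
    if depth != 0:
        problems.append("parentheses are not balanced")
    # Innermost groups are the individual comparisons, e.g. cn=* in (&(cn=*)(...)).
    for item in re.findall(r"\(([^()]*)\)", flt):
        if not ITEM.match(item):
            problems.append(f"no valid comparison operator in ({item})")
    return problems

def check_host(host, encrypted):
    """Flag an IPv6 literal when the connection is encrypted."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return []  # a host name: compare it with the name in the certificate
    if encrypted and addr.version == 6:
        return ["IPv6 address used with an encrypted server connection"]
    return []

def preflight(base_dn, host, port, bind_dn, flt, encrypted=False):
    """Return (problems, command); command is None when problems exist."""
    problems = check_filter(flt) + check_host(host, encrypted)
    if problems:
        return problems, None
    argv = ["ldapsearch", "-x", "-b", base_dn, "-h", host, "-p", str(port),
            "-v", "-D", bind_dn, "-W", flt]
    return [], shlex.join(argv)  # shell-quoted, ready to paste

if __name__ == "__main__":
    # Values from the guide's example.
    print(preflight("CN=security,DC=myrtle,DC=example,DC=com", "myrtle.example.com",
                    389, "domainadmin@myrtle.example.com", "(cn=*)"))
```

A host name passes check_host without comment, so the certificate name comparison described above still has to be done against the server's certificate.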
If you can test your connection successfully but authentication does not work after you apply a system 
policy, check that authentication and the object you want to use are both enabled in the system policy 
that is applied to the appliance.
If you connect successfully but want to adjust the list of users retrieved by your connection, you can add 
or change a base filter or shell access filter or use a more restrictive or less restrictive base DN. For more 
information, see the following topics:
 
Creating Advanced LDAP Authentication Objects
License: Any
You can create LDAP authentication objects to provide user authentication services for an appliance.