Cisco Firepower Management Center 4000
48-17
FireSIGHT System User Guide
Chapter 48 Managing Users
Managing Authentication Objects
Configuring LDAP-Specific Parameters
License:
Any
The settings in the LDAP-specific parameters section determine the area of the LDAP directory where the appliance searches for user names, and control details of how the appliance connects to the LDAP server.
When configuring these settings, note that valid user names are unique, and can include underscores (_), periods (.), and hyphens (-), but otherwise only alphanumeric characters are supported.
In addition, for most LDAP-specific settings, you can use LDAP naming standards and filter and attribute syntax. For more information, see the RFCs listed in the Lightweight Directory Access Protocol (v3): Technical Specification, RFC 3377. Examples of syntax are provided throughout this procedure. Note that when you set up an authentication object to connect to a Microsoft Active Directory Server, you can use the address specification syntax documented in the Internet RFC 822 (Standard for the Format of ARPA Internet Text Messages) specification when referencing a user name that contains a domain. For example, to refer to a user object, you might type JoeSmith@security.example.com rather than the equivalent user distinguished name of cn=JoeSmith,ou=security, dc=example,dc=com when using Microsoft Active Directory Server.
The following table describes each of the LDAP-specific parameters.

Table 48-2 LDAP-Specific Parameters

Setting: Base DN
Description: Supplies the base distinguished name of the directory where the appliance searches for user information on the LDAP server. Typically, the base DN has a basic structure indicating the company domain and operational unit. Note that after you identify a primary server, you can automatically retrieve a list of available base DNs from the server and select the appropriate base DN.
Example: The Security organization of the Example company might have a base DN of ou=security,dc=example,dc=com

Setting: Base Filter
Description: Focuses your search by only retrieving objects in the base DN that have the specific attribute-value pair set in the filter. Note that you must enclose the base filter in parentheses. To test your base filter more specifically by entering a test user name and password, see
Example: To filter for only users with a common name starting with F, use the filter (cn=F*).

Setting: User Name/Password
Description: Allow the local appliance to access the user objects. Supply user credentials for a user with appropriate rights to the authentication objects you want to retrieve. The distinguished name for the user you specify must be unique to the directory information tree for the LDAP server. Note that server user names associated with a Microsoft Active Directory Server cannot end with the $ character.
Example: The user name for the admin user in the Security organization of the Example company might have a user name of cn=admin,ou=security,dc=example,dc=com
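As an added example that is not part of the guide, the following Python emulates what the Base DN and Base Filter settings select from a directory (entries under the base DN whose attribute matches the filter) and encodes the two naming rules stated on this page: the allowed user-name characters and the Active Directory "$" restriction. The directory entries, attribute values and function names are constructed for the demonstration.

```python
import re

# Constructed sample directory for the demonstration; not data from the guide.
SAMPLE_DIRECTORY = [
    ("cn=admin,ou=security,dc=example,dc=com", {"cn": "admin"}),
    ("cn=Fred,ou=security,dc=example,dc=com", {"cn": "Fred"}),
    ("cn=Frank,ou=security,dc=example,dc=com", {"cn": "Frank"}),
    ("cn=Fiona,ou=sales,dc=example,dc=com", {"cn": "Fiona"}),
    ("cn=svc$,ou=security,dc=example,dc=com", {"cn": "svc$"}),
]

def dn_components(dn):
    """Split a DN into lower-cased 'type=value' parts, tolerating the spaces after
    commas that the guide's examples use; an escaped comma stays inside its value."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def under_base_dn(dn, base_dn):
    """True when dn sits at or below base_dn, i.e. base_dn is a suffix of dn."""
    d, b = dn_components(dn), dn_components(base_dn)
    return len(d) >= len(b) and d[-len(b):] == b

def parse_base_filter(base_filter):
    """Accept the simple '(attribute=value)' form only; the parentheses are required."""
    m = re.fullmatch(r"\((\w+)=([^()]+)\)", base_filter.strip())
    if not m:
        raise ValueError(f"base filter must be enclosed in parentheses: {base_filter!r}")
    return m.group(1).lower(), m.group(2)

def filter_value_matches(value, pattern):
    """LDAP substring match: '*' is the only wildcard; cn compares case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def search(directory, base_dn, base_filter):
    """Emulate what the appliance retrieves: objects under the base DN whose
    attribute carries the value set in the base filter."""
    attr, pattern = parse_base_filter(base_filter)
    return [dn for dn, attrs in directory
            if under_base_dn(dn, base_dn)
            and filter_value_matches(attrs.get(attr, ""), pattern)]

def valid_user_name(name):
    """Only alphanumerics, underscore, period and hyphen are allowed in user names."""
    return re.fullmatch(r"[A-Za-z0-9_.-]+", name) is not None

def valid_ad_server_user_name(name):
    """Server user names for Microsoft Active Directory cannot end with '$'."""
    return bool(name) and not name.endswith("$")
```

Calling search(SAMPLE_DIRECTORY, "ou=security, dc=example,dc=com", "(cn=F*)") returns only Fred and Frank: Fiona sits outside the base DN, and a filter typed without parentheses is rejected before any search runs.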