Cisco Email Security Appliance X1050 User Guide
Cisco IronPort AsyncOS 7.6 for Email Advanced Configuration Guide, OL-25137-01, page 3-41
Chapter 3  LDAP Queries
Note: Use the Test Query button on the LDAP page (or the ldaptest command) to verify that your queries return the expected results. For more information, see
User Accounts Query
To authenticate external users, AsyncOS uses a query to search for the user record in the LDAP directory and the attribute that contains the user's full name. Depending on the server type you select, AsyncOS enters a default query and a default attribute. You can choose to have your appliance deny users with expired accounts if you have attributes defined in RFC 2307 in your LDAP user records (shadowLastChange, shadowMax, and shadowExpire). The base DN is required for the domain level where user records reside.
Table 3-7 shows the default query string and full-name attribute for a user account on an Active Directory server. Table 3-8 shows the default query string and full-name attribute for a user account on an OpenLDAP server.
Group Membership Queries
AsyncOS also uses a query to determine if a user is a member of a directory group. Membership in a directory group determines the user's permissions within the system. When you enable external authentication on the System Administration > Users page in the GUI (or userconfig in the CLI), you assign user roles to the groups in your LDAP directory. User roles determine the permissions that users have in the system, and for externally authenticated users, the roles are assigned to directory groups instead of individual users. For example, you can assign users in the IT directory group the Administrator role and users in the Support directory group the Help Desk User role.
Table 3-7   Default User Account Query String and Attribute: Active Directory

Server Type                                  Active Directory
Base DN                                      [blank] (You need to use a specific base DN to find the user records.)
Query String                                 (&(objectClass=user)(sAMAccountName={u}))
Attribute containing the user's full name    displayName
Table 3-8   Default User Account Query String and Attribute: OpenLDAP

Server Type                                  OpenLDAP
Base DN                                      [blank] (You need to use a specific base DN to find the user records.)
Query String                                 (&(objectClass=posixAccount)(uid={u}))
Attribute containing the user's full name    gecos
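The two lookups described in this section, the user-account query with its {u} placeholder and RFC 2307 expiry attributes, followed by the mapping of directory groups to user roles, worked through as an added example. This is illustrative Python written for this page, not AsyncOS code. The query strings and full-name attributes are the defaults from Tables 3-7 and 3-8; everything else is an assumption made here: the RFC 4515 escaping of the login name before it replaces {u}, the exact comparisons against shadowLastChange, shadowMax and shadowExpire (the guide does not state which ones the appliance applies), the group DNs, the memberOf attribute, and the in-memory dictionary that stands in for the LDAP server. The escaping is the detail a practitioner should check with the Test Query button: a login name such as jdoe)(uid=* must not be able to rewrite the filter, so the example escapes whatever is substituted for {u} and the injection attempt simply finds no record.

```python
from datetime import date

# Default user-account query strings and full-name attributes from Tables 3-7
# and 3-8 of the guide. {u} is replaced with the login name at query time.
USER_QUERY = {
    "Active Directory": "(&(objectClass=user)(sAMAccountName={u}))",
    "OpenLDAP": "(&(objectClass=posixAccount)(uid={u}))",
}
FULL_NAME_ATTR = {"Active Directory": "displayName", "OpenLDAP": "gecos"}

# Example mapping of directory groups to appliance roles, following the
# IT -> Administrator and Support -> Help Desk User example in the text.
# The group DNs are constructed for this example.
GROUP_ROLES = {
    "cn=IT,ou=Groups,dc=example,dc=com": "Administrator",
    "cn=Support,ou=Groups,dc=example,dc=com": "Help Desk User",
}

# RFC 4515 escapes for a value placed inside a search filter. This is an
# assumption of the example: the guide shows only the {u} placeholder and does
# not describe how the appliance quotes the substituted value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a login name so it cannot alter the structure of the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_query(server_type, username):
    """Substitute the escaped login name for {u} in the default query."""
    return USER_QUERY[server_type].replace("{u}", escape_filter_value(username))


def account_expired(record, today=None):
    """Deny users with expired accounts using the RFC 2307 shadow attributes.

    shadowLastChange, shadowMax and shadowExpire count days since 1970-01-01.
    A negative shadowExpire or shadowMax means "not set". The comparisons
    follow the shadow(5) convention; the guide does not state which ones
    AsyncOS uses, so treat them as an assumption of this example.
    """
    if today is None:
        today = (date.today() - date(1970, 1, 1)).days
    expire = int(record.get("shadowExpire", -1))
    if expire >= 0 and today >= expire:
        return True  # the account itself has expired
    if "shadowLastChange" in record and "shadowMax" in record:
        last, max_age = int(record["shadowLastChange"]), int(record["shadowMax"])
        if max_age >= 0 and today > last + max_age:
            return True  # password is older than its maximum lifetime
    return False


def roles_for_user(member_of):
    """Roles are assigned to directory groups, not to individual users."""
    return sorted({GROUP_ROLES[g] for g in member_of if g in GROUP_ROLES})


def authorize(server_type, username, directory, today=None):
    """Run the two queries in order: find the user record, then its groups.

    'directory' stands in for the LDAP server: it maps the exact filter that
    would be sent to the entry it would return. Returns (status, full name, roles).
    """
    record = directory.get(build_user_query(server_type, username))
    if record is None:
        return ("no such user", None, [])
    full_name = record.get(FULL_NAME_ATTR[server_type])
    if account_expired(record, today):
        return ("expired", full_name, [])
    roles = roles_for_user(record.get("memberOf", []))
    if not roles:
        return ("no role", full_name, [])
    return ("ok", full_name, roles)


# Constructed sample entries, keyed by the filter that matches each of them.
SAMPLE_DIRECTORY = {
    "(&(objectClass=posixAccount)(uid=jdoe))": {
        "gecos": "Jane Doe", "shadowLastChange": "19050", "shadowMax": "90",
        "shadowExpire": "-1",
        "memberOf": ["cn=IT,ou=Groups,dc=example,dc=com"],
    },
    "(&(objectClass=posixAccount)(uid=olduser))": {
        "gecos": "Old User", "shadowLastChange": "18000", "shadowMax": "90",
        "memberOf": ["cn=Support,ou=Groups,dc=example,dc=com"],
    },
    "(&(objectClass=user)(sAMAccountName=bsmith))": {
        "displayName": "Bob Smith",
        "memberOf": ["cn=Support,ou=Groups,dc=example,dc=com"],
    },
}

if __name__ == "__main__":
    day = 19100  # fixed "today" in days since the epoch so the run is reproducible
    for server, user in [("OpenLDAP", "jdoe"), ("OpenLDAP", "olduser"),
                         ("Active Directory", "bsmith"), ("OpenLDAP", "jdoe)(uid=*")]:
        print(server, repr(user), build_user_query(server, user),
              authorize(server, user, SAMPLE_DIRECTORY, today=day))
```

Running the block with the fixed day shows jdoe admitted as Administrator, olduser denied because shadowLastChange plus shadowMax is in the past, bsmith admitted as Help Desk User with no shadow attributes to check, and the injection attempt turned into a literal value that matches nothing.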