Cisco Cisco Email Security Appliance C160 Mode D'Emploi
22-40
Cisco AsyncOS 8.0.2 for Email User Guide
Chapter 22 LDAP Queries
Configuring External LDAP Authentication for Users
User Accounts Query
To authenticate external users, AsyncOS uses a query to search for the user record in the LDAP directory
and the attribute that contains the user’s full name. Depending on the server type you select, AsyncOS
enters a default query and a default attribute. You can choose to have your appliance deny users with
expired accounts if you have attributes defined in RFC 2307 in your LDAP user records
(
and the attribute that contains the user’s full name. Depending on the server type you select, AsyncOS
enters a default query and a default attribute. You can choose to have your appliance deny users with
expired accounts if you have attributes defined in RFC 2307 in your LDAP user records
(
shadowLastChange
,
shadowMax
, and
shadowExpire
). The base DN is required for the domain level
where user records reside.
searches for a user account on an Active Directory server.
searches for a user account on an OpenLDAP server.
Group Membership Queries
AsyncOS also uses a query to determine if a user is a member of a directory group. Membership in a
directory group membership determines the user’s permissions within the system. When you enable
external authentication on the System Administration > Users page in the GUI (or
directory group membership determines the user’s permissions within the system. When you enable
external authentication on the System Administration > Users page in the GUI (or
userconfig
in the
CLI), you assign user roles to the groups in your LDAP directory. User roles determine the permissions
that users have in the system, and for externally authenticated users, the roles are assigned to directory
groups instead of individual users. For example, you can assign users in the IT directory group the
Administrator role and users in the Support directory group to the Help Desk User role.
that users have in the system, and for externally authenticated users, the roles are assigned to directory
groups instead of individual users. For example, you can assign users in the IT directory group the
Administrator role and users in the Support directory group to the Help Desk User role.
If a user belongs to multiple LDAP groups with different user roles, AsyncOS grants the user the
permissions for the most restrictive role. For example, if a user belongs to a group with Operator
permissions and a group with Help Desk User permissions, AsyncOS grants the user the permissions for
the Help Desk User role.
permissions for the most restrictive role. For example, if a user belongs to a group with Operator
permissions and a group with Help Desk User permissions, AsyncOS grants the user the permissions for
the Help Desk User role.
Table 22-7
Default User Account Query String and Attribute: Active Directory
Server Type
Active Directory
Base DN
[blank] (You need to use a specific base DN to find the user
records.)
records.)
Query String
(&(objectClass=user)(sAMAccountName={u}))
Attribute containing the user’s full
name
name
displayName
Table 22-8
Default User Account Query String and Attribute: OpenLDAP
Server Type
OpenLDAP
Base DN
[blank] (You need to use a specific base DN to find the user
records.)
records.)
Query String
(&(objectClass=posixAccount)(uid={u}))
Attribute containing the user’s full
name
name
gecos