Cisco Email Security Appliance C170 User Guide
26-42
User Guide for AsyncOS 9.8 for Cisco Email Security Appliances
Chapter 26 LDAP Queries
Configuring External LDAP Authentication for Users
Table 26-7 shows the default query string and full username attribute that AsyncOS uses when it searches for a user account on an Active Directory server.
Table 26-8 shows the default query string and full username attribute that AsyncOS uses when it searches for a user account on an OpenLDAP server.
Group Membership Queries
AsyncOS also uses a query to determine if a user is a member of a directory group. Membership in a directory group determines the user’s permissions within the system. When you enable external authentication on the System Administration > Users page in the GUI (or userconfig in the CLI), you assign user roles to the groups in your LDAP directory. User roles determine the permissions
that users have in the system, and for externally authenticated users, the roles are assigned to directory
groups instead of individual users. For example, you can assign users in the IT directory group the
Administrator role and users in the Support directory group the Help Desk User role.
If a user belongs to multiple LDAP groups with different user roles, AsyncOS grants the user the
permissions for the most restrictive role. For example, if a user belongs to a group with Operator
permissions and a group with Help Desk User permissions, AsyncOS grants the user the permissions for
the Help Desk User role.
When you configure the LDAP profile to query for group membership, enter the base DN for the directory level where group records can be found, the attribute that holds the group member’s username, and the attribute that contains the group name. Based on the server type that you select for your LDAP server profile, AsyncOS enters default values for the username and group name attributes, as well as default query strings.
Note: For Active Directory servers, the default query string to determine if a user is a member of a group is (&(objectClass=group)(member={u})). However, if your LDAP schema uses distinguished names in the “memberof” list instead of usernames, you can use {dn} instead of {u}.
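The group membership query and the Note above both rely on AsyncOS substituting a value for the {u} or {dn} placeholder before the filter is sent to the directory, and on the most-restrictive-role rule when a user maps to several groups. The following is an added illustration, not AsyncOS code or a Cisco-published algorithm. It fills the placeholders with RFC 4515 filter escaping (so a username containing parentheses or asterisks cannot alter the filter, which is the defensive property any such substitution should have), and it resolves the effective role the way the text describes. The escaping helper, the role ranking (the page only states that Help Desk User is more restrictive than Operator; placing Administrator above both is an assumption), and the sample group names are constructed for the example.

```python
import re
from typing import Dict, Iterable, Optional

# Added example: the query strings below are the AsyncOS defaults quoted on this page.
# OpenLDAP has no default group query listed here, so none is included for it.
DEFAULT_QUERIES = {
    "Active Directory": {
        "user": "(&(objectClass=user)(sAMAccountName={u}))",
        "group": "(&(objectClass=group)(member={u}))",
        "full_name_attr": "displayName",
    },
    "OpenLDAP": {
        "user": "(&(objectClass=posixAccount)(uid={u}))",
        "full_name_attr": "gecos",
    },
}

# RFC 4515 escaping for values embedded in an LDAP search filter. Without this,
# a username such as "*)(objectClass=*" would rewrite the filter's meaning.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value so it is treated as data, not filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_query(template: str, username: str, user_dn: Optional[str] = None) -> str:
    """Replace {u} (and {dn}, when a DN is supplied) with escaped values.

    Raises KeyError if the template needs {dn} but no DN was given, so a
    misconfigured profile fails loudly instead of sending a literal "{dn}".
    """
    values = {"u": escape_filter_value(username)}
    if user_dn is not None:
        values["dn"] = escape_filter_value(user_dn)

    def substitute(match: "re.Match[str]") -> str:
        key = match.group(1)
        if key not in values:
            raise KeyError("no value available for placeholder {%s}" % key)
        return values[key]

    return re.sub(r"\{(u|dn)\}", substitute, template)


# Rank roles from least to most restrictive. The page states Help Desk User is
# more restrictive than Operator; ranking Administrator least restrictive is an
# assumption made for this illustration.
ROLE_RANK = {"Administrator": 0, "Operator": 1, "Help Desk User": 2}


def effective_role(user_groups: Iterable[str], group_roles: Dict[str, str]) -> Optional[str]:
    """Return the most restrictive role among the groups the user belongs to.

    Groups with no role mapping are ignored; None means no mapped group matched
    (the user gets no role from external authentication).
    """
    roles = [group_roles[g] for g in user_groups if g in group_roles]
    if not roles:
        return None
    return max(roles, key=lambda role: ROLE_RANK[role])


if __name__ == "__main__":
    # Constructed sample data: group-to-role mapping as set on the Users page.
    mapping = {"IT": "Administrator", "Support": "Help Desk User", "Ops": "Operator"}
    print(render_query(DEFAULT_QUERIES["Active Directory"]["group"], "jdoe"))
    print(render_query("(&(objectClass=group)(member={dn}))", "jdoe",
                       "CN=jdoe,OU=Users,DC=example,DC=com"))
    print(effective_role(["IT", "Support"], mapping))
```

Running the script prints the rendered Active Directory group query for a user named jdoe, the same query rendered with a DN for schemas that list members by distinguished name, and "Help Desk User" for a user in both the IT and Support groups, matching the most-restrictive-role behaviour described above.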
Table 26-7 Default User Account Query String and Attribute: Active Directory
Server Type: Active Directory
Base DN: [blank] (You need to use a specific base DN to find the user records.)
Query String: (&(objectClass=user)(sAMAccountName={u}))
Attribute containing the user’s full name: displayName
Table 26-8 Default User Account Query String and Attribute: OpenLDAP
Server Type: OpenLDAP
Base DN: [blank] (You need to use a specific base DN to find the user records.)
Query String: (&(objectClass=posixAccount)(uid={u}))
Attribute containing the user’s full name: gecos