Cisco Email Security Appliance C170 User Guide

Cisco IronPort AsyncOS 7.6 for Email Daily Management Guide
OL-25138-01
Chapter 8      Common Administrative Tasks
Working with User Accounts
Figure 8-16 Enabling External Authentication
Enabling LDAP Authentication
In addition to using an LDAP directory to authenticate users, you can assign LDAP groups to Cisco 
IronPort user roles. For example, you can assign users in the IT group to the Administrator user role, and 
you can assign users in the Support group to the Help Desk User role. If a user belongs to multiple LDAP 
groups with different user roles, AsyncOS grants the user the permissions for the most restrictive role. 
For example, if a user belongs to a group with Operator permissions and a group with Help Desk User 
permissions, AsyncOS grants the user the permissions for the Help Desk User role.
Note
If an external user changes the user role for their LDAP group, the user should log out of the appliance 
and then log back in. The user will have the permissions of their new role.
Before enabling external authentication using LDAP, define an LDAP server profile and an external 
authentication query for the LDAP server. For more information, see the “LDAP Queries” chapter in the 
Cisco IronPort AsyncOS for Email Advanced Configuration Guide.
To enable external authentication using LDAP:
Step 1  On the System Administration > Users page, click Enable. The Edit External Authentication page is displayed.
Step 2  Select the Enable External Authentication check box.
Step 3  Select LDAP for the authentication type.
Figure 8-17 Enabling External Authentication Using LDAP
Step 4  Enter the amount of time to store external authentication credentials in the web user interface.
Step 5  Select the LDAP external authentication query that authenticates users.
Step 6  Enter the number of seconds that the appliance waits for a response from the server before timing out.
Step 7  Enter the name of a group from the LDAP directory that you want the appliance to authenticate, and select the role for the users in the group.
Step 8  Optionally, click Add Row to add another directory group. Repeat steps  and  for each directory group that the appliance authenticates.
Step 9  Submit and commit your changes.
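
The group-to-role rows entered in step 7 interact with the most-restrictive-role rule described above, so it is worth checking which role each user will actually receive before committing. The script below is an added example, not Cisco code: the NOC and Finance groups, the sample users, the ranking of Administrator as least restrictive, and exact-match group name comparison are assumptions. The guide does not say what happens to a user with no mapped group, so the script only reports that case.

```python
# Added example, not Cisco code. Role names are from the guide; the rank of
# Administrator and the exact-match group comparison are assumptions.
RANK = {"Administrator": 0, "Operator": 1, "Help Desk User": 2}  # higher = more restrictive

def effective_role(user_groups, group_roles):
    """Return (role, matched) where matched maps each mapped group to its role.

    role is the most restrictive role among the user's mapped groups, or
    None when none of the user's groups appears in the mapping.
    """
    matched = {g: group_roles[g] for g in user_groups if g in group_roles}
    if not matched:
        return None, matched
    return max(matched.values(), key=RANK.__getitem__), matched

def audit(memberships, group_roles):
    """Return one (user, role, note) tuple per user, sorted by user name."""
    report = []
    for user in sorted(memberships):
        role, matched = effective_role(memberships[user], group_roles)
        roles = set(matched.values())
        if role is None:
            note = "no mapped group"
        elif len(roles) > 1:
            others = sorted(roles - {role}, key=RANK.__getitem__)
            note = "multiple roles mapped; " + ", ".join(others) + " not granted"
        else:
            note = "single role"
        report.append((user, role, note))
    return report

# Constructed sample data: group-to-role rows as entered in step 7, and
# directory memberships as an export from the LDAP server might list them.
GROUP_ROLES = {"IT": "Administrator", "NOC": "Operator", "Support": "Help Desk User"}
MEMBERSHIPS = {
    "alice": ["IT"],
    "bob": ["NOC", "Support"],
    "carol": ["IT", "Support", "Finance"],
    "dave": ["Finance"],
}

if __name__ == "__main__":
    for user, role, note in audit(MEMBERSHIPS, GROUP_ROLES):
        print(f"{user:6} {role or '-':15} {note}")
```

A user flagged with "multiple roles mapped" is one whose access will be lower than one of their groups suggests, which is the case the guide's Operator and Help Desk User example describes.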