Cisco Email Security Appliance C170 User Guide

4-241
Cisco IronPort AsyncOS 7.3 for Email Advanced Configuration Guide
OL-23081-01
Chapter 4 LDAP Queries
Group Membership Queries
AsyncOS also uses a query to determine if a user is a member of a directory group. Membership in a directory group determines the user’s permissions within the system. When you enable external authentication on the System Administration > Users page in the GUI (or userconfig in the CLI), you assign user roles to the groups in your LDAP directory. User roles determine the permissions that users have in the system, and for externally authenticated users, the roles are assigned to directory groups instead of individual users. For example, you can assign the Administrator role to users in the IT directory group and the Help Desk User role to users in the Support directory group.
If a user belongs to multiple LDAP groups with different user roles, AsyncOS grants the user the permissions for the most restrictive role. For example, if a user belongs to a group with Operator permissions and a group with Help Desk User permissions, AsyncOS grants the user the permissions for the Help Desk User role.
When you configure the LDAP profile to query for group membership, enter the base DN for the directory level where group records can be found, the attribute that holds the group member’s username, and the attribute that contains the group name. Based on the server type that you select for your LDAP server profile, AsyncOS enters default values for the username and group name attributes, as well as default query strings.
Note
For Active Directory servers, the default query string to determine if a user is a member of a group is (&(objectClass=group)(member={u})). However, if your LDAP schema uses distinguished names in the “memberof” list instead of usernames, you can use {dn} instead of {u}.
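The two behaviours described above, as an added example that is not part of the Cisco guide: substituting {u} or {dn} into the default Active Directory group query (with RFC 4515 filter escaping so that a login name cannot change the shape of the filter), and resolving a user's effective role as the most restrictive of the roles mapped to the groups they belong to. The role ordering beyond the Operator/Help Desk User pair named on this page is an assumption of the example.

```python
from typing import Dict, Iterable, Optional

# Roles named on this page, ordered from least to most restrictive.
# Only the Operator < Help Desk User relation is stated by the guide; placing
# Administrator as least restrictive is an assumption of this example.
ROLE_RESTRICTIVENESS = {"Administrator": 0, "Operator": 1, "Help Desk User": 2}

# Default Active Directory group membership query from the guide.
DEFAULT_AD_GROUP_QUERY = "(&(objectClass=group)(member={u}))"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    The characters * ( ) \\ and NUL become \\xx hex escapes, so a username
    such as "jdoe)(cn=*" stays a literal value instead of new filter terms.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_group_query(template: str, username: str, user_dn: Optional[str] = None) -> str:
    """Substitute {u} (username) and {dn} (the user's DN) into a query template.

    Both substitutions are escaped; the DN is used when the schema stores
    distinguished names in the member attribute, as the guide's Note describes.
    """
    query = template.replace("{u}", escape_filter_value(username))
    if user_dn is not None:
        query = query.replace("{dn}", escape_filter_value(user_dn))
    return query


def effective_role(member_of: Iterable[str], group_roles: Dict[str, str]) -> Optional[str]:
    """Return the most restrictive role among the user's mapped groups.

    group_roles maps directory group name -> AsyncOS user role. Groups with
    no mapping grant nothing and are ignored; None means no access at all.
    """
    roles = [group_roles[g] for g in member_of if g in group_roles]
    if not roles:
        return None
    return max(roles, key=lambda r: ROLE_RESTRICTIVENESS[r])
```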
Table 4-8    Default User Account Query String and Attribute: OpenLDAP (continued)

Query String                                  (&(objectClass=posixAccount)(uid={u}))
Attribute containing the user’s full name     gecos