Cisco Email Security Appliance C650 User Guide
3-42
Cisco IronPort AsyncOS 7.6 for Email Advanced Configuration Guide
OL-25137-01
Chapter 3 LDAP Queries
If a user belongs to multiple LDAP groups with different user roles, AsyncOS grants the user the
permissions for the most restrictive role. For example, if a user belongs to a group with Operator
permissions and a group with Help Desk User permissions, AsyncOS grants the user the permissions for
the Help Desk User role.
When you configure the LDAP profile to query for group membership, enter the base DN for the
directory level where group records can be found, the attribute that holds the group member's username,
and the attribute that contains the group name. Based on the server type that you select for your LDAP
server profile, AsyncOS enters default values for the username and group name attributes, as well as default
query strings.
Note
For Active Directory servers, the default query string to determine if a user is a member of a group is
(&(objectClass=group)(member={u})). However, if your LDAP schema uses distinguished names in
the "memberOf" list instead of usernames, you can use {dn} instead of {u}.
Table 3-9 shows the default query strings and attributes that AsyncOS uses when it searches for group
membership information on an Active Directory server. Table 3-10 shows the defaults that AsyncOS uses
for group membership information on an OpenLDAP server.
Table 3-9
Default Group Membership Query Strings and Attributes: Active Directory

Server Type: Active Directory
Base DN: [blank] (You need to use a specific base DN to find the group records.)
Query string to determine if a user is a member of a group: (&(objectClass=group)(member={u}))
    Note: If your LDAP schema uses distinguished names in the memberOf list instead of usernames,
    you can replace {u} with {dn}.
Attribute that holds each member's username (or a DN for the user's record): member
Attribute that contains the group name: cn
Table 3-10
Default Group Membership Query Strings and Attributes: OpenLDAP

Server Type: OpenLDAP
Base DN: [blank] (You need to use a specific base DN to find the group records.)
Query string to determine if a user is a member of a group: (&(objectClass=posixGroup)(memberUid={u}))
Attribute that holds each member's username (or a DN for the user's record): memberUid
Attribute that contains the group name: cn
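The following is an added example, not code from the guide or from AsyncOS, that works through the two
tables above and the most-restrictive-role rule from the start of this section. It substitutes {u} or {dn}
into the default Active Directory and OpenLDAP query strings, runs the resulting filter against a small
constructed in-memory directory under a base DN, and resolves the effective role for a user who lands in
several groups. The sample entries, the group-to-role mapping, and the role ranking are assumptions made
for the example; only the role names and query strings come from the guide. The example also escapes the
substituted value per RFC 4515 before it goes into the filter: the guide does not say whether AsyncOS does
this, so treat it as the check a practitioner would want when the username arrives from an untrusted source.

```python
import re

# Constructed sample directory (an in-memory stand-in for an LDAP server),
# keyed by entry DN. Not data from any real deployment.
SAMPLE_DIRECTORY = {
    "cn=ops-team,ou=groups,dc=example,dc=com": {
        "objectClass": ["top", "group"], "cn": ["ops-team"],
        "member": ["cn=alice,ou=users,dc=example,dc=com",
                   "cn=bob,ou=users,dc=example,dc=com"]},
    "cn=helpdesk,ou=groups,dc=example,dc=com": {
        "objectClass": ["top", "group"], "cn": ["helpdesk"],
        "member": ["cn=alice,ou=users,dc=example,dc=com"]},
    "cn=unix-admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["top", "posixGroup"], "cn": ["unix-admins"],
        "memberUid": ["carol"]},
}

# Group-to-role mapping and a least-to-most-privileged ranking. Both are
# assumptions made for this example; only the role names come from the guide.
GROUP_ROLE_MAP = {"helpdesk": "Help Desk User", "ops-team": "Operator",
                  "unix-admins": "Administrator"}
ROLE_RANK = {"Help Desk User": 0, "Operator": 1, "Administrator": 2}


def ldap_escape(value):
    """Escape the RFC 4515 filter metacharacters so a username such as
    '*)(cn=*' becomes literal text instead of extra filter clauses."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def ldap_unescape(value):
    """Reverse ldap_escape (\\XX hex escapes back to characters)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def render_query(template, username="", dn=""):
    """Substitute {u} and {dn} in a query string template, escaping both values."""
    values = {"u": ldap_escape(username), "dn": ldap_escape(dn)}
    return re.sub(r"\{(u|dn)\}", lambda m: values[m.group(1)], template)


def parse_and_filter(filter_str):
    """Parse '(&(attr=value)(attr=value)...)' into [(attr, value), ...].
    Only the AND-of-equalities shape used by the default query strings is handled."""
    if not (filter_str.startswith("(&") and filter_str.endswith(")")):
        raise ValueError("expected an (&(...)(...)) filter")
    clauses = re.findall(r"\(([^=()]+)=([^()]*)\)", filter_str[2:-1])
    if not clauses:
        raise ValueError("no equality clauses found")
    return [(attr.lower(), ldap_unescape(value)) for attr, value in clauses]


def entry_matches(entry, clauses):
    """True when every clause value appears in the entry's attribute (case-insensitive)."""
    attrs = {k.lower(): [v.casefold() for v in vals] for k, vals in entry.items()}
    return all(value.casefold() in attrs.get(attr, []) for attr, value in clauses)


def find_groups(directory, base_dn, template, group_name_attr, username="", dn=""):
    """Run the group membership query under base_dn and return matching group names."""
    clauses = parse_and_filter(render_query(template, username, dn))
    suffix = "," + base_dn.casefold()
    names = []
    for entry_dn, entry in directory.items():
        if entry_dn.casefold().endswith(suffix) and entry_matches(entry, clauses):
            names.extend(entry.get(group_name_attr, []))
    return sorted(names)


def effective_role(group_names):
    """Pick the most restrictive role among the groups the user belongs to."""
    roles = [GROUP_ROLE_MAP[g] for g in group_names if g in GROUP_ROLE_MAP]
    return min(roles, key=ROLE_RANK.__getitem__) if roles else None


if __name__ == "__main__":
    base = "ou=groups,dc=example,dc=com"
    ad_dn_query = "(&(objectClass=group)(member={dn}))"
    groups = find_groups(SAMPLE_DIRECTORY, base, ad_dn_query, "cn",
                         dn="cn=alice,ou=users,dc=example,dc=com")
    print(groups, effective_role(groups))
```

Running it against the sample directory shows why the note about {dn} matters: the Active Directory
default with {u} never matches alice, because the member attribute holds DNs, not usernames, while the
{dn} form returns both of her groups and the most restrictive of them (Help Desk User) wins. The OpenLDAP
default with {u} matches carol through memberUid. An injected username such as "*)(cn=*" is escaped into a
single literal value, so it adds no clauses and matches nothing.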