Руководство Пользователя для Cisco Cisco Content Security Management Appliance M160
Chapter 9 LDAP Queries
9-22
Cisco IronPort AsyncOS 7.2.0 for Security Management User Guide
OL-21768-01
Group Membership Queries
AsyncOS also uses a query to determine if a user is a member of a directory group
and a separate query to find all members of a group. Membership in a directory
group membership determines the user’s permissions within the system. When
you enable external authentication on the Management Appliance > System
Administration > Users page in the GUI (or
and a separate query to find all members of a group. Membership in a directory
group membership determines the user’s permissions within the system. When
you enable external authentication on the Management Appliance > System
Administration > Users page in the GUI (or
userconfig
in the CLI), you assign
user roles to the groups in your LDAP directory. User roles determine the
permissions that users have in the system, and for externally authenticated users,
the roles are assigned to directory groups instead of individual users. For example,
you can assign users in the IT directory group the Administrator role and users in
the Support directory group to the Help Desk User role.
permissions that users have in the system, and for externally authenticated users,
the roles are assigned to directory groups instead of individual users. For example,
you can assign users in the IT directory group the Administrator role and users in
the Support directory group to the Help Desk User role.
If a user belongs to multiple LDAP groups with different user roles, AsyncOS
grants the user the permissions for the most restrictive role. For example, if a user
belongs to a group with Operator permissions and a group with Help Desk User
permissions, AsyncOS grants the user the permissions for the Help Desk User
role.
grants the user the permissions for the most restrictive role. For example, if a user
belongs to a group with Operator permissions and a group with Help Desk User
permissions, AsyncOS grants the user the permissions for the Help Desk User
role.
When you configure the LDAP profile to query for group membership, enter the
base DN for the directory level where group records can be found, the attribute
that holds the group member’s username, and the attribute that contains the group
name. Based on the server type that you select for your LDAP server profile,
AsyncOS enters default values for the username and group name attributes, as
well default query strings.
base DN for the directory level where group records can be found, the attribute
that holds the group member’s username, and the attribute that contains the group
name. Based on the server type that you select for your LDAP server profile,
AsyncOS enters default values for the username and group name attributes, as
well default query strings.
Note
For Active Directory servers, the default query string to determine if a user is a
member of a group is (&(objectClass=group)(member={u})). However, if your
LDAP schema uses distinguished names in the “memberof” list instead of
usernames, you can use {dn} instead of {u}.
member of a group is (&(objectClass=group)(member={u})). However, if your
LDAP schema uses distinguished names in the “memberof” list instead of
usernames, you can use {dn} instead of {u}.
shows the default query strings and attributes that AsyncOS uses when
it searches for group membership information on an Active Directory server.
Query String
(&(objectClass=posixAccount)(u
id={u}))
Attribute containing the user’s full name
gecos