Cisco Cisco Expressway 维护手册
Field
Description
Usage tips
Encryption
Determines whether the connection to the LDAP
server is encrypted using Transport Layer Security
(TLS).
server is encrypted using Transport Layer Security
(TLS).
TLS: uses TLS encryption for the connection to the
LDAP server.
LDAP server.
Off: no encryption is used.
The default is TLS.
When TLS is enabled, the LDAP
server’s certificate must be signed by an
authority within the Expressway’s trusted
CA certificates file.
server’s certificate must be signed by an
authority within the Expressway’s trusted
CA certificates file.
Click
Upload a CA certificate file for
TLS
(in the
Related tasks
section) to go
Certificate
revocation list
(CRL)
checking
revocation list
(CRL)
checking
Specifies whether certificate revocation lists (CRLs)
are checked when forming a TLS connection with
the LDAP server.
are checked when forming a TLS connection with
the LDAP server.
None: no CRL checking is performed.
Peer: only the CRL associated with the CA that
issued the LDAP server's certificate is checked.
issued the LDAP server's certificate is checked.
All: all CRLs in the trusted certificate chain of the CA
that issued the LDAP server's certificate are
checked.
that issued the LDAP server's certificate are
checked.
The default is None.
If you are using revocation lists, any
required CRL data must also be included
within the CA certificate file.
required CRL data must also be included
within the CA certificate file.
Authentication configuration
: this section specifies the Expressway's authentication credentials to use when
binding to the LDAP server.
Bind DN
The distinguished name (case insensitive) used by
the Expressway when binding to the LDAP server.
the Expressway when binding to the LDAP server.
It is important to specify the DN in the order cn=, then
ou=, then dc=
ou=, then dc=
Any special characters within a name
must be escaped with a backslash as
per the LDAP standard (RFC 4514). Do
not escape the separator character
between names.
must be escaped with a backslash as
per the LDAP standard (RFC 4514). Do
not escape the separator character
between names.
The bind account is usually a read-only
account with no special privileges.
account with no special privileges.
Bind
password
password
The password (case sensitive) used by the
Expressway when binding to the LDAP server.
Expressway when binding to the LDAP server.
The maximum plaintext length is 60
characters, which is then encrypted.
characters, which is then encrypted.
SASL
The SASL (Simple Authentication and Security
Layer) mechanism to use when binding to the LDAP
server.
Layer) mechanism to use when binding to the LDAP
server.
None: no mechanism is used.
DIGEST-MD5: the DIGEST-MD5 mechanism is used.
The default is DIGEST-MD5.
Enable Simple Authentication and
Security Layer if it is company policy to
do so.
Security Layer if it is company policy to
do so.
Bind
username
username
Username of the account that the Expressway will
use to log in to the LDAP server (case sensitive).
use to log in to the LDAP server (case sensitive).
Only required if SASL is enabled.
Configure this to be the
sAMAccountName; Security Access
Manager Account Name (in AD this is the
account’s user logon name).
sAMAccountName; Security Access
Manager Account Name (in AD this is the
account’s user logon name).
Directory configuration
: this section specifies the base distinguished names to use when searching for account
and group names.
Cisco Expressway Administrator Guide (X8.2)
Page 193 of 378
User accounts
Configuring remote account authentication using LDAP