Binding the Security Appliance to the LDAP Server; Defining the Security Appliance LDAP Schema; Cisco-AV-Pair Attribute Syntax; Example Security Appliance Authorization Schema - Cisco PIX 500 Series Configuration Manual

Appendix E
Configuring an External Server for Authorization and Authentication

Binding the Security Appliance to the LDAP Server

Some LDAP servers (including the Microsoft Active Directory server) require the security appliance to
establish a handshake via authenticated binding before they accept requests for any other LDAP
operations. The security appliance identifies itself for authenticated binding by attaching a Login DN
field to the user authentication request. The Login DN field defines the authentication characteristics of
the security appliance; these characteristics should correspond to those of a user with administrative
privileges. An example Login DN field could be: cn=Administrator, cn=users, ou=people, dc=example,
dc=com.

Defining the Security Appliance LDAP Schema

This section describes how to define the LDAP schema and AV-pair attribute syntax. It includes the
following topics:
  • Cisco-AV-Pair Attribute Syntax
  • Example Security Appliance Authorization Schema
Once you have decided how to structure your user information in the LDAP hierarchy, define this
organization in a schema. To define the schema, begin by defining the object class name. The class name
for the security appliance directory is User-Authorization. The class has the object identifier (OID)
1.2.840.113556.1.8000.795.1.1. Every entry or user in the directory is an object of this class.
Some LDAP servers (for example, the Microsoft Active Directory LDAP server) do not allow you to
reuse the class OID once you have defined it. Use the next incremental OID. For example, if you
incorrectly defined the class name as Usr-Authorization with OID 1.2.840.113556.1.8000.795.1.1, you
can enter the correct class name User-Authorization with the next OID, for example,
1.2.840.113556.1.8000.795.1.2.
For the Microsoft Active Directory LDAP server, define the schema in text form in a file using the LDAP
Data Interchange Format (LDIF). This file has an extension of .ldif, for example: schema.ldif. Other
LDAP servers use graphical user interfaces or script files to define the object class and its attributes. For
more information on LDIF, see RFC-2849.

Note: The appliances enforce the LDAP attributes based on attribute name, not numeric ID. RADIUS
attributes, on the other hand, are enforced by numeric ID, not by name.

Authorization refers to the process of enforcing permissions or attributes. An LDAP server defined as
an authentication or authorization server will enforce permissions or attributes if they are configured.
For a complete list of attributes for the PIX 500 series security appliance and the VPN 3000, see
Table E-2.
All strings are case-sensitive and you must use an attribute name as capitalized in the table even if it
conflicts with how a term is typically written.

Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, Configuring an External LDAP Server, page E-5
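As an added illustration that is not part of the manual, the following Python builds the RFC 2849 LDIF record that would declare the User-Authorization class (OID 1.2.840.113556.1.8000.795.1.1) for an Active Directory schema extension, applying the "next incremental OID" rule and the LDIF line-folding and base64 rules the RFC defines. The AD schema attribute names used (governsID, lDAPDisplayName, objectClassCategory, subClassOf, mayContain) are real AD attributes, but the exact attribute set AD requires for a class definition, and the existence of a separately defined Cisco-AV-Pair attribute, are assumptions of this example.

```python
import base64

CLASS_NAME = "User-Authorization"
CLASS_OID = "1.2.840.113556.1.8000.795.1.1"  # class OID given in the manual

def next_oid(oid):
    """Next incremental OID under the same arc: AD refuses to reuse a class
    OID once defined, so a corrected class definition must take a new one."""
    head, _, last = oid.rpartition(".")
    return f"{head}.{int(last) + 1}"

def ldif_line(attr, value):
    """Attribute line per RFC 2849; values that are not SAFE-STRINGs (non-ASCII,
    leading space/':'/'<', trailing space, newline) use the base64 '::' form."""
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or value.endswith(" ") or "\n" in value or "\r" in value)
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"

def fold(line, width=76):
    """Fold a logical line into physical lines of at most `width` characters;
    continuation lines start with one space (RFC 2849 section 2)."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out

def ldif_record(dn, attrs):
    """Serialise one record; attrs is an ordered list of (name, value) pairs."""
    lines = fold(ldif_line("dn", dn))
    for name, value in attrs:
        lines.extend(fold(ldif_line(name, value)))
    return "\n".join(lines) + "\n"

def user_authorization_class(schema_dn, oid=CLASS_OID):
    """Assumed AD classSchema record for User-Authorization. The attribute names
    are AD schema attributes, but the exact set AD requires is not in the manual."""
    attrs = [
        ("changetype", "add"),
        ("objectClass", "classSchema"),
        ("cn", CLASS_NAME),
        ("lDAPDisplayName", CLASS_NAME),  # the appliance matches on this exact name
        ("governsID", oid),
        ("subClassOf", "top"),
        ("objectClassCategory", "3"),     # 3 = auxiliary class
        ("mayContain", "Cisco-AV-Pair"),  # assumed to be defined as an attribute
    ]
    return ldif_record(f"CN={CLASS_NAME},{schema_dn}", attrs)
```

Because the appliance enforces attributes by name and names are case-sensitive, the `lDAPDisplayName` value written here must match the capitalization the manual's table uses exactly.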