Configuring The User Profile Attribute Type For An Ldap Server Group - Cisco 4700M Configuration Manual

Chapter 2
Configuring Authentication and Accounting Services

Configuring the User Profile Attribute Type for an LDAP Server Group

An LDAP server retrieves a user's profile as part of the search request. During a
search request, the LDAP client requests the user profile attribute from the LDAP
server by including this attribute type (the configured string) in the search request.
The search request must match the attribute type used by the LDAP server to
properly identify the user profile attribute, as defined in the private schema on
the LDAP server. The LDAP server uses the search filter to locate the user profile
entry in its database. When the LDAP server finds the entry, it replies with a
search response in which it includes the value of the user profile attribute that was
stored in that entry. This value contains the role and domain pair of the user for
that context.
You define the user profile attribute value in the following format:
shell:<contextname>=<role> <domain1> <domain2>...<domainN>
The user profile attribute serves an important configuration function for an LDAP
server group. If the user profile attribute is not obtained from the server during
authentication, or if the profile is obtained from the server but the context name(s)
in the profile do not match the context in which the user is trying to log in, a
default role (Network-Monitor) and a default domain (default-domain) are
assigned to the user if the authentication is successful.
This attribute type is used for the user profile attribute. Because the attribute
type is private, the LDAP server database must use the same attribute type for the
user profile. The LDAP client (the ACE) sends the search request with this
attribute type as the attribute it wants to download. If the lookup is successful,
the search response contains this attribute value. The attribute value must contain
a string that represents the user role and domain pair for this particular context.
Use the attribute user-profile command to specify the user profile attribute type
that the ACE requests from the LDAP server.
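As an added illustration, not code from the Cisco guide, the following Python parses user profile attribute values in the shell:<contextname>=<role> <domain1> <domain2>...<domainN> format and applies the fallback rule described above: a value whose context name matches the login context supplies the role and domain list, otherwise Network-Monitor and default-domain are assigned. The sample values, the function names, and the handling of a multi-valued attribute (each returned value is checked in turn) are assumptions.

```python
import re

# Defaults the guide states are assigned when no profile is obtained, or no
# context in the profile matches, for a successfully authenticated user.
DEFAULT_ROLE = "Network-Monitor"
DEFAULT_DOMAIN = "default-domain"

# Guide format: shell:<contextname>=<role> <domain1> <domain2>...<domainN>
# At least one domain is required here (assumption based on the format shown).
_PROFILE_RE = re.compile(
    r"^shell:(?P<ctx>[^=\s]+)=(?P<role>\S+)(?P<domains>(?:\s+\S+)+)$"
)


def parse_profile(value):
    """Parse one user profile attribute value.

    Returns (context, role, [domains]), or None when the value does not
    follow the shell:<context>=<role> <domain...> format.
    """
    m = _PROFILE_RE.match(value.strip())
    if m is None:
        return None
    return m.group("ctx"), m.group("role"), m.group("domains").split()


def resolve_authorization(profile_values, login_context):
    """Pick the role/domain pair for the context the user is logging in to.

    profile_values: attribute values returned in the search response (an
    empty list models "attribute not obtained from the server").
    Malformed values are skipped; the first value whose context matches
    the login context wins; otherwise the guide's defaults are assigned.
    """
    for raw in profile_values:
        parsed = parse_profile(raw)
        if parsed is None:
            continue
        ctx, role, domains = parsed
        if ctx == login_context:
            return role, domains
    return DEFAULT_ROLE, [DEFAULT_DOMAIN]


if __name__ == "__main__":
    # Constructed sample attribute values, not taken from a real directory.
    values = ["shell:Admin=Admin default-domain",
              "shell:Ctx1=Network-Admin dom1 dom2"]
    print(resolve_authorization(values, "Ctx1"))  # ('Network-Admin', ['dom1', 'dom2'])
    print(resolve_authorization(values, "Ctx9"))  # ('Network-Monitor', ['default-domain'])
```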
You can configure the LDAP user profile attribute at the subconfiguration level
for the LDAP server group (created as described in the "Configuring AAA Server
Groups" section).
The syntax of this command is as follows:
attribute user-profile text
Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
OL-16202-01 2-43