Defining Private Attributes for Virtualization Support in an LDAP Server - Cisco 4700M Application Control Engine Appliance Security Configuration Manual

Chapter 2
Configuring Authentication and Accounting Services
Configuring the AAA Server

Defining Private Attributes for Virtualization Support in an LDAP Server

The LDAP client on the ACE does not assume any specifics about the database
structure maintained by the LDAP server. Instead, it assumes that the {userid,
contextid} pair uniquely identifies an entry in the database and that this entry
contains the user profile attribute. The LDAP client performs a search based on
these two attributes using the search filter configured on the ACE. The LDAP
server locates the correct user entry and the user profile attribute, which is part of
that entry, and returns this information in the search response.
The LDAP client can also operate in applications where virtualization is not a
requirement. In this case, the username alone uniquely identifies the user entry,
so you configure the search filter to include only the $userid variable (no
$contextid). You define the user profile attribute type that the ACE searches for
from the ACE CLI by entering the attribute user-profile command (see the
"Configuring the User Profile Attribute Type for an LDAP Server Group" section).
You define the user profile attribute value in the following format:

shell:<contextname>=<role> <domain1> <domain2>...<domainN>

Note: The user profile attribute serves an important configuration function for
an LDAP server group. If the user profile attribute is not obtained from the
server during authentication, or if the profile is obtained from the server but
the context name(s) in the profile do not match the context in which the user is
trying to log in, and the authentication itself succeeds, the ACE assigns the
user the default role (Network-Monitor) and the default domain (default-domain).
When virtualization is a requirement, the LDAP server must have the contextid
attributes defined in the schema. The user-profile attribute (the role-domain
information) is required if you need to assign different roles and domains to
different users. See the LDAP client documentation for information about how to
extend the attributetype directive used by the slapd LDAP directory server.
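The search-and-resolve flow this section describes (the {userid, contextid} search filter, the shell:<contextname>=<role> <domain>... profile value, and the Network-Monitor/default-domain fallback from the note), as an added example. This is not code from the Cisco guide or from the ACE software; it models the documented behaviour in Python. The attribute name aceUserProfile, the two filter templates, the directory entries and the assumption that a profile value lists at least one domain are all chosen for illustration. The RFC 4515 escaping of substituted values is a practitioner's caveat added here; the guide does not say how the ACE itself substitutes $userid and $contextid.

```python
"""Model of the ACE LDAP profile lookup described in the guide (added example).

Assumptions (not from the guide): attribute name aceUserProfile, filter
templates, constructed sample entries, and at least one domain per profile.
"""
import re

DEFAULT_ROLE = "Network-Monitor"    # documented fallback role
DEFAULT_DOMAIN = "default-domain"   # documented fallback domain

# Filter templates the ACE administrator might configure (assumed wording).
VIRT_FILTER = "(&(uid=$userid)(contextid=$contextid))"   # virtualization required
FLAT_FILTER = "(uid=$userid)"                             # username alone is unique

# shell:<contextname>=<role> <domain1> ... <domainN>; at least one domain assumed.
_PROFILE_RE = re.compile(r"^shell:([^=\s]+)=(\S+)((?:\s+\S+)+)\s*$")


def escape_filter_value(value):
    """RFC 4515 escaping so a user-supplied value cannot change the filter's shape."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def build_search_filter(template, userid, contextid=None):
    """Substitute $userid and, when the template uses it, $contextid."""
    out = template.replace("$userid", escape_filter_value(userid))
    if "$contextid" in template:
        if contextid is None:
            raise ValueError("filter references $contextid but no context was given")
        out = out.replace("$contextid", escape_filter_value(contextid))
    return out


def parse_profile(value):
    """Parse one profile value into (context, role, [domains]); None if malformed."""
    m = _PROFILE_RE.match(value)
    if m is None:
        return None
    context, role, domains = m.groups()
    return context, role, domains.split()


def resolve_authorization(profile_values, login_context):
    """Documented rule: a profile value naming the login context supplies role and
    domains; no attribute or no matching context means the defaults apply.
    Returns (role, domains, profile_matched)."""
    for value in profile_values or ():
        parsed = parse_profile(value)
        if parsed is not None and parsed[0] == login_context:
            return parsed[1], parsed[2], True
    return DEFAULT_ROLE, [DEFAULT_DOMAIN], False


# Constructed sample directory standing in for the LDAP server's entries.
SAMPLE_ENTRIES = [
    {"uid": "jsmith", "contextid": "ctx-web",
     "aceUserProfile": ["shell:ctx-web=Admin web-domain db-domain"]},
    {"uid": "jsmith", "contextid": "ctx-lb",
     "aceUserProfile": ["shell:ctx-lb=Network-Monitor default-domain"]},
    {"uid": "dba", "contextid": "ctx-web",
     "aceUserProfile": ["shell:ctx-db=Admin db-domain"]},   # context mismatch
    {"uid": "ops", "contextid": "ctx-web", "aceUserProfile": []},  # no profile
]


def search_entries(userid, contextid, virtualized):
    """Stand-in for the LDAP search the filter would perform on the server."""
    return [e for e in SAMPLE_ENTRIES
            if e["uid"] == userid and (not virtualized or e["contextid"] == contextid)]


def authorize(userid, login_context, virtualized=True):
    """Build the filter, search, and resolve role/domains for a login attempt."""
    template = VIRT_FILTER if virtualized else FLAT_FILTER
    ldap_filter = build_search_filter(template, userid, login_context if virtualized else None)
    entries = search_entries(userid, login_context, virtualized)
    if len(entries) != 1:
        # The guide requires the pair to identify exactly one entry; anything else fails.
        return {"filter": ldap_filter, "entry_found": False}
    role, domains, matched = resolve_authorization(entries[0].get("aceUserProfile"), login_context)
    return {"filter": ldap_filter, "entry_found": True, "role": role,
            "domains": domains, "profile_matched": matched}


if __name__ == "__main__":
    for user, ctx in [("jsmith", "ctx-web"), ("jsmith", "ctx-lb"), ("dba", "ctx-web"), ("ops", "ctx-web")]:
        print(user, ctx, authorize(user, ctx))
    print("flat lookup of a user present in two contexts:", authorize("jsmith", "ctx-web", virtualized=False))
```

Running authorize("jsmith", "ctx-web", virtualized=False) returns entry_found False because two entries share that uid: without $contextid in the filter the username must be unique on its own, which is exactly the condition the guide sets for the non-virtualized case.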
Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
2-20
OL-16202-01