Version 7.2 255 Mediant 800B Gateway & E-SBC
User's Manual 15. Services
authorization stage. To determine the access level, the device searches the LDAP
directory for groups of which the user is a member, for example:
CN=\# Support Dept,OU=R&D
Groups,OU=Groups,OU=APC,OU=Japan,OU=ABC,DC=corp,DC=abc,DC=com
CN=\#AllCellular,OU=Groups,OU=APC,OU=Japan,OU=ABC,DC=corp,DC=a
bc,DC=com
The device then assigns the user the access level configured for that group (in
'Configuring Access Level per Management Groups Attributes' on page 264). The
location in the directory where you want to search for the user's member group(s) is
configured using the following:
• Search base object (distinguished name or DN, e.g.,
"ou=ABC,dc=corp,dc=abc,dc=com"), which defines the location in the directory
from where the LDAP search begins and is configured in 'Configuring LDAP DNs
(Base Paths) per LDAP Server' on page 262.
• Search filter, for example, (&(objectClass=person)(sAMAccountName=JohnD)),
which filters the search in the subtree to include only the specific username. The
search filter can be configured with the dollar ($) sign to represent the username,
for example, (sAMAccountName=$). To configure the search filter, see
'Configuring the LDAP Search Filter Attribute' on page 263.
• Management attribute (e.g., memberOf), from where objects that match the
search filter criteria are returned. This shows the user's member groups. The
attribute is configured in the LDAP Servers table (see 'Configuring LDAP Servers'
on page 258).
If the device finds a group, it assigns the user the corresponding access level and
permits login; otherwise, login is denied. Once the LDAP response has been received
(success or failure), the device ends the LDAP session.
For both of the previously discussed LDAP services, the following additional LDAP
functionality is supported:
Search method for searching DN object records between LDAP servers and within
each LDAP server (see Configuring LDAP Search Methods).
Default access level that is assigned to the user if the queried response does not
contain an access level.
Local Users table for authenticating users instead of the LDAP server (for example,
when a communication problem occurs with the server). For more information, see
'Configuring Local Database for Management User Authentication' on page
271.
15.4.1 Enabling the LDAP Service
Before you can configure LDAP support, you need to enable the LDAP service.
To enable LDAP:
1. Open the LDAP Settings page (Setup menu > IP Network tab > RADIUS & LDAP
folder > LDAP Settings).
Figure 15-19: Enabling LDAP
2. From the 'LDAP Service' drop-down list, select Enable.
3. Click Apply, and then reset the device with a save-to-flash for your settings to take
effect.
To Next Page
Loading...
Need help?
General
