E-4
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Appendix E Configuring an External Server for Authorization and Authentication
Configuring an External LDAP Server
Figure E-1 A Multi-Level LDAP Hierarchy
Searching the Hierarchy
The security appliance lets you tailor the search within the LDAP hierarchy. You configure the following
three fields on the security appliance to define where in the LDAP hierarchy your search begins, its
extent, and the type of information it is looking for. Together these fields allow you to limit the search
of the hierarchy to just the part of the tree that contains the user permissions.
• LDAP Base DN defines where in the LDAP hierarchy the server should begin searching for user
information when it receives an authorization request from the security appliance.
• Search Scope defines the extent of the search in the LDAP hierarchy. The search proceeds downward
from the LDAP Base DN: you can have the server search only the level immediately below the Base DN
(One Level), or the entire subtree beneath it (Subtree). A single-level search is quicker, but a
subtree search is more extensive.
• Naming Attribute(s) defines the Relative Distinguished Name (RDN) that uniquely identifies an
entry in the LDAP server. Common naming attributes are cn (Common Name) and uid (user
identification).
Figure E-1 shows a possible LDAP hierarchy for Example Corporation. Given this hierarchy, you could
define your search in different ways. Table E-1 shows two possible search configurations.
In the first example configuration, when Terry establishes his or her IPSec tunnel with LDAP
authorization required, the security appliance sends a search request to the LDAP server indicating it
should search for Terry in the Engineering group. This search is quick.
In the second example configuration, the security appliance sends a search request indicating the server
should search for Terry within Example Corporation. This search takes longer.
[Figure E-1: Example.com Enterprise LDAP Hierarchy. Root/Top: dc=ExampleCorp, dc=com. Organization Units (OU): People, Equipment. Groups/Departments under People: Engineering, Marketing, HR. Users: cn=terry, cn=bobbie, cn=lynn, cn=robin.]
Table E-1 Example Search Configurations

#  LDAP Base DN                                               Search Scope  Naming Attribute  Result
1  group=Engineering,ou=People,dc=ExampleCorporation,dc=com   One Level     cn=Terry          Quicker search
2  dc=ExampleCorporation,dc=com                               Subtree       cn=Terry          Longer search
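The following is an added illustration, not Cisco code and not the appliance's actual LDAP client: it models the Figure E-1 hierarchy as a constructed in-memory directory and applies the Base DN, Search Scope and Naming Attribute settings of the two Table E-1 rows to it. The function names (parse_dn, depth_below, ldap_search, table_e1) and the exact DNs of the intermediate entries (ou=People, ou=Equipment, group=Marketing, group=HR) are assumptions made for the example. It also shows an edge case the text only implies: a One Level search anchored at the root never reaches the user entries at all.

```python
"""Model of an LDAP Base DN / Search Scope / Naming Attribute lookup.

Hypothetical example (not Cisco code): the directory below is constructed
from the Figure E-1 hierarchy so the two Table E-1 configurations can be
compared offline, without a live LDAP server.
"""
from typing import Dict, List, Tuple

# Constructed directory: each DN maps to the attributes a filter can match.
# Attribute types in the DNs follow Figure E-1 (ou=, group=, cn=); the exact
# intermediate DNs are assumptions for this example.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "dc=ExampleCorporation,dc=com": {},
    "ou=People,dc=ExampleCorporation,dc=com": {},
    "ou=Equipment,dc=ExampleCorporation,dc=com": {},
    "group=Engineering,ou=People,dc=ExampleCorporation,dc=com": {},
    "group=Marketing,ou=People,dc=ExampleCorporation,dc=com": {},
    "group=HR,ou=People,dc=ExampleCorporation,dc=com": {},
    "cn=terry,group=Engineering,ou=People,dc=ExampleCorporation,dc=com": {"cn": "terry"},
    "cn=bobbie,group=Engineering,ou=People,dc=ExampleCorporation,dc=com": {"cn": "bobbie"},
    "cn=lynn,group=Marketing,ou=People,dc=ExampleCorporation,dc=com": {"cn": "lynn"},
    "cn=robin,group=HR,ou=People,dc=ExampleCorporation,dc=com": {"cn": "robin"},
}


def parse_dn(dn: str) -> List[str]:
    """Split a DN into normalised RDN components, leaf first.

    Attribute types and values are lower-cased and surrounding whitespace is
    dropped, so "group= Engineering" and "group=engineering" compare equal.
    """
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return parts


def depth_below(dn: str, base_dn: str) -> int:
    """Return how many levels dn sits below base_dn, or -1 if it is not under it."""
    entry, base = parse_dn(dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return -1
    return len(entry) - len(base)


def ldap_search(base_dn: str, scope: str, attr: str, value: str) -> Tuple[List[str], int]:
    """Emulate the search: return (matching DNs, number of entries examined).

    scope is "onelevel" (only the level immediately below the base) or
    "subtree" (the base and everything beneath it). The examined count is
    the work the server does for that configuration, which is what makes
    row 2 of Table E-1 the slower search.
    """
    if scope not in ("onelevel", "subtree"):
        raise ValueError(f"unknown scope: {scope}")
    matches, examined = [], 0
    for dn, attrs in DIRECTORY.items():
        depth = depth_below(dn, base_dn)
        in_scope = depth == 1 if scope == "onelevel" else depth >= 0
        if not in_scope:
            continue
        examined += 1
        if attrs.get(attr.lower(), "").lower() == value.lower():
            matches.append(dn)
    return matches, examined


def table_e1() -> Dict[int, Tuple[int, int]]:
    """Run both Table E-1 rows; return {row: (matches found, entries examined)}."""
    cfg1 = ldap_search("group= Engineering,ou=People,dc=ExampleCorporation,dc=com",
                       "onelevel", "cn", "Terry")
    cfg2 = ldap_search("dc=ExampleCorporation,dc=com", "subtree", "cn", "Terry")
    return {1: (len(cfg1[0]), cfg1[1]), 2: (len(cfg2[0]), cfg2[1])}


if __name__ == "__main__":
    for row, (found, examined) in table_e1().items():
        print(f"Table E-1 row {row}: {found} match, {examined} entries examined")
    # Edge case: One Level scope at the root only sees the OU entries, so the
    # user lookup for Terry finds nothing and authorization would fail.
    print("root, onelevel:", ldap_search("dc=ExampleCorporation,dc=com", "onelevel", "cn", "Terry"))
```

Row 1 examines only the two user entries directly under the Engineering group, while row 2 walks every entry in the tree before returning the same single match; the root-with-One-Level case returns no match at all, which is the misconfiguration to check for when LDAP authorization unexpectedly denies users whose entries are known to exist.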