13-41
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 13 User Databases
Generic LDAP

– UserObjectType—The name of the attribute in the user record that contains the username. You can obtain this attribute name from your Directory Server. For more information, refer to your LDAP database documentation. Cisco Secure ACS provides default values that reflect the default configuration of a Netscape Directory Server. Confirm all values for these fields with your LDAP server configuration and documentation.
– UserObjectClass—The value of the LDAP “objectType” attribute that identifies the record as a user. Often, user records have several values for the objectType attribute, some of which are unique to the user and some of which are shared with other object types. This box should contain a value that is not shared.
– GroupObjectType—The name of the attribute in the group record that contains the group name.
– GroupObjectClass—A value of the LDAP “objectType” attribute in the group record that identifies the record as a group.
– Group Attribute Name—The name of the attribute of the group record that contains the list of user records that are members of that group.
– Server Timeout—The number of seconds Cisco Secure ACS waits for a response from an LDAP server before determining that the connection with that server has failed.
– On Timeout Use Secondary—Whether Cisco Secure ACS performs failover of LDAP authentication attempts. For more information about the LDAP failover feature, see LDAP Failover, page 13-36.
– Failback Retry Delay—The number of minutes, after the primary LDAP server fails to authenticate a user, before Cisco Secure ACS resumes sending authentication requests to the primary LDAP server first. A value of 0 (zero) causes Cisco Secure ACS to always use the primary LDAP server first.
• Primary and Secondary LDAP Servers—The Primary LDAP Server table and the Secondary LDAP Server table enable you to identify the LDAP servers and make settings that are unique to each. The Secondary LDAP Server table does not need to be completed if you do not intend to use LDAP failover. These tables contain the following options:
– Hostname—The name or IP address of the server that is running the LDAP software. If you are using DNS on your network, you can type the hostname instead of the IP address.
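The user and group mapping fields and the failback rule described above, exercised against constructed directory entries so that a mis-set UserObjectClass (one shared with another object type) shows up before the settings go live. This is an added example, not code from Cisco Secure ACS or the guide; the entry DNs, attribute names and setting values are assumptions.

```python
# Added example (not Cisco Secure ACS code): check Generic LDAP attribute
# settings against constructed sample entries shaped like a Netscape-style
# directory (dn -> {attribute: [values]}); all names below are assumptions.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com":
        {"objectClass": ["top", "person", "inetOrgPerson"], "uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=com":
        {"objectClass": ["top", "person", "inetOrgPerson"], "uid": ["bob"]},
    "cn=printer1,ou=devices,dc=example,dc=com":
        {"objectClass": ["top", "person", "device"], "cn": ["printer1"]},
    "cn=netadmins,ou=groups,dc=example,dc=com":
        {"objectClass": ["top", "groupOfUniqueNames"], "cn": ["netadmins"],
         "uniqueMember": ["uid=alice,ou=people,dc=example,dc=com"]},
}

ACS_SETTINGS = {  # the Generic LDAP fields described on this page
    "UserObjectType": "uid",
    "UserObjectClass": "inetOrgPerson",
    "GroupObjectType": "cn",
    "GroupObjectClass": "groupOfUniqueNames",
    "Group Attribute Name": "uniqueMember",
    "Failback Retry Delay": 5,  # minutes; 0 = always try the primary first
}

def user_search_filter(settings, username):
    """LDAP filter for the user lookup: username attribute AND user class."""
    return (f"(&({settings['UserObjectType']}={username})"
            f"(objectClass={settings['UserObjectClass']}))")

def shared_class_problems(directory, settings):
    """DNs matched by UserObjectClass that lack the UserObjectType attribute.
    Any hit means the class value is shared with another object type."""
    cls, name_attr = settings["UserObjectClass"], settings["UserObjectType"]
    return sorted(dn for dn, attrs in directory.items()
                  if cls in attrs.get("objectClass", []) and name_attr not in attrs)

def groups_of(directory, settings, user_dn):
    """Names of groups whose Group Attribute Name lists user_dn as a member."""
    cls, members = settings["GroupObjectClass"], settings["Group Attribute Name"]
    return sorted(attrs[settings["GroupObjectType"]][0]
                  for attrs in directory.values()
                  if cls in attrs.get("objectClass", [])
                  and user_dn in attrs.get(members, []))

def query_primary_first(settings, minutes_since_primary_failure):
    """Failback rule: primary first when the delay is 0 or has elapsed."""
    delay = settings["Failback Retry Delay"]
    return delay == 0 or minutes_since_primary_failure >= delay
```

Setting UserObjectClass to the shared value "person" makes shared_class_problems report the printer entry, which is the situation the "not shared" rule above guards against.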