Cisco Systems 5.2.x manual Understand Ldap Attributes, Guidelines for Ldap Filters, Yes

Chapter 6 Authentication and Federated Identity

Concepts

Understand LDAP Attributes

Ordinarily, DMS-Admin will not import any user account from your Active Directory server when the value in it is blank for any of these attributes:

•Login User Name — This required value always must be unique.

•First Name — This required value might be identical for multiple users.

•Last Name — This required value might also be identical for multiple users.

However, you can import and synchronize all of the Active Directory user accounts that match your filters. You can do this even when some of the user accounts are incomplete because one or more of their attributes have blank values.

To prevent these undefined attributes from blocking the import of the user accounts they are meant to describe, you can enter generic values for most attributes in the Values to Use by Default column. DMS-Admin takes the generic values that you enter, and then inserts them automatically where they are needed.

Guidelines for LDAP Filters

•Use “OU” values to impose rough limits on a filter, page 6-15

•Use “memberOf” values to pinpoint a filter more precisely, page 6-16

•Use “objectClass” values to match all user records, page 6-16

Use “OU” values to impose rough limits on a filter

•Never use a filter that defines the user base at the domain level. For example, this filter is not acceptable.

DC=example,DC=com

•Instead, use filters that define the user base at a lower level, as this one does.

OU=SanJose,DC=example,DC=com

•LDAP returns matched records from all levels within the user base that your filter defines.

1.Research Triangle Park, NC, does not have any physical connection to San José, CA.

2.Milpitas, CA and Sunnyvale, CA, are suburbs of San José, CA, which affects them directly and in multiple ways.