Cisco Systems 5.2.x Understand LDAP Attributes, Guidelines for LDAP Filters

6-15

UserGuide for Cisco Dig ital Media Manager 5.2.x

OL-15762-03

Chapter6 Authentication and Federated Identity

Concepts

Understand LDAP Attributes

Ordinarily, DMS-Admin will not import any user account from your ActiveDirectory server when the

value in it is blank for any of these attributes:

• Login User Name—This requi red value always must be unique.

•First Name— This required value might be identical for multiple users.

•Last Name— This required value might also be identical for multiple users.

However, you can import and synchronize all of the Active Directory user accounts that match your

filters. You can do this even when some of the user accounts are incomplete because one or more of their

attributes have blank values.

To prevent these undefined attributes from blocking the import of the user accounts they are meant to

describe, you can enter generic values for most attributes in the Values to Use by Default column.

DMS-Admin takes the generic values that you enter, and then inserts them automatically where they

are needed.

Tip Nonetheless, you cannot enter a default value for the Login User Name attribute. Usernames are unique.

Guidelines for LDAP Filters

•Use “OU” values to impose rough limits on a filter, page6-15

•Use “memberOf” values to pinpoint a filter more precisely, page6-16

•Use “objectClass” values to match all user records, page 6-16

Use “OU” values to impose rough limits on a filter

•Never use a filter that defines the user base at the domain level. For example, this filter is

not acceptable.

DC=example,DC=com

•Instead, use filters that define the user base at a lower level, as this one does.

OU=SanJose,DC=example,DC=com

•LDAP returns matched records from all levels within the user base that your filter defines.

Would a filter for “OU=SanJose,DC=example,DC=com” ever include any users from...?

OU=RTP,DC=example,DC=com No1

OU=Milpitas,OU=SanJose,DC=example,DC=com Yes2

OU=Sunnyvale,OU=SanJose,DC=example,DC=com Yes2

1. Research Triangle Park, NC, does not have any physical connection to San José, CA.

2. Milpitas, CA and Sunnyvale, CA, are suburbs of San José, CA, which affects them directly and in multiple ways.