8-26
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
String
Unsigned Integer 32
IP Address—This can be either an IP version 4 (IPv4) or IP version 6 (IPv6) address.
For unsigned integers and IP address attributes, ACS converts the strings that it has retrieved to the
corresponding data types. If conversion fails, or if no values are retrieved for the attributes, ACS logs a
debug message but does not fail the authentication or the lookup process.
You can optionally configure default values for the attributes that ACS can use when the conversion fails
or when ACS does not retrieve any values for the attributes.
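A minimal model of the conversion behaviour described above, added here as an illustration and not Cisco's code. The accepted integer syntax, the attribute names in the comments and the `source` tag (which lets an auditor see when a policy decision rests on a default rather than on directory data) are assumptions.

```python
import ipaddress
import logging

log = logging.getLogger("ldap_attr_model")  # hypothetical logger name
UINT32_MAX = 2**32 - 1


def _to_uint32(raw):
    # Assumption: only plain decimal digits within the unsigned 32-bit range are valid.
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("not an unsigned decimal integer")
    value = int(raw)
    if value > UINT32_MAX:
        raise ValueError("exceeds unsigned 32-bit range")
    return value


def _to_ip(raw):
    # ip_address() accepts both IPv4 and IPv6 text and raises ValueError otherwise.
    return ipaddress.ip_address(raw)


CONVERTERS = {"string": str, "uint32": _to_uint32, "ip": _to_ip}


def convert_attribute(name, attr_type, raw, default=None):
    """Return (value, source); source is 'ldap', 'default' or 'missing'.

    Never raises for a bad or absent value: as in the text, the failure is
    logged at debug level and the lookup carries on.
    """
    if raw is None:
        log.debug("attribute %s: no value retrieved", name)
    else:
        try:
            return CONVERTERS[attr_type](raw.strip()), "ldap"
        except ValueError as exc:
            log.debug("attribute %s: cannot convert %r to %s (%s)",
                      name, raw, attr_type, exc)
    if default is not None:
        return default, "default"   # administrator-configured fallback
    return None, "missing"          # no value and no default: attribute is absent


# Constructed sample values (not from a real directory):
#   convert_attribute("vlanId", "uint32", "120")       -> (120, "ldap")
#   convert_attribute("framedIp", "ip", "10.0.0.300")  -> (None, "missing")
```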
Certificate Retrieval
If you have configured certificate retrieval as part of user lookup, then ACS must retrieve the value of
the certificate attribute from LDAP. To do this, you must have configured the certificate attribute in the List
of attributes to fetch while configuring an LDAP identity store.
Creating External LDAP Identity Stores
Note: Configuring an LDAP identity store for ACS has no effect on the configuration of the LDAP database.
ACS recognizes the LDAP database, enabling the database to be authenticated against. To manage your
LDAP database, see your LDAP database documentation.
When you create an LDAP identity store, ACS also creates:
A new dictionary for that store with two attributes, ExternalGroups and IdentityDn.
A custom condition for group mapping from the ExternalGroup attribute; the condition name has
the format LDAP:ID_store_name ExternalGroups.
You can edit the predefined condition name, and you can create a custom condition from the IdentityDn
attribute in the Custom condition page. See Creating, Duplicating, and Editing a Custom Session
Condition, page 9-5.
To create, duplicate, or edit an external LDAP identity store:
Step 1 Select Users and Identity Stores > External Identity Stores > LDAP.
The LDAP Identity Stores page appears.
Step 2 Click Create. You can also:
Check the check box next to the identity store you want to duplicate, then click Duplicate.
Click the identity store name that you want to modify, or check the box next to the name and click
Edit.
If you are creating an identity store, the first page of a wizard appears: General.
If you are duplicating an identity store, the External Identity Stores > Duplicate: “<idstore>” page
General tab appears, where idstore is the name of the external identity store that you chose.
If you are editing an identity store, the External Identity Stores > Edit: “idstore” page General tab
appears, where idstore is the name of the external identity store that you chose.
Step 3 Complete the Name and Description fields as required.