Chapter 12 Configuring AAA Servers and User Accounts


Note Microsoft Internet Explorer displays up to 37 characters in an authentication prompt. Netscape Navigator displays up to 120 characters, and Telnet and FTP display up to 235 characters in an authentication prompt.

Fields

Prompt—(Optional) Enables the display of AAA challenge text, specified in the field below the check box, for through-the-security-appliance user sessions.

Text—(Optional) Specify a string of up to 235 alphanumeric characters or 31 words, limited by whichever maximum is first reached. Do not use special characters; however, spaces and punctuation characters are permitted. Entering a question mark or pressing the Enter key ends the string. (The question mark appears in the string.)

User accepted message—(Optional) Enables the display of text, specified in the field below the check box, confirming that the user has been authenticated.

User rejected message—(Optional) Enables the display of text, specified in the field below the check box, indicating that authentication failed.

Note All of the fields in this pane are optional. If you do not specify an authentication prompt, FTP users see "FTP authentication", HTTP users see "HTTP Authentication", and Telnet users see no challenge text.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed    Transparent      Single    Multiple
                                     Context    System

Configuring an LDAP Attribute Map

The LDAP Attribute Map pane (Configuration > Remote Access VPN > AAA Setup) lets you create and name an attribute map for mapping customer (user-defined) attribute names to Cisco LDAP attribute names. If you are introducing a security appliance to an existing LDAP directory, your existing customer LDAP attribute names and values are probably different from the Cisco attribute names and values. Rather than renaming your existing attributes, you can create LDAP attribute maps that map your customer attribute names and values to Cisco attribute names and values. By using simple string substitution, the security appliance then presents you with only your own customer names and values.

You can then bind these attribute maps to LDAP servers or remove them as needed. You can also delete entire attribute maps or remove individual name and value entries.

Note To use the attribute mapping features correctly, you need to understand the Cisco LDAP attribute names and values as well as the user-defined attribute names and values.
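The mapping described above is plain string substitution in two layers: a name map (customer attribute name to Cisco attribute name) and, optionally, a value map for a mapped attribute (customer value to Cisco value). The following Python is an added example, not code from the page or from Cisco; it parses a constructed attribute map written in the ASA CLI form that ASDM generates for this pane (the command names `ldap attribute-map`, `map-name` and `map-value` are real; the map name, attribute names and values are made up here) and applies it to a constructed LDAP entry. Two behaviours are assumptions of this model rather than statements from the page: attribute names are matched as exact strings, and a mapped attribute whose value has no `map-value` entry is passed through with its original value.

```python
import shlex
from typing import Dict, List, Tuple

# Constructed sample map in ASA CLI syntax (example, not from the page).
# IETF-Radius-Class and Banner1 are real Cisco attribute names; the rest is made up.
SAMPLE_MAP_CONFIG = """
ldap attribute-map SampleMap
 map-name department IETF-Radius-Class
 map-value department engineering Engineering-GroupPolicy
 map-value department finance Finance-GroupPolicy
 map-name info Banner1
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN-Admins,OU=Groups,DC=example,DC=com" Admin-GroupPolicy
"""


class AttributeMap:
    """One named LDAP attribute map: a name map plus a value map."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.names: Dict[str, str] = {}                 # customer attr -> Cisco attr
        self.values: Dict[Tuple[str, str], str] = {}    # (customer attr, customer value) -> Cisco value


def parse_attribute_map(text: str) -> AttributeMap:
    """Parse the CLI form of a single attribute map into an AttributeMap."""
    amap = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)   # shlex keeps quoted DNs (with commas and spaces) as one token
        if tokens[:2] == ["ldap", "attribute-map"] and len(tokens) == 3:
            amap = AttributeMap(tokens[2])
        elif amap is None:
            raise ValueError("map entry appears before 'ldap attribute-map'")
        elif tokens[0] == "map-name" and len(tokens) == 3:
            amap.names[tokens[1]] = tokens[2]
        elif tokens[0] == "map-value" and len(tokens) == 4:
            if tokens[1] not in amap.names:
                # Assumption: a value map only makes sense for an attribute that has a name map.
                raise ValueError(f"map-value for unmapped attribute {tokens[1]!r}")
            amap.values[(tokens[1], tokens[2])] = tokens[3]
        else:
            raise ValueError(f"unrecognized line: {line}")
    if amap is None:
        raise ValueError("no 'ldap attribute-map' line found")
    return amap


def apply_attribute_map(amap: AttributeMap, entry: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Translate a parsed LDAP entry {customer attr: [values]} into {Cisco attr: [values]}.

    Assumptions of this model: matching is exact-string; attributes with no map-name
    entry are dropped; a value with no map-value entry is passed through unchanged.
    """
    out: Dict[str, List[str]] = {}
    for attr, vals in entry.items():
        cisco_attr = amap.names.get(attr)
        if cisco_attr is None:
            continue
        for v in vals:
            out.setdefault(cisco_attr, []).append(amap.values.get((attr, v), v))
    return out


# Constructed LDAP entry standing in for what the directory returns for a user.
SAMPLE_ENTRY = {
    "cn": ["alice"],
    "department": ["engineering"],
    "info": ["Authorized use only"],
    "memberOf": ["CN=VPN-Admins,OU=Groups,DC=example,DC=com"],
}


def demo() -> Dict[str, List[str]]:
    """Run the sample map over the sample entry and return the Cisco-side view."""
    return apply_attribute_map(parse_attribute_map(SAMPLE_MAP_CONFIG), SAMPLE_ENTRY)


if __name__ == "__main__":
    for cisco_attr, vals in demo().items():
        print(f"{cisco_attr}: {vals}")
```

The pass-through behaviour is the check worth keeping in mind when you bind a map to a server: a user whose `department` value has no `map-value` line arrives with `IETF-Radius-Class` set to the raw directory string, so a typo in either the map or the directory value silently fails to select the intended group policy rather than producing an error.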

ASDM User Guide    OL-12180-01    12-21