8-23
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
Configuring LDAP Groups, page 8-33
Viewing LDAP Attributes, page 8-34

Directory Service

The directory service is a software application, or a set of applications, for storing and organizing
information about a computer network's users and network resources. You can use the directory service
to manage user access to these resources.
The LDAP directory service is based on a client-server model. A client starts an LDAP session by
connecting to an LDAP server, and sends operation requests to the server. The server then sends its
responses. One or more LDAP servers contain data from the LDAP directory tree or the LDAP backend
database.
The directory service manages the directory, which is the database that holds the information. Directory
services use a distributed model for storing information, and that information is usually replicated
between directory servers.
An LDAP directory is organized in a simple tree hierarchy and can be distributed among many servers.
Each server can have a replicated version of the total directory that is synchronized periodically.
An entry in the tree contains a set of attributes, where each attribute has a name (an attribute type or
attribute description) and one or more values. The attributes are defined in a schema.
Each entry has a unique identifier: its Distinguished Name (DN). This name contains the Relative
Distinguished Name (RDN) constructed from attributes in the entry, followed by the parent entry's DN.
You can think of the DN as a full filename, and the RDN as a relative filename in a folder.

Authentication Using LDAP

ACS 5.3 can authenticate a principal against an LDAP identity store by performing a bind operation on
the directory server to find and authenticate the principal. If authentication succeeds, ACS can retrieve
groups and attributes that belong to the principal. The attributes to retrieve can be configured in the ACS
web interface (LDAP pages). These groups and attributes can be used by ACS to authorize the principal.
To authenticate a user or query the LDAP identity store, ACS connects to the LDAP server and maintains
a connection pool. See LDAP Connection Management, page 8-24.

Multiple LDAP Instances

You can create more than one LDAP instance in ACS 5.3. By creating more than one LDAP instance
with different IP address or port settings, you can configure ACS to authenticate by using different
LDAP servers or different databases on the same LDAP server.
Each primary server IP address and port configuration, along with the secondary server IP address and
port configuration, forms an LDAP instance that corresponds to one ACS LDAP identity store instance.
ACS 5.3 does not require that each LDAP instance correspond to a unique LDAP database. You can have
more than one LDAP instance set to access the same database.
This method is useful when your LDAP database contains more than one subtree for users or groups.
Because each LDAP instance supports only one subtree directory for users and one subtree directory for
groups, you must configure separate LDAP instances for each user directory subtree and group directory
subtree combination for which ACS should submit authentication requests.
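As an added example (not from the Cisco guide), the DN/RDN relationship described under Directory Service and the one-user-subtree, one-group-subtree rule above, in Python: split a DN into its RDNs, derive the parent DN, and test whether an entry falls under a configured search base. The base DNs and entry DNs are constructed samples; the parser is a simplified RFC 4514 splitter that honours backslash escapes and compares RDNs case-insensitively.

```python
# Constructed sample subtrees, standing in for the single user and single
# group search base an ACS LDAP instance is configured with.
USER_BASE = "ou=Users,dc=example,dc=com"
GROUP_BASE = "ou=Groups,dc=example,dc=com"

def split_dn(dn):
    """Split a DN into RDN strings. A backslash escapes the next character
    (RFC 4514), so an escaped comma inside a CN stays in that RDN."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())  # drop spaces around separators
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns

def parent_dn(dn):
    """The parent entry's DN is everything after the first (leftmost) RDN."""
    return ",".join(split_dn(dn)[1:])

def normalize_rdn(rdn):
    # Simplification: case-insensitive match on type and value, which is
    # right for cn/ou/dc but not for every attribute syntax or multi-valued RDNs.
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"

def in_subtree(entry_dn, base_dn):
    """True if entry_dn is base_dn itself or lies beneath it."""
    entry = [normalize_rdn(r) for r in split_dn(entry_dn)]
    base = [normalize_rdn(r) for r in split_dn(base_dn)]
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base

def classify(dn):
    """Report the entry's RDN, its parent DN, and which configured subtree holds it."""
    return {"rdn": split_dn(dn)[0], "parent": parent_dn(dn),
            "user": in_subtree(dn, USER_BASE), "group": in_subtree(dn, GROUP_BASE)}

if __name__ == "__main__":
    for sample in ("cn=Smith\\, John,ou=Users,dc=example,dc=com",
                   "cn=netadmins,ou=Groups,dc=example,dc=com",
                   "cn=svc, ou=Service, dc=example, dc=com"):
        print(sample, "->", classify(sample))
```

An entry such as the third sample, which sits in neither configured subtree, is exactly the case that needs a separate LDAP instance in ACS.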