Chapter 8 Managing Users and Identity Stores

Managing External Identity Stores

Possible reasons for an LDAP server to return bind (authentication) errors are:

Filtering errors—A search using filter criteria fails.

Parameter errors—Invalid parameters were entered.

User account is restricted (disabled, locked out, expired, password expired, and so on).

The following errors are logged as external resource errors, indicating a possible problem with the LDAP server:

A connection error occurred.

The timeout expired.

The server is down.

The server is out of memory.

The following error is logged as an Unknown User error:

A user does not exist in the database.

The following error is logged as an Invalid Password error, where the user exists, but the password sent is invalid:

An invalid password was entered.

Group Membership Information Retrieval

For user authentication, user lookup, and MAC address lookup, ACS must retrieve the group membership information from LDAP databases. LDAP servers represent the association between a subject (a user or a host) and a group in one of the following two ways:

Groups Refer to Subjects—The group objects contain an attribute that specifies the subject. Identifiers for subjects can be stored in the group as:

Distinguished Names (DNs)

Plain usernames

Subjects Refer to Groups—The subject objects contain an attribute that specifies the groups they belong to.

LDAP identity stores contain the following parameters for group membership information retrieval:

Reference Direction—Specifies the method to use when determining group membership (either Groups to Subjects or Subjects to Groups).

Group Map Attribute—Indicates which attribute contains the group membership information.

Group Object Class—Specifies the object class that identifies a directory object as a group.

Group Search Subtree—Indicates the search base for group searches.

Member Type Option—Specifies how members are stored in the group member attribute (either as DNs or plain usernames).
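The following example, added here and not taken from the ACS user guide, applies these five parameters to a small constructed in-memory directory so that the two reference directions and the two member types can be compared side by side. The directory entries, the function names and the parameter value strings ("groups_to_subjects", "subjects_to_groups", "dn", "username") are assumptions for illustration, not ACS configuration syntax.

```python
# Constructed sample directory (not real data). Attribute values are lists, as in LDAP.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["alice"],
        "memberOf": ["cn=netadmins,ou=groups,dc=example,dc=com"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["bob"], "memberOf": []},
    "cn=netadmins,ou=groups,dc=example,dc=com": {          # members stored as DNs
        "objectClass": ["groupOfNames"], "cn": ["netadmins"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=helpdesk,ou=groups,dc=example,dc=com": {           # members stored as plain usernames
        "objectClass": ["posixGroup"], "cn": ["helpdesk"],
        "memberUid": ["alice", "bob"]},
    "cn=legacy,ou=old,dc=example,dc=com": {                # outside the group search subtree
        "objectClass": ["groupOfNames"], "cn": ["legacy"],
        "member": ["uid=bob,ou=people,dc=example,dc=com"]},
}

def _in_subtree(dn, base):
    """True if dn equals base or lies below it (case-insensitive, whole-RDN match)."""
    d, b = dn.lower(), base.lower()
    return d == b or d.endswith("," + b)

def _rdn_value(dn):
    """Value of the first RDN, e.g. 'alice' from 'uid=alice,ou=people,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def groups_for_subject(directory, subject_dn, reference_direction,
                       group_map_attribute, group_object_class,
                       group_search_subtree, member_type="dn"):
    """Return the sorted DNs of groups the subject belongs to (hypothetical helper)."""
    def is_group(dn, attrs):
        return (_in_subtree(dn, group_search_subtree)
                and group_object_class in attrs.get("objectClass", []))
    if reference_direction == "subjects_to_groups":
        # The subject entry lists its groups (e.g. memberOf); only groups of the
        # configured class inside the search subtree are accepted.
        refs = directory.get(subject_dn, {}).get(group_map_attribute, [])
        return sorted(dn for dn in refs if is_group(dn, directory.get(dn, {})))
    if reference_direction != "groups_to_subjects":
        raise ValueError("unknown reference direction: %r" % reference_direction)
    # Group entries list their members, either as full DNs or as plain usernames.
    wanted = subject_dn if member_type == "dn" else _rdn_value(subject_dn)
    return sorted(dn for dn, attrs in directory.items()
                  if is_group(dn, attrs) and wanted in attrs.get(group_map_attribute, []))
```

Note that the legacy group is never returned even though it names bob as a member, because it sits outside the configured Group Search Subtree; a misconfigured subtree silently drops memberships rather than raising an error.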

Attributes Retrieval

For user authentication, user lookup, and MAC address lookup, ACS must retrieve the subject attributes from LDAP databases. For each instance of an LDAP identity store, an identity store dictionary is created. These dictionaries support attributes of the following data types:

String

User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
8-25