Chapter 8 Managing Users and Identity Stores

Managing External Identity Stores

Unsigned Integer 32

IPv4 Address

For unsigned integers and IPv4 attributes, ACS converts the strings that it has retrieved to the corresponding data types. If conversion fails or if no values are retrieved for the attributes, ACS logs a debug message, but does not fail the authentication or the lookup process.

You can optionally configure default values for the attributes that ACS can use when the conversion fails or when ACS does not retrieve any values for the attributes.
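The conversion and default-value behaviour just described, as an added example in Python (this is illustrative code, not ACS's implementation; the attribute names, default values and sample LDAP entries are constructed):

```python
# Added example (not ACS's code): models how strings retrieved for an LDAP
# identity store's attributes are converted to the configured type, falling
# back to an optional default and logging, not failing, on conversion errors.
import ipaddress
import logging

log = logging.getLogger("ldap-attr-conversion")

# Constructed "List of attributes to fetch": (name, type, optional default).
ATTRIBUTES = [
    ("description", "String", None),
    ("vlanId", "Unsigned Integer 32", 1),
    ("framedIp", "IPv4 Address", None),
]


def convert_value(raw, attr_type):
    """Return raw converted to attr_type, or raise ValueError."""
    if attr_type == "String":
        return raw
    if attr_type == "Unsigned Integer 32":
        value = int(raw.strip(), 10)          # rejects "abc", "12.5"
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError(f"{value} is outside the unsigned 32-bit range")
        return value
    if attr_type == "IPv4 Address":
        # Strict parse: "300.1.1.1" or "10.1" raise AddressValueError (a ValueError)
        return ipaddress.IPv4Address(raw.strip())
    raise ValueError(f"unknown attribute type {attr_type!r}")


def resolve_attributes(ldap_entry, attributes=ATTRIBUTES):
    """Typed attributes for one LDAP entry ({attr: [string values]}).
    Missing values and conversion failures never raise: the default is
    used if one is configured, otherwise the attribute is left out."""
    resolved = {}
    for name, attr_type, default in attributes:
        values = ldap_entry.get(name, [])
        try:
            if not values:
                raise ValueError("no value retrieved")
            resolved[name] = convert_value(values[0], attr_type)
        except ValueError as exc:
            log.debug("%s=%r as %s: %s; default %r", name, values, attr_type, exc, default)
            if default is not None:
                resolved[name] = default
    return resolved


# Constructed sample entries: well-formed data, and out-of-range/invalid data.
GOOD_ENTRY = {"description": ["sales"], "vlanId": ["120"], "framedIp": ["10.1.2.3"]}
BAD_ENTRY = {"description": ["eng"], "vlanId": ["4294967296"], "framedIp": ["300.1.1.1"]}
```

With BAD_ENTRY, vlanId falls back to its default of 1 and framedIp (no default) is simply absent, while the lookup itself still succeeds.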

Certificate Retrieval

If you have configured certificate retrieval as part of user lookup, ACS must retrieve the value of the certificate attribute from LDAP. To do this, you must have added the certificate attribute to the List of attributes to fetch when configuring the LDAP identity store.

Creating External LDAP Identity Stores

Note Configuring an LDAP identity store for ACS has no effect on the configuration of the LDAP database. ACS recognizes the LDAP database, enabling the database to be authenticated against. To manage your LDAP database, see your LDAP database documentation.

When you create an LDAP identity store, ACS also creates:

A new dictionary for that store with two attributes, ExternalGroups and IdentityDn.

A custom condition for group mapping from the ExternalGroups attribute; the condition name has the format LDAP:ID_store_name ExternalGroups.

You can edit the predefined condition name, and you can create a custom condition from the IdentityDn attribute in the Custom condition page. See Creating, Duplicating, and Editing a Custom Session Condition, page 9-5.

To create, duplicate, or edit an external LDAP identity store:

Step 1 Select Users and Identity Stores > External Identity Stores > LDAP.

The LDAP Identity Stores page appears.

Step 2 Click Create. You can also:

Check the check box next to the identity store you want to duplicate, then click Duplicate.

Click the identity store name that you want to modify, or check the box next to the name and click Edit.

If you are creating an identity store, the first page of a wizard appears: General.

If you are duplicating an identity store, the External Identity Stores > Duplicate: "idstore" page General tab appears, where idstore is the name of the external identity store that you chose.

If you are editing an identity store, the External Identity Stores > Edit: "idstore" page General tab appears, where idstore is the name of the external identity store that you chose.

Step 3 Complete the Name and Description fields as required.

Step 4 Click Next.


User Guide for Cisco Secure Access Control System 5.3

8-26

OL-24201-01
