Chapter 8 Managing Users and Identity Stores

Managing External Identity Stores

Table 8-8    LDAP: Directory Organization Page

Option                  Description

Schema

  Subject Object class
    Value of the LDAP objectClass attribute that identifies the subject. Often, subject records have several values for the objectClass attribute, some of which are unique to the subject, some of which are shared with other object types. This box should contain a value that is not shared. Valid values are from 1 to 20 characters and must be a valid LDAP object type. This parameter can contain any UTF-8 characters. (Default = Person.)

  Group Object class
    Enter the group object class that you want to use in searches that identify objects as groups. (Default = GroupOfUniqueNames.)

  Subject Name Attribute
    Name of the attribute in the subject record that contains the subject name. You can obtain this attribute name from your directory server. This attribute specifies the subject name in the LDAP schema. You use this attribute to construct queries to search for subject objects. For more information, refer to the LDAP database documentation. Valid values are from 1 to 20 characters and must be a valid LDAP attribute. This parameter can contain any UTF-8 characters. Common values are uid and CN. (Default = uid.)

  Group Map Attribute
    For user authentication, user lookup, and MAC address lookup, ACS must retrieve group membership information from LDAP databases. LDAP servers represent an association between a subject (a user or a host) and a group in one of the following two ways:
    - Groups refer to subjects
    - Subjects refer to groups
    The Group Map Attribute contains the mapping information. You must enter the attribute that contains the mapping information: an attribute in either the subject or the group, depending on which reference direction you select:
    - If you select the Subject Objects Contain Reference To Groups radio button, enter a subject attribute.
    - If you select the Group Objects Contain Reference To Subjects radio button, enter a group attribute.

  Certificate Attribute
    Enter the attribute that contains certificate definitions. These definitions can optionally be used to validate certificates presented by clients when defined as part of a certificate authentication profile. In such cases, a binary comparison is performed between the client certificate and the certificate retrieved from the LDAP identity store.

  Subject Objects Contain Reference To Groups
    Click if the subject objects contain a reference to groups.

  Group Objects Contain Reference To Subjects
    Click if the group objects contain a reference to subjects.

  Subjects In Groups Are Stored In Member Attribute As
    Use the drop-down list box to indicate if the subjects in groups are stored in member attributes as either:
    - Username
    - Distinguished name

Directory Structure
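The Schema settings above decide how a subject is found and how its group membership is resolved. The following is an added example, not Cisco ACS code: it models those settings as a small configuration object and runs the two lookups against a constructed in-memory directory. The class and function names (DirectoryOrganization, subject_filter, resolve_groups, certificate_matches) are hypothetical, the directory entries are constructed, and the default group map attribute uniqueMember is an assumption (the table gives no default for it). It shows both reference directions (groups refer to subjects, subjects refer to groups), both member value forms (username, distinguished name), and the byte-for-byte certificate comparison the Certificate Attribute row describes.

```python
"""Resolve subjects and group membership the way the Table 8-8 settings describe.

Added illustration against a constructed in-memory directory; it is not
Cisco ACS code, and the class and function names are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed stand-in for an LDAP server: DN -> attribute -> values.
DIRECTORY: Dict[str, Dict[str, list]] = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["top", "Person", "inetOrgPerson"],
        "uid": ["alice"],
        "memberOf": ["cn=netadmins,ou=groups,dc=example,dc=com"],
        "userCertificate": [b"CONSTRUCTED-DER-BYTES-ALICE"],  # placeholder, not a real DER cert
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["top", "Person", "inetOrgPerson"],
        "uid": ["bob"],
    },
    # Group -> subject reference, members stored as distinguished names.
    "cn=netadmins,ou=groups,dc=example,dc=com": {
        "objectClass": ["top", "GroupOfUniqueNames"],
        "cn": ["netadmins"],
        "uniqueMember": ["uid=alice,ou=people,dc=example,dc=com"],
    },
    # Group -> subject reference, members stored as usernames.
    "cn=helpdesk,ou=groups,dc=example,dc=com": {
        "objectClass": ["top", "groupOfNames"],
        "cn": ["helpdesk"],
        "member": ["alice", "bob"],
    },
}


@dataclass
class DirectoryOrganization:
    """The Schema settings of Table 8-8. Defaults follow the table where it gives one;
    the group map attribute default is an assumption (uniqueMember fits GroupOfUniqueNames)."""
    subject_object_class: str = "Person"
    group_object_class: str = "GroupOfUniqueNames"
    subject_name_attribute: str = "uid"
    group_map_attribute: str = "uniqueMember"
    certificate_attribute: str = "userCertificate"
    groups_contain_subjects: bool = True   # True: Group Objects Contain Reference To Subjects
    member_stored_as: str = "dn"           # "dn" or "username" (Subjects In Groups Are Stored ... As)


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping so a subject name cannot change the meaning of the filter."""
    return (value.replace("\\", r"\5c").replace("*", r"\2a")
                 .replace("(", r"\28").replace(")", r"\29").replace("\0", r"\00"))


def subject_filter(cfg: DirectoryOrganization, name: str) -> str:
    """Search filter built from the subject object class and subject name attribute."""
    return f"(&(objectClass={cfg.subject_object_class})({cfg.subject_name_attribute}={ldap_escape(name)}))"


def search(directory: dict, object_class: str, attr: str, value) -> List[str]:
    """DNs whose entry carries object_class and whose attr contains value (class match is case-insensitive)."""
    return [dn for dn, attrs in directory.items()
            if object_class.lower() in (c.lower() for c in attrs.get("objectClass", []))
            and value in attrs.get(attr, [])]


def find_subject(cfg: DirectoryOrganization, directory: dict, name: str) -> str:
    """Exactly one subject must match; anything else is ambiguous and the lookup fails closed."""
    dns = search(directory, cfg.subject_object_class, cfg.subject_name_attribute, name)
    if len(dns) != 1:
        raise LookupError(f"expected one subject for {name!r}, found {len(dns)}")
    return dns[0]


def resolve_groups(cfg: DirectoryOrganization, directory: dict, name: str) -> List[str]:
    """Group DNs for a subject, following whichever direction the radio buttons select."""
    subject_dn = find_subject(cfg, directory, name)
    if cfg.groups_contain_subjects:
        # Groups refer to subjects: match the group map attribute against DN or username.
        member_value = subject_dn if cfg.member_stored_as == "dn" else name
        return sorted(search(directory, cfg.group_object_class, cfg.group_map_attribute, member_value))
    # Subjects refer to groups: the subject entry's map attribute lists group DNs.
    return sorted(directory[subject_dn].get(cfg.group_map_attribute, []))


def certificate_matches(cfg: DirectoryOrganization, directory: dict, name: str, presented_der: bytes) -> bool:
    """Binary comparison of the presented certificate with the one stored under the certificate attribute.
    Byte equality means the directory must hold the same DER encoding the client presents."""
    subject_dn = find_subject(cfg, directory, name)
    return any(stored == presented_der for stored in directory[subject_dn].get(cfg.certificate_attribute, []))


if __name__ == "__main__":
    print(subject_filter(DirectoryOrganization(), "alice"))
    print(resolve_groups(DirectoryOrganization(), DIRECTORY, "alice"))
```

Two points worth noticing when mapping this back to the ACS settings: a subject name that matches more than one entry (or none) is treated as a failed lookup rather than picking the first hit, and the escaping in subject_filter is what keeps characters such as `*` or `)` in a supplied name from widening the search the Subject Name Attribute builds.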

User Guide for Cisco Secure Access Control System 5.3
OL-24201-01