User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
Table 8-8 LDAP: Directory Organization Page (Option / Description)

Schema

  Subject Object class
    Value of the LDAP objectClass attribute that identifies the subject. Subject records often
    have several values for the objectClass attribute, some of which are unique to the subject
    and some of which are shared with other object types. This box should contain a value that
    is not shared. Valid values are from 1 to 20 characters and must be a valid LDAP object
    type. This parameter can contain any UTF-8 characters. (Default = Person.)

  Group Object class
    Enter the group object class that you want to use in searches that identify objects as
    groups. (Default = GroupOfUniqueNames.)

  Subject Name Attribute
    Name of the attribute in the subject record that contains the subject name. You can obtain
    this attribute name from your directory server. This attribute specifies the subject name
    in the LDAP schema; you use it to construct queries that search for subject objects. For
    more information, refer to the LDAP database documentation. Valid values are from 1 to 20
    characters and must be a valid LDAP attribute. This parameter can contain any UTF-8
    characters. Common values are uid and CN. (Default = uid.)

  Group Map Attribute
    For user authentication, user lookup, and MAC address lookup, ACS must retrieve group
    membership information from LDAP databases. LDAP servers represent an association between
    a subject (a user or a host) and a group in one of the following two ways:
      - Groups refer to subjects
      - Subjects refer to groups
    The Group Map Attribute contains the mapping information. You must enter the attribute that
    contains the mapping information, which is an attribute of either the subject or the group,
    depending on which radio button you select:
      - If you select the Subject Objects Contain Reference To Groups radio button, enter a
        subject attribute.
      - If you select the Group Objects Contain Reference To Subjects radio button, enter a
        group attribute.

  Certificate Attribute
    Enter the attribute that contains certificate definitions. These definitions can optionally
    be used to validate certificates presented by clients when defined as part of a certificate
    authentication profile. In such cases, a binary comparison is performed between the client
    certificate and the certificate retrieved from the LDAP identity store.

  Subject Objects Contain Reference To Groups
    Click if the subject objects contain a reference to groups.

  Group Objects Contain Reference To Subjects
    Click if the group objects contain a reference to subjects.

  Subjects In Groups Are Stored In Member Attribute As
    Use the drop-down list box to indicate whether the subjects in groups are stored in member
    attributes as either:
      - Username
      - Distinguished name
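The following is an added example, not code from the Cisco guide or from ACS itself. It models how the Table 8-8 options steer a group-membership lookup: the subject is located by object class and name attribute, and the group mapping is read either from the subject record or from the group records, matching members by DN or by username as configured. The directory entries and the uniqueMember/memberOf attribute names are constructed for the example; the defaults are the ones the table states.

```python
from dataclasses import dataclass

# Constructed sample directory (not from the guide): dn -> attribute -> values
ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["top", "person"], "uid": ["alice"],
        "memberOf": ["cn=netadmins,ou=groups,dc=example,dc=com"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["top", "person"], "uid": ["bob"]},
    "cn=netadmins,ou=groups,dc=example,dc=com": {
        "objectClass": ["top", "groupOfUniqueNames"],
        "uniqueMember": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=helpdesk,ou=groups,dc=example,dc=com": {
        "objectClass": ["top", "groupOfUniqueNames"],
        "uniqueMember": ["uid=alice,ou=people,dc=example,dc=com",
                         "uid=bob,ou=people,dc=example,dc=com"]},
}

@dataclass
class DirectoryOrganization:
    """The Table 8-8 options; string defaults are the ones the page states."""
    subject_object_class: str = "Person"
    group_object_class: str = "GroupOfUniqueNames"
    subject_name_attribute: str = "uid"
    group_map_attribute: str = "uniqueMember"   # assumed value for this example
    subjects_reference_groups: bool = False     # False: group objects reference subjects
    member_stored_as: str = "dn"                # "dn" or "username"

def _has_class(entry, object_class):
    # objectClass values compare case-insensitively in LDAP
    return object_class.lower() in (c.lower() for c in entry.get("objectClass", []))

def find_subject(entries, cfg, name):
    """(dn, entry) of the one subject matching the name attribute, else None."""
    hits = [(dn, e) for dn, e in entries.items() if _has_class(e, cfg.subject_object_class)
            and name in e.get(cfg.subject_name_attribute, [])]
    return hits[0] if len(hits) == 1 else None   # None also when the name is ambiguous

def groups_for_subject(entries, cfg, name):
    """Sorted group DNs for the subject, or None if the subject is not found."""
    found = find_subject(entries, cfg, name)
    if found is None:
        return None
    dn, entry = found
    if cfg.subjects_reference_groups:
        return sorted(entry.get(cfg.group_map_attribute, []))  # mapping lives in the subject
    # Mapping lives in the group records: the member value must be in the form configured
    # (DN or username); a mismatch silently yields no membership, not an error
    needle = dn if cfg.member_stored_as == "dn" else name
    return sorted(g for g, e in entries.items() if _has_class(e, cfg.group_object_class)
                  and needle in e.get(cfg.group_map_attribute, []))
```

Running it with member_stored_as="username" against a directory whose member attribute holds DNs returns an empty list for every user, which is the symptom to check for first when LDAP-backed authorization unexpectedly grants no group-based access.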
Directory Structure