IBM Remote Supervisor Adapter II manual Service Name, Root DN, Group Filter

Models: Remote Supervisor Adapter II


Service Name

The DNS SRV request that is sent to the DNS server must also specify a service name. The configured value is used. If this field is left blank, the default value is ldap. The DNS SRV request must also specify a protocol name. The default is tcp and is not configurable.

To use a preconfigured LDAP server, select Use Pre-Configured LDAP Server.

Note: The port number for each server is optional. If the field is left blank, the default value of 389 is used for nonsecured LDAP connections. For secured connections, the default is 636. You must configure at least one LDAP server.

You can configure the following parameters:

Root DN

This is the distinguished name (DN) for the root entry of the directory tree on the LDAP server (for example, dc=mycompany,dc=com). This DN is used as the base object for all searches.

Group Filter

This field is used for group authentication. Group authentication is attempted after the user’s credentials are successfully verified. If group authentication fails, the user’s attempt to log on is denied. When the group filter is configured, it specifies the groups to which this Service Processor belongs, and the user must belong to at least one of those groups for group authentication to succeed. If the Group Filter field is left blank, group authentication automatically succeeds. If the group filter is configured, an attempt is made to match at least one group in the list to a group to which the user belongs. If there is no match, the user fails authentication and is denied access. If there is at least one match, group authentication is successful. The comparisons are case sensitive.

The filter is limited to 511 characters and can consist of one or more group names. The colon (:) character must be used to delimit multiple group names. Leading and trailing spaces are ignored, but any other space is treated as part of the group name. A selection to allow or not allow the use of wildcards in the group name is provided. The filter can be a specific group name (for example, RSAWest), a wildcard (*) that matches everything, or a wildcard with a prefix (for example, RSA*). The default filter is RSA*. If security policies in your installation prohibit the use of wildcards, you can choose to not allow the use of wildcards, and the wildcard character (*) is treated as a normal character instead of the wildcard.

A group name can be specified as a full DN or using only the cn portion. For example, a group with a DN of cn=adminGroup,dc=mycompany,dc=com can be specified using the actual DN or with adminGroup.
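The following Python sketch is an added illustration, not IBM firmware code. It models the Group Filter rules described above so an administrator can check which memberships a given filter would admit. The function names are hypothetical. It assumes the wildcard appears only at the end of an entry, that the user's groups are supplied as DNs, and that DNs contain no escaped commas.

```python
# Added illustration: models the documented Group Filter rules; not IBM firmware code.
MAX_FILTER_LEN = 511  # documented limit on the filter string


def parse_filter(raw):
    """Split a colon-delimited filter; only leading/trailing spaces are dropped."""
    if len(raw) > MAX_FILTER_LEN:
        raise ValueError("group filter exceeds 511 characters")
    return [e.strip(" ") for e in raw.split(":") if e.strip(" ")]


def cn_of(group_dn):
    """Return the cn value of the first RDN, or the input if it is not a cn= DN.
    Assumption: naive comma split, attribute type compared without regard to case."""
    first = group_dn.split(",", 1)[0]
    return first[3:] if first[:3].lower() == "cn=" else group_dn


def entry_matches(entry, group_dn, allow_wildcards):
    """Case-sensitive compare of one filter entry against a full DN or its cn."""
    candidates = (group_dn, cn_of(group_dn))
    if allow_wildcards and entry.endswith("*"):
        prefix = entry[:-1]  # "*" alone gives an empty prefix and matches everything
        return any(c.startswith(prefix) for c in candidates)
    return entry in candidates  # with wildcards off, "*" is an ordinary character


def group_auth(raw_filter, user_groups, allow_wildcards=True):
    """True if group authentication would succeed under the documented rules."""
    entries = parse_filter(raw_filter)
    if not entries:  # blank filter: group authentication automatically succeeds
        return True
    return any(entry_matches(e, g, allow_wildcards)
               for e in entries for g in user_groups)


if __name__ == "__main__":
    groups = ["cn=RSAWest,dc=mycompany,dc=com"]  # constructed sample membership
    for flt in ("", "RSA*", "rsa*", " RSAEast : RSAWest ", "RSA West"):
        print(repr(flt), group_auth(flt, groups))
```

The blank-filter and default RSA* cases are the ones to review: a blank filter admits every user whose credentials verify, and RSA* admits members of any group whose name begins with RSA.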

For Active Directory environments only, nested group membership is supported. For example, if a user is a member of GroupA and GroupB, and GroupA is a member of GroupC, the user is said to be a member of GroupC also. Nested searches stop if 128 groups have been searched. Groups in one level are searched before groups in a lower level. Loops are not detected.

48 Remote Supervisor Adapter II SlimLine and Remote Supervisor Adapter II: User’s Guide
