02-26-2013 07:43 PM
Hi,
I am configuring identity in the S160 WSA for Novell eDirectory.
I've created an Authentication Realm configured for eDir, added my ldap server etc - and it works.
Now I want to do some access based on eDirectory group membership.
I have read the documentation, but my mind can't string it together! Hopefully someone here can explain or give me some working settings....
Under Group Authorization, I can choose either Group Object or User Object. My understanding is for Edir I could use either (user object lists group membership and group object lists users in group).
Q1. Is my understanding correct - i.e. I can use either?
Q2. If so, which is the preferred and more efficient method ?
Q3. What settings would I need for either when running against eDirectory ?
Going back to my basic User Authentication section, the Base DN is currently root of tree, with User Name Attribute of "cn" and User Filter Query set to "none". I would like to narrow this down as the tree has lots of non-User objects.
Q4. Can I add multiple Base DNs ?
Q5. Is the User Filter Query to set what TYPE of object to query for? If so, any ideas for the required setting for eDirectory?
Sorry for all the questions, but as this is heavily used production, I don't want to get there by trial and error. It could mean my trial..... :-)
Thanks in Advance,
Ian
03-13-2013 03:58 PM
Q1. You are correct you can use either.
Q2. It depends on how your edir is configured. Some group objects will contain extraneous users. If you do not want to check every user in a group, then do user object. With a user object, each user would maintain what groups they belong in and we would use that list to match. Both have their shortfalls. Basically the most efficient method is whatever list is the shortest.
Q3. This would require a TAC ticket as we would need to review your current settings and your ldap configuration.
Q4. Yes, however you would have to have multiple ldap realms.
Q5. Again would require a TAC ticket.
Most of the time the defaults in the LDAP settings will work with a basic and even an advanced configuration for edir.
Christian Rahl
Customer Support Engineer
Cisco Web Content Security Appliance
Cisco Technical Assistance Center RTP
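The two lookup directions compared in the answer above, as an added illustration that is not part of this thread or of the WSA product. It assumes eDirectory user objects carry a multi-valued groupMembership attribute and group objects carry a member attribute that is supposed to mirror it; the directory entries are a constructed sample.

```python
# Constructed sample of an eDirectory-style tree (not real data). Assumed
# attribute names: users carry 'groupMembership', groups carry 'member'.
DIRECTORY = {
    "cn=ian,ou=users,o=example": {
        "objectClass": ["inetOrgPerson"],
        "groupMembership": ["cn=web-allow,ou=groups,o=example"],
    },
    "cn=bob,ou=users,o=example": {
        "objectClass": ["inetOrgPerson"],
        "groupMembership": ["cn=web-allow,ou=groups,o=example",
                            "cn=web-block,ou=groups,o=example"],
    },
    "cn=printer1,ou=devices,o=example": {"objectClass": ["device"]},
    "cn=web-allow,ou=groups,o=example": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=ian,ou=users,o=example", "cn=bob,ou=users,o=example"],
    },
    # Stale group: bob's user object claims membership, the group does not.
    "cn=web-block,ou=groups,o=example": {"objectClass": ["groupOfNames"],
                                         "member": []},
}

def escape_filter_value(value):
    """RFC 4515 escaping so a DN or name cannot change the filter structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def group_object_filter(user_dn):
    """Search a group-object lookup sends: which groups list this user."""
    return f"(&(objectClass=groupOfNames)(member={escape_filter_value(user_dn)}))"

def groups_via_user_object(user_dn):
    """User-object method: read the user's own membership list."""
    return set(DIRECTORY.get(user_dn, {}).get("groupMembership", []))

def groups_via_group_object(user_dn):
    """Group-object method: scan every group's member list for the user."""
    return {dn for dn, e in DIRECTORY.items() if user_dn in e.get("member", [])}

def membership_mismatch(user_dn):
    """Groups the two views disagree on. Non-empty means stale data that would
    allow or block the user depending on which method the WSA is set to use."""
    return groups_via_user_object(user_dn) ^ groups_via_group_object(user_dn)

def cheaper_lookup(user_dn, group_dn):
    """Answer's rule of thumb: scan whichever list is shorter."""
    user_len = len(groups_via_user_object(user_dn))
    group_len = len(DIRECTORY.get(group_dn, {}).get("member", []))
    return "user object" if user_len <= group_len else "group object"
```

Running membership_mismatch across all users before switching methods shows where the two attributes have drifted apart, which is the case where the choice changes the access decision rather than just its cost.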