Lenovo RD220 User Guide - Page 41


On Active Directory servers, this attribute name is usually sAMAccountName. On Novell eDirectory and OpenLDAP servers, it is usually uid. If this field is left blank, it defaults to uid.

Group Filter
This field is used for group authentication. Group authentication is attempted after the user's credentials are successfully verified; if group authentication fails, the logon attempt is denied. When a group filter is configured, it specifies which groups are authorized to log on to the service processor: the user must belong to at least one of the configured groups for group authentication to succeed.

If the Group Filter field is left blank, group authentication automatically succeeds. If the group filter is configured, an attempt is made to match at least one group in the list to a group to which the user belongs. If there is no match, the user fails authentication and is denied access. If there is at least one match, group authentication is successful. The comparisons are case sensitive, so each entry must match the group name exactly as it is stored in the directory.

The filter is limited to 511 characters and can consist of one or more group names. The colon (:) character must be used to delimit multiple group names. Leading and trailing spaces are ignored, but any other space is treated as part of the group name. A setting to allow or disallow the use of wildcards in group names is provided. The filter can be a specific group name (for example, IMMWest), a wildcard (*) that matches everything, or a wildcard with a prefix (for example, IMM*). The default filter is IMM*. A filter consisting of * alone effectively disables group authorization, since every group name matches it. If security policies in your installation prohibit the use of wildcards, you can choose to disallow them, in which case the wildcard character (*) is treated as an ordinary character instead of a wildcard.

A group name can be specified as a full DN or using only the cn portion. For example, a group with a DN of cn=adminGroup,dc=mycompany,dc=com can be specified using the full DN or as adminGroup.

For Active Directory environments only, nested group membership is supported. For example, if a user is a member of GroupA and GroupB and GroupA is a member of GroupC, the user is also treated as a member of GroupC. Nested searches stop after 128 groups have been searched. Groups at one level are searched before groups at the next lower level. Loops are not detected, so a circular membership chain is ended only by the 128-group limit.
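The group-filter rules above (colon delimiter, 511-character limit, trimming, optional wildcards, case-sensitive matching against either the full DN or the cn portion, and the Active Directory nested-membership search with its 128-group cap and no loop detection) worked through as an added Python model. This is not IMM firmware code and is not taken from the Lenovo guide: the group DNs, the member_of map standing in for directory lookups, and the function names are this example's own assumptions.

```python
"""Model of the IMM group-filter evaluation described on this page.

Constructed example, not IMM firmware. The rules come from the text; the
data structures (a member_of map in place of directory queries) and the
function names are assumptions made here for illustration.
"""
from __future__ import annotations

from collections import deque

MAX_FILTER_LEN = 511        # page: filter limited to 511 characters
MAX_NESTED_GROUPS = 128     # page: nested searches stop after 128 groups searched


def parse_group_filter(filter_text: str) -> list[str]:
    """Split the filter into group names: ':' delimits, leading/trailing
    spaces are dropped, interior spaces are kept, empty entries are ignored."""
    if len(filter_text) > MAX_FILTER_LEN:
        raise ValueError(f"group filter exceeds {MAX_FILTER_LEN} characters")
    return [name.strip(" ") for name in filter_text.split(":") if name.strip(" ")]


def group_cn(group_dn: str) -> str:
    """Return the cn portion of a group DN ('cn=adminGroup,dc=x' -> 'adminGroup')."""
    first_rdn = group_dn.split(",", 1)[0]
    if first_rdn.lower().startswith("cn="):
        return first_rdn[3:]
    return first_rdn


def entry_matches(entry: str, group_dn: str, allow_wildcards: bool) -> bool:
    """Case-sensitive match of one filter entry against one of the user's groups.

    A filter entry may name the full DN or only the cn. With wildcards
    allowed, a trailing '*' matches any prefix ('*' alone matches everything);
    with wildcards disallowed, '*' is an ordinary character.
    """
    candidates = (group_dn, group_cn(group_dn))
    if allow_wildcards and entry.endswith("*"):
        prefix = entry[:-1]
        return any(c.startswith(prefix) for c in candidates)
    return entry in candidates


def expand_nested_groups(direct_groups, member_of, *, active_directory: bool) -> list[str]:
    """Return every group the user is treated as a member of.

    Active Directory only: parents are discovered level by level (breadth
    first), the walk stops once MAX_NESTED_GROUPS groups have been searched,
    and loops are not detected, so the cap is what terminates a cycle.
    Other directories: direct membership only.
    """
    found = list(direct_groups)
    if not active_directory:
        return found
    queue = deque(direct_groups)
    searched = 0
    while queue and searched < MAX_NESTED_GROUPS:
        group = queue.popleft()
        searched += 1
        for parent in member_of.get(group, ()):
            found.append(parent)       # no loop detection: repeats are possible
            queue.append(parent)
    return found


def group_authentication(filter_text: str, user_groups, *, allow_wildcards: bool = True,
                         active_directory: bool = False, member_of=None) -> bool:
    """True if the user passes group authentication under the page's rules:
    a blank filter succeeds automatically; otherwise at least one entry must
    match at least one group the user belongs to."""
    entries = parse_group_filter(filter_text)
    if not entries:
        return True
    groups = expand_nested_groups(user_groups, member_of or {}, active_directory=active_directory)
    return any(entry_matches(e, g, allow_wildcards) for e in entries for g in groups)


if __name__ == "__main__":
    # Constructed directory data for the demo (assumed, not from the guide).
    west = "cn=IMMWest,dc=mycompany,dc=com"
    group_a = "cn=GroupA,dc=mycompany,dc=com"
    group_c = "cn=GroupC,dc=mycompany,dc=com"
    print(group_authentication("IMM*", [west]))                       # default filter, prefix wildcard
    print(group_authentication("IMM*", [west], allow_wildcards=False))  # '*' now literal: no match
    print(group_authentication("GroupC", [group_a], active_directory=True,
                               member_of={group_a: [group_c]}))      # nested membership on AD
```

The member_of map stands in for the directory's memberOf chain; in a real deployment the parents would come from LDAP queries, but the termination behaviour is the same: a cycle such as GroupA -> GroupB -> GroupA is only cut off by the 128-group cap, which is why the walk keeps a counter rather than a visited set.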
Binding Method
Before the LDAP server can be searched or queried, a bind request must be sent. This parameter controls how this initial bind to the LDAP server is performed. Choose from the following three options:
- Anonymously. Bind without a DN or password. This option is strongly discouraged because most servers are configured to not allow search requests on specific user records.
- w/ Configured Credentials. Bind with the configured client DN and password. These credentials are stored on the IMM, so use a dedicated directory account with only the read access the search requires.
- w/ Login Credentials. Bind with the credentials that are supplied during the login process. The user ID can be provided as a Distinguished Name, a fully qualified domain name, or a user ID that matches the UID Search Attribute that is configured on the IMM.
If the initial bind is successful, a search is performed to find an entry on the LDAP server that belongs to the user who is logging in. If necessary,
Chapter 3. Configuring the IMM 35
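The user-lookup step after the bind, as an added Python example that is not IMM firmware code and not from the Lenovo guide. The page says the login user ID may be a Distinguished Name, a fully qualified domain name, or a plain user ID matched against the UID Search Attribute (blank defaults to uid), and that the IMM then searches for the user's entry. This code shows how a client implementing that step would classify the supplied ID and build the search, escaping the value per RFC 4515 so that a crafted login name cannot change the filter's meaning. The classification rules, the use of userPrincipalName for the user@domain form, the base_dn parameter, and all function names are this example's assumptions.

```python
"""Building the user-entry search for the 'w/ Login Credentials' bind method.

Added example, not IMM code. The three accepted user ID forms and the
uid default are from the page; the DN/UPN classification, the search
attributes chosen for each form, and the RFC 4515 escaping are this
example's own choices.
"""
import re

# An LDAP DN begins with an attribute type followed by '=' (RFC 4514),
# e.g. 'cn=jdoe,ou=people,dc=mycompany,dc=com'.
_DN_START = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=")


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter (RFC 4515).

    '*', '(', ')', '\\' and NUL are encoded as \\xx; non-ASCII is encoded
    byte-wise from UTF-8. Without this, 'jdoe)(|(uid=*' would rewrite the filter.
    """
    out = []
    for b in value.encode("utf-8"):
        if b in b"*()\\\x00" or b >= 0x80:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def classify_login_id(login_id: str) -> str:
    """Return 'dn', 'fqdn' or 'uid' for the form of the supplied user ID (assumed rules)."""
    s = login_id.strip()
    if _DN_START.match(s):
        return "dn"
    if "@" in s:
        return "fqdn"
    return "uid"


def user_entry_search(login_id: str, uid_search_attribute: str = "", base_dn: str = "") -> dict:
    """Describe the bind identity and the LDAP search that locates the user's entry.

    Returns a dict with form, bind_name, base, scope and filter.
    """
    s = login_id.strip()
    attr = uid_search_attribute.strip() or "uid"   # page: blank field defaults to uid
    form = classify_login_id(s)
    if form == "dn":
        # The DN already names the entry: read it directly with a base-scope search.
        return {"form": form, "bind_name": s, "base": s, "scope": "base",
                "filter": "(objectClass=*)"}
    if form == "fqdn":
        # user@domain form; on Active Directory this is the UPN (assumption: search that attribute).
        return {"form": form, "bind_name": s, "base": base_dn, "scope": "subtree",
                "filter": f"(userPrincipalName={escape_filter_value(s)})"}
    # Plain user ID: match the configured UID Search Attribute.
    return {"form": form, "bind_name": s, "base": base_dn, "scope": "subtree",
            "filter": f"({attr}={escape_filter_value(s)})"}


if __name__ == "__main__":
    # Constructed inputs for the demo.
    base = "dc=mycompany,dc=com"
    print(user_entry_search("jdoe", "sAMAccountName", base)["filter"])
    print(user_entry_search("jdoe@mycompany.com", "", base)["filter"])
    print(user_entry_search("cn=jdoe,ou=people," + base, "uid")["scope"])
    # A hostile login name is neutralised by the escaping:
    print(user_entry_search("jdoe)(|(uid=*", "sAMAccountName", base)["filter"])
```

The search filter is the one place where the login name, which is attacker-controlled until the bind succeeds, is interpolated into a query, so the escaping is the check to look for when reviewing any LDAP client that implements this step.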