Lenovo RD220 User Guide - Page 41
On Active Directory servers, this attribute name is usually sAMAccountName. On Novell eDirectory and OpenLDAP servers, it is usually uid. If this field is left blank, it defaults to uid.

Group Filter

This field is used for group authentication. Group authentication is attempted after the user's credentials are successfully verified. If group authentication fails, the user's attempt to log on is denied. When the group filter is configured, it is used to specify to which groups the service processor belongs. This means that the user must belong to at least one of the groups that are configured for group authentication to succeed.

If the Group Filter field is left blank, group authentication automatically succeeds. If the group filter is configured, an attempt is made to match at least one group in the list to a group to which the user belongs. If there is no match, the user fails authentication and is denied access. If there is at least one match, group authentication is successful. The comparisons are case sensitive.

The filter is limited to 511 characters and can consist of one or more group names. The colon (:) character must be used to delimit multiple group names. Leading and trailing spaces are ignored, but any other space is treated as part of the group name. A selection to allow or not allow the use of wildcards in the group name is provided. The filter can be a specific group name (for example, IMMWest), a wildcard (*) that matches everything, or a wildcard with a prefix (for example, IMM*). The default filter is IMM*. If security policies in your installation prohibit the use of wildcards, you can choose to not allow the use of wildcards, and the wildcard character (*) is treated as a normal character instead of the wildcard.

A group name can be specified as a full DN or using only the cn portion. For example, a group with a DN of cn=adminGroup,dc=mycompany,dc=com can be specified using the actual DN or with adminGroup.
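The Group Filter rules described above can be modelled offline to check what a given filter string would admit before it is applied to an IMM. This is an added example, not code from the manual or from Lenovo firmware. It assumes that the user's groups are available as DNs without escaped commas, that a wildcard is only honoured as a trailing *, and that empty names between colons are ignored; all function names are hypothetical.

```python
# Added example; models the manual's Group Filter text, not Lenovo firmware code.
# Assumptions: groups arrive as DNs without escaped commas; "*" is only a trailing wildcard.
SAMPLE_GROUPS = [  # constructed; first DN is the manual's own example
    "cn=adminGroup,dc=mycompany,dc=com",
    "cn=IMMWest,dc=mycompany,dc=com",
]


def parse_filter(group_filter):
    """Split on ':' and drop leading/trailing spaces; inner spaces are kept."""
    if len(group_filter) > 511:
        raise ValueError("group filter is limited to 511 characters")
    return [n.strip(" ") for n in group_filter.split(":") if n.strip(" ")]


def cn_of(group_dn):
    """Return the cn value of the DN's first RDN, or None."""
    attr, sep, value = group_dn.split(",", 1)[0].partition("=")
    return value if sep and attr.strip().lower() == "cn" else None


def entry_matches(entry, group_dn, allow_wildcards):
    """Case-sensitive match of one filter entry against the full DN or its cn."""
    candidates = [c for c in (group_dn, cn_of(group_dn)) if c is not None]
    if allow_wildcards and entry.endswith("*"):
        # "*" alone leaves an empty prefix, which matches every group
        return any(c.startswith(entry[:-1]) for c in candidates)
    return entry in candidates  # wildcards off: "*" is an ordinary character


def group_auth(group_filter, user_group_dns, allow_wildcards=True):
    """Return (allowed, reason) per the documented Group Filter behaviour."""
    entries = parse_filter(group_filter)
    if not entries:
        return True, "blank filter: group authentication automatically succeeds"
    for entry in entries:
        for dn in user_group_dns:
            if entry_matches(entry, dn, allow_wildcards):
                return True, f"entry {entry!r} matched {dn!r}"
    return False, "no configured group matched: logon denied"


def audit(group_filter, allow_wildcards=True):
    """List filter settings that admit more than an explicit group list would."""
    entries = parse_filter(group_filter)
    findings = [] if entries else ["blank filter: group check always succeeds"]
    if allow_wildcards:
        findings += [f"wildcard entry {e!r}" for e in entries if e.endswith("*")]
    return findings
```

Running audit() on the default filter IMM* returns one wildcard finding, and group_auth("", ...) returns allowed for any group list, which is the blank-filter behaviour the manual describes.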
For Active Directory environments only, nested group membership is supported. For example, if a user is a member of GroupA and GroupB and GroupA is a member of GroupC, the user is said to be a member of GroupC also. Nested searches stop if 128 groups have been searched. Groups in one level are searched before groups in a lower level. Loops are not detected.

Binding Method

Before the LDAP server can be searched or queried, a bind request must be sent. This parameter controls how this initial bind to the LDAP server is performed. Choose from the following three options:

- Anonymously. Bind without a DN or password. This option is strongly discouraged because most servers are configured to not allow search requests on specific user records.
- w/ Configured Credentials. Bind with configured client DN and password.
- w/ Login Credentials. Bind with the credentials that are supplied during the login process. The user ID can be provided through a Distinguished Name, a fully qualified domain name, or a user ID that matches the UID Search Attribute that is configured on the IMM.

If the initial bind is successful, a search is performed to find an entry on the LDAP server that belongs to the user who is logging in. If necessary,

Chapter 3. Configuring the IMM 35