Dell Powerconnect W-ClearPass Hardware Appliances W-ClearPass Policy Manager 6 - Page 134

Table 61: AD/LDAP Default Filters Explained Directory Default Filters Active Directory l Authentication: This is the filter used for authentication. The query searches in objectClass of type user. This query finds both user and machine accounts in Active Directory: (&(objectClass=user)(sAMAccountName=%{Authentication:Username})) When a request arrives, Policy Manager populates %{Authentication:Username} with the authenticating user or machine. This filter is also set up to fetch the following attributes based on this filter query: n dn (aliased to UserDN): This is an internal attribute that is populated with the user or machine record's Distinguished Name (DN) n department n title n company n memberOf: In Active Directory, this attribute is populated with the groups that the user or machine belongs to. This is a multi-valued attribute. n telephoneNumber n mail n displayName l Group: This is filter used for retrieving the name of the groups a user or machine belongs to. (distinguishedName=%{memberOf}) This query fetches all group records, where the distinguished name is the value returned by the memberOf variable. The values for the memberOf attribute are fetched by the first filter (Authentication) described above. The attribute fetched with this filter query is cn, which is the name of the group l Machine: This query fetches the machine record in Active Directory. (&(objectClass=computer)(sAMAccountName=%{Host:Name}$)) %{Host:Name} is populated by Policy Manager with name of the connecting host (if available). dNSHostName, operatingSystem and operatingSystemServicePack attributes are fetched with this filter query. l Onboard Device Owner: This is the filter for retrieving the name of the owner the onboard device belongs to. This query finds the user in the ACtive Directory. (&(sAMAccountName=%{Onboard:Owner})(objectClass=user)) %{Onboard:Owner} is populated by Policy Manager with the name of the onboarded user. l Onboard Device Owner Group: This filter is used for retrieving the name of the group the onboarded device owner belongs to. (distinguishedName=%{Onboard memberOf}) This query fetches all group records where the distinguished name is the value returned by the Onboard memberOf variable. The attribute fetched with this filter query is cn, which is the name of the Onboard group Generic LDAP Directory Authentication: This is the filter used for authentication. (&(objectClass=*)(uid=%{Authentication:Username})) When a request arrives, Policy Manager populates %{Authentication:Username} with the authenticating user or machine. This filter is also set up to fetch the following attributes based on this filter query: n dn (aliased to UserDN): This is an internal attribute that is populated with the user record's Distinguished Name (DN) Group: This is filter used for retrieving the name of the groups a user belongs to. (&(objectClass=groupOfNames)(member=%{UserDn})) n This query fetches all group records (of objectClass groupOfNames), where member field contains the DN of the user record (UserDN, which is populated after the Authentication filter query is executed. The attribute fetched with this filter query is cn, which is the name of the group (this is aliased to a more readable name: groupName) 134 Dell Networking W-ClearPass Policy Manager 6.0 | User Guide