AudioCodes Mediant 800B MSBR User Manual page 218

Multi-service business router; session border controller
Notes:
- The Management LDAP Groups table is applicable only to LDAP-based login
  authentication and authorization queries.
- If the LDAP response received by the device includes multiple groups of which the
  user is a member and you have configured different access levels for some of
  these groups, the device assigns the user the highest access level. For example, if
  the user is a member of two groups where one has access level "Monitor" and the
  other "Administrator", the device assigns the user the "Administrator" access level.
- When the access level is unknown, the device assigns the default access level to
  the user, configured by the 'Default Access Level' parameter in the Authentication
  Settings page (Configuration tab > System menu > Management >
  Authentication Settings). This can occur in the following scenarios:
  - The user is not a member of any group.
  - The group of which the user is a member is not configured on the device (as
    described in this section).
  - The device is not configured to query the LDAP server for a management
    attribute (see "Configuring LDAP Servers" on page 212).

Group objects represent groups in the LDAP server of which the user is a member. The
access level represents the user account's permissions and rights in the device's
management interface (e.g., Web and CLI). The access level can be Monitor,
Administrator, or Security Administrator. For an explanation of the privileges of each level,
see "Configuring Web User Accounts" on page 64.
When the username-password authentication with the LDAP server succeeds, the device
searches the LDAP server for all groups of which the user is a member. The LDAP query is
based on the following LDAP data structure:
- Search base object (distinguished name or DN, e.g.,
  "ou=ABC,dc=corp,dc=abc,dc=com"), which defines the location in the directory from
  which the LDAP search begins. This is configured in "Configuring LDAP DNs (Base
  Paths) per LDAP Server" on page 216.
- Filter (e.g., "(&(objectClass=person)(sAMAccountName=johnd))"), which filters the
  search in the subtree to include only the login username (and excludes others). This is
  configured by the 'LDAP Authentication Filter' parameter.
- Attribute (e.g., "memberOf") to return from objects that match the filter criteria. This
  attribute is configured by the 'Management Attribute' parameter in the LDAP
  Configuration table.
The LDAP response includes all the groups of which the specific user is a member, for
example:
CN=\# Support Dept,OU=R&D Groups,OU=Groups,OU=APC,OU=Japan,OU=ABC,DC=corp,DC=abc,DC=com
CN=\#AllCellular,OU=Groups,OU=APC,OU=Japan,OU=ABC,DC=corp,DC=abc,DC=com
The device searches this LDAP response for the group names that you configured in the
Management LDAP Groups table in order to determine the user's access level. If the
device finds a group name, the user is assigned the corresponding access level and login
is permitted; otherwise, login is denied. Once the LDAP response has been received
(success or failure), the LDAP session terminates.
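
The group-to-level resolution described in the notes above (highest configured level wins, default level when no configured group is found), as an added example that is not AudioCodes code. It assumes groups are compared by their CN, case-insensitively; the table shape, the function names and the group-to-level assignments are hypothetical.

```python
# Added illustration, not AudioCodes code. Comparing on the group's CN,
# case-insensitively, is an assumption about how names are matched.
import re

# Lowest to highest; placing Security Administrator on top is assumed.
LEVELS = ["Monitor", "Administrator", "Security Administrator"]

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]        # keep the escape pair together
            i += 2
        elif dn[i] == ",":
            parts.append(cur)
            cur = ""
            i += 1
        else:
            cur += dn[i]
            i += 1
    parts.append(cur)
    return parts

def group_cn(dn):
    """Return the unescaped value of the leading CN= RDN, or None."""
    first = split_rdns(dn)[0].strip()
    if not first.upper().startswith("CN="):
        return None
    # Single-character escapes only ("\#" -> "#"); hex pairs are not handled.
    return re.sub(r"\\(.)", r"\1", first[3:])

def effective_level(member_of, group_table, default_level):
    """group_table maps a group CN to an access level (hypothetical shape)."""
    table = {cn.lower(): lvl for cn, lvl in group_table.items()}
    found = [table[cn.lower()] for cn in map(group_cn, member_of)
             if cn and cn.lower() in table]
    if not found:
        return default_level             # the "access level is unknown" case
    return max(found, key=LEVELS.index)  # highest access level wins

# memberOf values taken from the example LDAP response on this page.
MEMBER_OF = [
    r"CN=\# Support Dept,OU=R&D Groups,OU=Groups,OU=APC,OU=Japan,OU=ABC,DC=corp,DC=abc,DC=com",
    r"CN=\#AllCellular,OU=Groups,OU=APC,OU=Japan,OU=ABC,DC=corp,DC=abc,DC=com",
]
# Constructed table: which group maps to which level is made up here.
TABLE = {"# Support Dept": "Monitor", "#AllCellular": "Administrator"}
```

Running the same function over each directory account's memberOf values shows which users would fall through to the default level, which is the case worth reviewing when the default is a privileged one.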
The following procedure describes how to configure an access level per management
group in the Web interface. You can also configure this using the table ini file parameter
MgmntLDAPGroups or the CLI command configure voip > ldap > mgmt-ldap-groups.
User's Manual
218
Mediant 800B MSBR
Document #: LTRT-12813
