Searching The Hierarchy - Cisco FirePOWER ASA 5500 series Configuration Manual

Appendix E    Configuring an External Server for Authorization and Authentication
Configuring an External LDAP Server

Searching the Hierarchy

The security appliance lets you tailor the search within the LDAP hierarchy. You configure the following
three fields on the security appliance to define where in the LDAP hierarchy your search begins, its
extent, and the type of information it is looking for. Together these fields allow you to limit the search
of the hierarchy to just the part of the tree that contains the user permissions.

LDAP Base DN defines where in the LDAP hierarchy the server should begin searching for user
information when it receives an authorization request from the security appliance.

Search Scope defines the extent of the search in the LDAP hierarchy. The search proceeds this many
levels in the hierarchy below the LDAP Base DN. You can choose to have the server search only the
level immediately below, or it can search the entire subtree. A single-level search is quicker, but a
subtree search is more extensive.

Naming Attribute(s) defines the Relative Distinguished Name (RDN) that uniquely identifies an
entry in the LDAP server. Common naming attributes are cn (Common Name) and uid (user
identification).

Figure E-1 shows a possible LDAP hierarchy for Example Corporation. Given this hierarchy, you could
define your search in different ways. Table E-1 shows two possible search configurations.

In the first example configuration, when Terry establishes his or her IPSec tunnel with LDAP
authorization required, the security appliance sends a search request to the LDAP server indicating it
should search for Terry in the Engineering group. This search is quick.

In the second example configuration, the security appliance sends a search request indicating the server
should search for Terry within Example Corporation. This search takes longer.

Figure E-1    A Multi-Level LDAP Hierarchy
[Figure: Example.com.com Enterprise LDAP Hierarchy. Root/Top: dc=ExampleCorp, dc=com. OU=Organization Units: People, Equipment. Groups/Departments: Engineering, Marketing, HR. Users: cn=terry (Engineering), cn=robin and cn=bobbie (Marketing), cn=lynn (HR).]

Table E-1    Example Search Configurations

#   LDAP Base DN                                               Search Scope   Naming Attribute   Result
1   group=Engineering,ou=People,dc=ExampleCorporation,dc=com   One Level      cn=Terry           Quicker search
2   dc=ExampleCorporation,dc=com                               Subtree        cn=Terry           Longer search

Cisco Security Appliance Command Line Configuration Guide    OL-10088-01    E-4
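The two configurations in Table E-1 and the scope rules above, as an added example that is not part of the Cisco guide: a small Python model of an LDAP directory populated with the entries shown in Figure E-1 (constructed data), showing how Base DN, Search Scope and Naming Attribute together determine which entries the server must examine. It also includes a one-level search from the root, to show the failure mode a too-narrow scope produces.

```python
# Constructed directory modelled on Figure E-1 (not the guide's own data):
# each entry is a DN, and the tree shape is implied by the DN suffixes.
DIRECTORY = [
    "dc=ExampleCorporation,dc=com",
    "ou=People,dc=ExampleCorporation,dc=com",
    "ou=Equipment,dc=ExampleCorporation,dc=com",
    "group=Engineering,ou=People,dc=ExampleCorporation,dc=com",
    "group=Marketing,ou=People,dc=ExampleCorporation,dc=com",
    "group=HR,ou=People,dc=ExampleCorporation,dc=com",
    "cn=Terry,group=Engineering,ou=People,dc=ExampleCorporation,dc=com",
    "cn=Robin,group=Marketing,ou=People,dc=ExampleCorporation,dc=com",
    "cn=Bobbie,group=Marketing,ou=People,dc=ExampleCorporation,dc=com",
    "cn=Lynn,group=HR,ou=People,dc=ExampleCorporation,dc=com",
]


def rdns(dn):
    """Split a DN into its RDN components, lower-cased for comparison."""
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(entry, base, scope):
    """True if `entry` lies within `scope` of `base` (RFC 4511 scope semantics)."""
    e, b = rdns(entry), rdns(base)
    if e[-len(b):] != b:      # entry is not under the base DN at all
        return False
    depth = len(e) - len(b)   # 0 = the base entry itself
    if scope == "base":
        return depth == 0
    if scope == "onelevel":   # the appliance's "One Level": immediate children only
        return depth == 1
    if scope == "subtree":    # the appliance's "Subtree": base and everything below
        return True
    raise ValueError(f"unknown scope {scope!r}")


def ldap_search(base, scope, naming_attr, value, directory=DIRECTORY):
    """Simulate the authorization lookup the appliance asks the server to do.

    Returns (matches, examined): matches are DNs whose own RDN is
    naming_attr=value; examined counts the in-scope entries the server had
    to evaluate, which is why the subtree search is the slower of the two.
    """
    wanted = f"{naming_attr}={value}".lower()
    candidates = [dn for dn in directory if in_scope(dn, base, scope)]
    matches = [dn for dn in candidates if rdns(dn)[0] == wanted]
    return matches, len(candidates)
```

Configuration 1 examines a single entry and configuration 2 all ten; a one-level search from dc=ExampleCorporation,dc=com examines only the two organizational units and never reaches Terry, so authorization would fail.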