AudioCodes Mediant 4000 SBC User's Manual, page 249
CHAPTER 16    Services
CN=\# Support Dept,OU=R&D Groups,OU=Groups,OU=APC,OU=Japan,OU=ABC,DC=corp,DC=abc,DC=com
CN=\#AllCellular,OU=Groups,OU=APC,OU=Japan,OU=ABC,DC=corp,DC=abc,DC=com
(The leading "#" in these group names is written as "\#" because a leading "#" in a DN attribute value must be escaped per RFC 4514; configure the group DN exactly as the directory returns it, escape included.)
The device then assigns the user the access level configured for that group (in Configuring Access Level per Management Groups Attributes). The location in the directory where you want to search for the user's member group(s) is configured using the following:
- Search base object (distinguished name or DN, e.g., "ou=ABC,dc=corp,dc=abc,dc=com"), which defines the location in the directory from where the LDAP search begins. It is configured in Configuring LDAP DNs (Base Paths) per LDAP Server.
- Search filter, for example, (&(objectClass=person)(sAMAccountName=JohnD)), which narrows the search of the subtree to the specific username. The search filter can be configured with the dollar ($) sign to represent the username, for example, (sAMAccountName=$). To configure the search filter, see Configuring the LDAP Search Filter.
- Management attribute (e.g., memberOf), from which the objects matching the search filter are returned. This attribute lists the user's member groups. It is configured in the LDAP Servers table (see Configuring LDAP Servers).
If the device finds a group that matches one of the configured management groups, it assigns the user the corresponding access level and permits login; otherwise, login is denied. Once the LDAP response has been received (success or failure), the device ends the LDAP session.
LDAP-based Management services: This LDAP service works together with the LDAP-based management account (described above), allowing you to use different LDAP service accounts for user authentication and for user authorization:
- Management-type LDAP server: This LDAP server account is used only for user authentication. For more information about how it works, see Management-related LDAP Queries, above.
- Management Service-type LDAP server: This LDAP server account is used only for user authorization (i.e., determining the user's management access level and privileges). The device keeps an always-on connection to this LDAP server and binds with a configured (fixed) LDAP username (Bind Name) and password. The device queries this Management Service-type LDAP server account for authorization only after user authentication has succeeded. Management groups and DNs are therefore configured only for this LDAP server account (instead of for the regular LDAP-based management account).
Thus, user authorization is performed by a specific LDAP "administrator" account with a fixed username and password, while user authentication is performed by the user itself (i.e., binding to the LDAP server with each user's own username and password). Having a dedicated LDAP account for authorization may provide additional security by preventing ordinary users from accessing the authorization settings in the LDAP server.
For all the previously discussed LDAP services, the following additional LDAP functionality is supported:
- Search method for searching DN object records between LDAP servers and within each LDAP server (see Configuring LDAP Search Methods).
- Default access level that is assigned to the user if the queried response does not contain an access level.
- Local Users table for authenticating users instead of the LDAP server (for example, when a communication problem occurs with the server). For more information, see Configuring Local Database for Management User Authentication.
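The two-step login described above (authenticate by binding as the user, then look up the user's member groups over the fixed service-account connection and map a configured group DN to an access level, falling back to the default access level), as an added example that is not part of this manual or of AudioCodes' software. It is an offline Python model: the directory is an in-memory stand-in constructed for the example, the two group DNs are the ones quoted on this page, and the access-level names "Security Administrator" and "Monitor" are assumed. The example also escapes the value substituted for "$" in the search filter per RFC 4515; that is general practice for any client that builds filters from user input, and this page does not state how the device itself treats the substituted username.

```python
"""Added example (not AudioCodes code): an offline model of the LDAP-based
management login flow. Step 1 authenticates by binding as the user; step 2,
run over the fixed service-account connection, searches the user's entry,
reads the management attribute (memberOf) and maps the first configured
management group DN to an access level. Directory contents are constructed
for this example; the access-level names are assumed."""
import re
from typing import Optional

# --- Configuration, mirroring the settings the manual names (constructed) ---
SEARCH_BASE = "ou=ABC,dc=corp,dc=abc,dc=com"
SEARCH_FILTER = "(&(objectClass=person)(sAMAccountName=$))"  # "$" stands for the username
MGMT_ATTRIBUTE = "memberOf"
# Management group DN -> access level (DNs as quoted in the manual; level names assumed)
MGMT_GROUPS = {
    "CN=\\# Support Dept,OU=R&D Groups,OU=Groups,OU=APC,OU=Japan,OU=ABC,DC=corp,DC=abc,DC=com": "Security Administrator",
    "CN=\\#AllCellular,OU=Groups,OU=APC,OU=Japan,OU=ABC,DC=corp,DC=abc,DC=com": "Monitor",
}
DEFAULT_ACCESS_LEVEL: Optional[str] = None  # e.g. "Monitor" to admit users with no matching group

# --- Constructed in-memory stand-in for the LDAP server ---------------------
DIRECTORY = {
    "cn=John Doe,ou=Users,ou=APC,ou=Japan,ou=ABC,dc=corp,dc=abc,dc=com": {
        "objectClass": ["person"], "sAMAccountName": ["JohnD"], "userPassword": ["s3cret"],
        "memberOf": ["cn=\\#AllCellular,ou=Groups,ou=APC,ou=Japan,ou=ABC,dc=corp,dc=abc,dc=com"],
    },
    "cn=Jane Roe,ou=Users,ou=APC,ou=Japan,ou=ABC,dc=corp,dc=abc,dc=com": {
        "objectClass": ["person"], "sAMAccountName": ["JaneR"], "userPassword": ["pa55"],
        "memberOf": ["cn=Sales,ou=Groups,ou=APC,ou=Japan,ou=ABC,dc=corp,dc=abc,dc=com"],
    },
}

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of a value placed into a search filter, so that a login
    name such as '*' or 'x)(objectClass=*' cannot change the filter's meaning."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, username: str) -> str:
    """Replace the '$' placeholder with the escaped username."""
    return template.replace("$", escape_filter_value(username))


def normalize_dn(dn: str) -> str:
    """Case-fold and drop whitespace around unescaped commas so that 'CN=X, OU=Y'
    and 'cn=x,ou=y' compare equal (a simplification of RFC 4517 DN matching)."""
    return ",".join(p.strip().lower() for p in re.split(r"(?<!\\),", dn))


def search_user(base: str, username: str) -> Optional[dict]:
    """Subtree search under `base` for the person whose sAMAccountName is `username`.
    `ldap_filter` is the string a real client would send; the loop applies its two
    assertions to the in-memory directory (sAMAccountName compares case-insensitively)."""
    ldap_filter = build_search_filter(SEARCH_FILTER, username)  # noqa: F841 (shown for reference)
    base_n = normalize_dn(base)
    for dn, attrs in DIRECTORY.items():
        if (normalize_dn(dn).endswith("," + base_n)
                and "person" in attrs["objectClass"]
                and username.lower() in (s.lower() for s in attrs["sAMAccountName"])):
            return attrs
    return None


def authenticate(username: str, password: str) -> bool:
    """Step 1: bind as the user (modelled here as a password compare on the entry)."""
    entry = search_user(SEARCH_BASE, username)
    return entry is not None and password in entry["userPassword"]


def authorize(username: str) -> Optional[str]:
    """Step 2, over the fixed service-account connection: read the management
    attribute and return the access level of the first configured group found,
    or the default access level when no configured group matches."""
    entry = search_user(SEARCH_BASE, username)
    if entry is None:
        return None
    wanted = {normalize_dn(g): level for g, level in MGMT_GROUPS.items()}
    for group_dn in entry.get(MGMT_ATTRIBUTE, []):
        level = wanted.get(normalize_dn(group_dn))
        if level is not None:
            return level
    return DEFAULT_ACCESS_LEVEL


def login(username: str, password: str) -> Optional[str]:
    """Authentication first; authorization only if it succeeds. None means login denied."""
    if not authenticate(username, password):
        return None
    return authorize(username)


if __name__ == "__main__":
    for user, pw in [("JohnD", "s3cret"), ("JohnD", "wrong"), ("JaneR", "pa55"), ("JohnD)(cn=*", "x")]:
        print(f"{user!r}: {login(user, pw)}")
```

Running the block shows the four outcomes the text implies: a user in a configured group gets that group's access level, a wrong password is denied before any authorization lookup happens, a valid user in no configured group gets the default access level (here None, i.e. denied), and a login name carrying filter syntax is escaped rather than widening the search. Two points worth carrying into a real deployment: group DNs returned by the directory are compared after normalisation, because the case and spacing the directory uses will not always match what was typed into the management groups table; and whatever replaces "$" in the search filter must be escaped per RFC 4515, which should be verified on the device rather than assumed.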
- 216 -
Mediant 4000 SBC | User's Manual