Lenovo RD220 - ThinkServer - 3798 User Manual page 41

Integrated management module user guide

On Active Directory servers, this attribute name is usually
sAMAccountName. On Novell eDirectory and OpenLDAP servers, it is
usually uid. If this field is left blank, it defaults to uid.
Group Filter
This field is used for group authentication. Group authentication is
attempted after the user's credentials are successfully verified. If group
authentication fails, the user's attempt to log on is denied. When the
group filter is configured, it is used to specify to which groups the service
processor belongs. This means that the user must belong to at least one of
the groups that are configured for group authentication to succeed.
If the Group Filter field is left blank, group authentication automatically
succeeds. If the group filter is configured, an attempt is made to match at
least one group in the list to a group to which the user belongs. If there is
no match, the user fails authentication and is denied access. If there is at
least one match, group authentication is successful. The comparisons are
case sensitive.
The filter is limited to 511 characters and can consist of one or more
group names. The colon (:) character must be used to delimit multiple
group names. Leading and trailing spaces are ignored, but any other
space is treated as part of the group name. A selection to allow or not
allow the use of wildcards in the group name is provided. The filter can
be a specific group name (for example, IMMWest), a wildcard (*) that
matches everything, or a wildcard with a prefix (for example, IMM*). The
default filter is IMM*. If security policies in your installation prohibit the
use of wildcards, you can choose to not allow the use of wildcards, and
the wildcard character (*) is treated as a normal character instead of the
wildcard.
A group name can be specified as a full DN or using only the cn portion.
For example, a group with a DN of
cn=adminGroup,dc=mycompany,dc=com can be specified using the actual
DN or with adminGroup.
For Active Directory environments only, nested group membership is
supported. For example, if a user is a member of GroupA and GroupB
and GroupA is a member of GroupC, the user is said to be a member of
GroupC also. Nested searches stop if 128 groups have been searched.
Groups in one level are searched before groups in a lower level. Loops
are not detected.
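
The Group Filter rules above (colon-delimited names, case-sensitive comparison, optional trailing wildcard, DN or cn form, blank filter always succeeding) can be modeled to review a filter before it is saved. This is an added example, not IMM firmware code; the function names, the per-name trimming of spaces, the DN-versus-cn matching and the sample memberships are assumptions.

```python
MAX_FILTER_LEN = 511  # limit stated in the manual


def cn_of(name):
    """Return the cn value of a DN; a bare name is returned unchanged.
    Simplification: escaped commas inside the cn are not handled."""
    first = name.split(",", 1)[0].strip()
    return first[3:].strip() if first[:3].lower() == "cn=" else name


def parse_filter(raw):
    """Split the colon-delimited filter and trim each name (assumed per-name)."""
    if len(raw) > MAX_FILTER_LEN:
        raise ValueError("group filter exceeds 511 characters")
    return [part.strip() for part in raw.split(":") if part.strip()]


def entry_matches(entry, group, allow_wildcards):
    """Case-sensitive comparison of one filter entry with one user group."""
    if allow_wildcards and entry.endswith("*"):
        prefix = entry[:-1]
        return group.startswith(prefix) or cn_of(group).startswith(prefix)
    # Exact match on the full DN or on the group's cn portion; with
    # wildcards disallowed, '*' is compared as an ordinary character.
    return entry == group or entry == cn_of(group)


def group_auth(raw_filter, user_groups, allow_wildcards=True):
    entries = parse_filter(raw_filter)
    if not entries:
        return True  # blank filter: group authentication automatically succeeds
    return any(entry_matches(e, g, allow_wildcards)
               for e in entries for g in user_groups)


def audit(raw_filter, allow_wildcards=True):
    """Flag settings that admit every authenticated directory user."""
    entries = parse_filter(raw_filter)
    findings = []
    if not entries:
        findings.append("blank filter: group check always succeeds")
    if allow_wildcards and "*" in entries:
        findings.append("'*' matches every group")
    return findings


# Constructed sample memberships (not from the manual).
ALICE = ["cn=IMMWest,ou=groups,dc=mycompany,dc=com"]
BOB = ["cn=helpdesk,ou=groups,dc=mycompany,dc=com"]
```

In this model the default filter IMM* admits ALICE and rejects BOB, while a blank filter admits both; audit() reports the blank and bare-wildcard cases.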
Binding Method
Before the LDAP server can be searched or queried, a bind request must
be sent. This parameter controls how this initial bind to the LDAP server
is performed. Choose from the following three options:
– Anonymously. Bind without a DN or password. This option is
strongly discouraged because most servers are configured to not allow
search requests on specific user records.
– w/ Configured Credentials. Bind with configured client DN and
password.
– w/ Login Credentials. Bind with the credentials that are supplied
during the login process. The user ID can be provided through a
Distinguished Name, a fully qualified domain name, or a user ID that
matches the UID Search Attribute that is configured on the IMM.
If the initial bind is successful, a search is performed to find an entry on
the LDAP server that belongs to the user who is logging in. If necessary,
Chapter 3. Configuring the IMM
35


This manual is also suitable for:

Thinkserver td200, Thinkserver td200x, Thinkserver series
