IBM BladeCenter Management Module User Manual page 51

3. To configure the search attributes, use the following information.
UID Search Attribute
When the binding method selected is Anonymous authentication or Client
authentication, the initial bind to the LDAP server is followed by a search
request directed at retrieving specific information about the user, including
the distinguished name, login permissions, and group ownerships of the
user. To retrieve this information, the search request must specify the
attribute name used to represent user IDs on that server. Specifically, this
name is used as a search filter against the login ID entered by the user.
This attribute name is configured here. If this field is left blank, a default of
UID is used during user authentication. For example, on Active Directory
servers, the attribute name used for user IDs is often sAMAccountName.
When the binding method selected is User principal name or Strict user
principal name, the UID Search Attribute field defaults automatically to
userPrincipalName during user authentication if the user ID entered has the
form userid@somedomain.
Group Search Attribute
When the Group Filter name is configured, it is necessary to retrieve from
the LDAP server the list of groups to which a particular user belongs. This
is required to perform group authentication. To retrieve this list, the search
filter sent to the server must specify the attribute name associated with
groups. This field specifies this attribute name.
If this field is left blank, the attribute name in the filter will default to
memberOf.
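The two search attributes above determine the filter the management module sends after the initial bind. The following is an added example, not code from the IBM manual or the module firmware: it derives that filter from the configured fields using the defaults the text describes (UID when the UID field is blank, userPrincipalName for the UPN binding methods when the ID has the form userid@somedomain, memberOf for a blank group field), and escapes the user-entered login ID per RFC 4515 before substituting it, so the login ID can only ever be matched as a value and never rewrite the filter. The class and function names and the login-permission attribute name used in the demo are my own assumptions.

```python
"""Added example (not part of the IBM manual): build the LDAP search request
the management module's description implies from the configured search
attributes.  Class and function names are my own choices, not the firmware's."""
from dataclasses import dataclass


def escape_filter_value(value: str) -> str:
    """Escape a user-entered value for use inside an LDAP search filter
    (RFC 4515 \\xx escapes), so that '*', '(', ')', '\\' and NUL in the login
    ID cannot change the structure of the filter it is substituted into.
    Non-ASCII characters are escaped byte by byte as UTF-8."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"\\*()" or byte == 0 or byte > 0x7F:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


@dataclass
class LdapSearchSettings:
    """The search attribute fields as described on this page."""
    binding_method: str                   # "anonymous", "client", "upn", "strict_upn"
    uid_search_attribute: str = ""        # blank -> default chosen below
    group_search_attribute: str = ""      # blank -> memberOf
    login_permission_attribute: str = ""  # blank -> read-only default, nothing requested


def effective_uid_attribute(settings: LdapSearchSettings, login_id: str) -> str:
    """Attribute the login ID is matched against.  A configured value wins;
    otherwise userPrincipalName for the UPN binding methods when the ID has
    the form userid@somedomain, and uid in every other case (my reading of
    the manual's two default rules)."""
    if settings.uid_search_attribute:
        return settings.uid_search_attribute
    if settings.binding_method in ("upn", "strict_upn") and "@" in login_id:
        return "userPrincipalName"
    return "uid"


def build_user_search(settings: LdapSearchSettings, login_id: str):
    """Return (search filter, attributes to request) for the post-bind search
    that retrieves the user's DN, group memberships and login permissions."""
    attribute = effective_uid_attribute(settings, login_id)
    search_filter = "(%s=%s)" % (attribute, escape_filter_value(login_id))
    requested = [settings.group_search_attribute or "memberOf"]
    if settings.login_permission_attribute:
        requested.append(settings.login_permission_attribute)
    return search_filter, requested


if __name__ == "__main__":
    # Constructed settings: an Active Directory style server, client binding.
    # "loginPermissionAttr" is a placeholder name, not a real schema attribute.
    ad = LdapSearchSettings("client", uid_search_attribute="sAMAccountName",
                            login_permission_attribute="loginPermissionAttr")
    print(build_user_search(ad, "jdoe"))
    # A login ID containing filter metacharacters is matched literally.
    print(build_user_search(ad, "*)(sAMAccountName=*"))
    print(build_user_search(LdapSearchSettings("upn"), "jdoe@example.com"))
```

A quick check worth running against your own directory: submit the filter for a login ID such as `*` and confirm the server returns zero entries rather than every user, which tells you the escaping is actually in the path.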
Login Permission Attribute
When a user is successfully authenticated using an LDAP server, the login
permissions for this user must be retrieved. To retrieve these permissions,
the search filter sent to the server must specify the attribute name
associated with login permissions. This field specifies this attribute name.
If this field is left blank, the user is assigned a default of read-only
permissions, assuming user and group authentication passes. When
successfully retrieved, the attribute value returned by the LDAP server is
interpreted according to the following information:
v It must be a bit string entered as 12 consecutive zeros or ones, with
each bit representing a particular set of functions. For example:
010000000000 or 000011001000. The bits are numbered according to
their position. The leftmost bit is bit position 0, and the rightmost bit is bit
position 11. A value of 1 at a particular position enables that particular
function. A value of 0 disables that function. There are 12 available bits,
which are described in the following list:
– Deny Always (bit position 0): If set, a user will always fail
authentication. This function can be used to block a particular user or
users associated with a particular group.
– Supervisor Access (bit position 1): If set, a user is given administrator
privileges. The user has read and write access to every function.
When this bit is set, the other bits below do not have to be set
individually.
– Read Only Access (bit position 2): If set, a user has read-only access
and cannot perform any maintenance procedures (for example,
restart, remote actions, and firmware updates), and nothing can be
modified (using the save, clear, or restore functions). Note that
Chapter 3. Using the management-module Web interface
41
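The Login Permission Attribute rules above (12-character bit string, leftmost bit is position 0, Deny Always overrides, Supervisor implies every function, blank attribute means read-only) are easy to get subtly wrong when reviewing what a directory entry actually grants a user. The following is an added example, not code from the IBM manual or the module firmware, that decodes a value exactly as this page describes it. Only bit positions 0, 1 and 2 are named on this page; positions 3 to 11 are described on the following pages, so the example reports them by position rather than guessing their meaning. The class and function names are my own.

```python
"""Added example (not IBM's code): interpret a Login Permission Attribute value
the way this manual page describes it.  Only bit positions 0-2 are named on
the page; positions 3-11 are labelled by number rather than guessed."""
from dataclasses import dataclass
from typing import Optional

PERMISSION_BITS = 12
NAMED_BITS = {0: "Deny Always", 1: "Supervisor Access", 2: "Read Only Access"}


@dataclass(frozen=True)
class Access:
    authenticated: bool   # False when Deny Always (bit 0) is set
    supervisor: bool      # bit 1: read and write access to every function
    read_only: bool       # bit 2, or the default when the attribute is absent
    granted_bits: tuple   # positions 3..11 enabled (all of them for a supervisor)


def is_valid_permission_string(value: str) -> bool:
    """Exactly 12 consecutive '0'/'1' characters, leftmost = bit position 0."""
    return len(value) == PERMISSION_BITS and all(c in "01" for c in value)


def set_bits(value: str) -> list:
    """Positions (0 = leftmost) whose character is '1'."""
    if not is_valid_permission_string(value):
        raise ValueError("login permission attribute must be 12 zeros/ones, got %r" % value)
    return [pos for pos, c in enumerate(value) if c == "1"]


def effective_access(value: Optional[str]) -> Access:
    """Resolve the attribute value into the outcome described on this page.
    Assumes user and group authentication already passed, as the manual does
    for the blank-attribute default."""
    if not value:
        # Attribute not configured or not returned: read-only default.
        return Access(authenticated=True, supervisor=False, read_only=True, granted_bits=())
    bits = set_bits(value)
    if 0 in bits:
        # Deny Always: the user always fails authentication, whatever else is set.
        return Access(authenticated=False, supervisor=False, read_only=False, granted_bits=())
    if 1 in bits:
        # Supervisor: the other bits do not have to be set individually.
        return Access(authenticated=True, supervisor=True, read_only=False,
                      granted_bits=tuple(range(3, PERMISSION_BITS)))
    return Access(authenticated=True, supervisor=False, read_only=2 in bits,
                  granted_bits=tuple(b for b in bits if b >= 3))


def describe(value: str) -> list:
    """Human-readable names for the set bits, e.g. for an audit of what each
    directory entry grants."""
    return [NAMED_BITS.get(b, "bit position %d (see following pages)" % b)
            for b in set_bits(value)]


if __name__ == "__main__":
    # Constructed sample values, including the two from the manual's text.
    for sample in ("010000000000", "000011001000", "100000000000", "001000000000", ""):
        print(repr(sample), effective_access(sample))
    print(describe("000011001000"))
```

Running `describe` over the permission attribute of every account that can reach the management module is a cheap way to find entries that unintentionally carry the Supervisor bit, and to confirm that accounts meant to be blocked really do carry Deny Always.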