11-19
User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
Chapter 11 Working with User Databases
Generic LDAP
Cisco Secure ACS receives the username without a domain qualifier. If both clients
are to be authenticated with an LDAP database that stores usernames without
domain qualifiers, Cisco Secure ACS can strip the domain qualifier. If separate
user accounts are maintained in the LDAP database—both domain-qualified and
non-domain-qualified user accounts—Cisco Secure ACS can pass usernames to
the LDAP database without domain filtering.
If you choose to make use of domain filtering, each LDAP configuration you
create in Cisco Secure ACS can perform domain filtering in one of two ways:
• Limiting users to one domain—For each LDAP configuration in
Cisco Secure ACS, you can require that Cisco Secure ACS only attempts to
authenticate usernames that are qualified with a specific domain name. This
corresponds to the “Only process usernames that are domain qualified”
option on the LDAP Configuration page. For more information about this
option, see LDAP Configuration Options, page 11-22.
With this option, each LDAP configuration is limited to one domain and to
one type of domain qualification. You can specify whether Cisco Secure ACS
strips the domain qualification before submitting the username to an LDAP
server. If the LDAP server stores usernames in a domain-qualified format,
you should not configure Cisco Secure ACS to strip domain qualifiers.
Limiting users to one domain is useful when the LDAP server stores
usernames differently per domain, either by user context or by how the
username is stored in Cisco Secure ACS—domain qualified or non-domain
qualified. The end-user client or AAA client must submit the username to
Cisco Secure ACS in a domain-qualified format; otherwise,
Cisco Secure ACS cannot determine the user’s domain and does not attempt
to authenticate the user with an LDAP configuration that uses this form of
domain filtering.
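The following is an added example, written for this page and not Cisco Secure ACS code: a small Python model of per-LDAP-configuration domain filtering that covers the “Only process usernames that are domain qualified” option above as well as the “Process all usernames after stripping domain name and delimiter” option described next. The LdapConfig fields, the function names, the case-insensitive domain comparison, the choice of splitting at the first prefix delimiter and the last suffix delimiter, and the in-memory directory are all assumptions made for illustration; the real product’s internals are not documented here.

```python
"""Model of Cisco Secure ACS per-LDAP-configuration domain filtering.

Added example, not Cisco code. Field names, helper names, the in-memory
"directory" and the case-insensitive domain match are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class LdapConfig:
    # Option 1: "Only process usernames that are domain qualified".
    only_domain: Optional[str] = None   # e.g. "CORP"; None disables this option
    qualifier_form: str = "prefix"      # "prefix" (DOMAIN\user) or "suffix" (user@domain)
    strip_qualifier: bool = False       # strip the qualifier before submitting to LDAP?
    # Option 2: "Process all usernames after stripping domain name and delimiter".
    strip_any: bool = False
    # One delimiting character each for prefixed and suffixed qualifiers (assumption).
    prefix_delim: Optional[str] = None  # e.g. "\\"
    suffix_delim: Optional[str] = None  # e.g. "@"


def split_qualifier(username: str, delim: str, form: str) -> Tuple[Optional[str], str]:
    """Return (domain, bare_user); domain is None when no delimiter is present.

    Prefixed qualifiers split at the first delimiter, suffixed ones at the last
    (so "alice@example.com" keeps the whole domain). Both choices are assumptions.
    """
    if form == "prefix":
        domain, sep, user = username.partition(delim)
        return (domain, user) if sep else (None, username)
    user, sep, domain = username.rpartition(delim)
    return (domain, user) if sep else (None, username)


def username_for_ldap(username: str, cfg: LdapConfig) -> Optional[str]:
    """Name this LDAP configuration submits, or None if it does not attempt authentication."""
    if cfg.only_domain is not None:
        delim = cfg.prefix_delim if cfg.qualifier_form == "prefix" else cfg.suffix_delim
        domain, bare = split_qualifier(username, delim, cfg.qualifier_form)
        # Not domain qualified, or qualified with another domain: ACS cannot tell
        # the user's domain and skips this configuration entirely.
        if domain is None or domain.lower() != cfg.only_domain.lower():
            return None
        return bare if cfg.strip_qualifier else username
    if cfg.strip_any:
        # A single configuration may strip both prefixed and suffixed qualifiers.
        name = username
        if cfg.prefix_delim:
            _, name = split_qualifier(name, cfg.prefix_delim, "prefix")
        if cfg.suffix_delim:
            _, name = split_qualifier(name, cfg.suffix_delim, "suffix")
        return name
    return username  # no domain filtering: pass the username through unchanged


def authenticate(username: str, cfg: LdapConfig, directory) -> str:
    """Simulate the lookup against an LDAP directory (a constructed set of stored names)."""
    name = username_for_ldap(username, cfg)
    if name is None:
        return "not attempted"
    return "found" if name in directory else "not found"


if __name__ == "__main__":
    # Constructed directory: one account stored bare, one stored domain qualified.
    directory = {"alice", "CORP\\bob"}
    one_domain = LdapConfig(only_domain="CORP", qualifier_form="prefix",
                            strip_qualifier=True, prefix_delim="\\")
    keep_qualifier = LdapConfig(only_domain="CORP", qualifier_form="prefix",
                                strip_qualifier=False, prefix_delim="\\")
    for user in ("CORP\\alice", "CORP\\bob", "OTHER\\alice", "alice"):
        print(f"{user:14} strip={authenticate(user, one_domain, directory):13} "
              f"keep={authenticate(user, keep_qualifier, directory)}")
```

The last two lines of the demo show the caveat from the text: with stripping enabled, the account the directory stores as “CORP\bob” is never found, while the bare account “alice” is found only when stripping is on. An unqualified “alice” is not attempted under either configuration, because ACS cannot determine the domain.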
• Allowing any domain but stripping domain qualifiers—For each LDAP
configuration in Cisco Secure ACS, you can configure Cisco Secure ACS to
attempt to strip domain qualifiers based on common domain-qualifier
delimiting characters. This corresponds to the “Process all usernames after
stripping domain name and delimiter” option on the LDAP Configuration
page. For more information about this option, see LDAP Configuration
Options, page 11-22.
Cisco Secure ACS supports both prefixed and suffixed domain qualifiers. A
single LDAP configuration can attempt to strip both prefixed and suffixed
domain qualifiers; however, you can only specify one delimiting character