Chapter 11 Working with User Databases
Generic LDAP
User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
If Cisco Secure ACS cannot connect to either LDAP server, Cisco Secure ACS
stops attempting LDAP authentication for the user. If the user is an unknown user,
Cisco Secure ACS tries the next external user database listed in the Unknown
User Policy list. For more information about the Unknown User Policy list, see
Unknown User Processing, page 12-1.
LDAP Configuration Options
The LDAP Database Configuration page contains many options, presented in
three tables:
Domain Filtering—This table contains options for domain filtering. The
settings in this table affect all LDAP authentication performed using this
configuration, regardless of whether the authentication is handled by the
primary or secondary LDAP server. For more information about domain
filtering, see Domain Filtering, page 11-18.
This table contains the following options:
Process all usernames—When this option is selected,
Cisco Secure ACS does not perform domain filtering on usernames
before submitting them to the LDAP server for authentication.
Only process usernames that are domain qualified—When this option
is selected, Cisco Secure ACS only attempts authentication for
usernames that are domain qualified for a single domain. You must
specify the type of domain qualifier and the domain in the “Qualified by”
and Domain options. Cisco Secure ACS only submits usernames that are
qualified in the method specified in the “Qualified by” option and that are
qualified with the username specified in the Domain Qualifier box. You
can also specify whether Cisco Secure ACS removes the domain
qualifier from usernames before submitting them to an LDAP server.
Qualified by—When “Only process usernames that are domain
qualified” is selected, this option specifies the type of domain
qualification. If you select Prefix, Cisco Secure ACS only processes
usernames that begin with the characters specified in the Domain
Qualifier box. If you select Suffix, Cisco Secure ACS only processes
usernames that end in the characters specified in the Domain Qualifier