11-35
User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
Chapter 11 Working with User Databases
Novell NDS Database
For users to authenticate against a Novell NDS database, Cisco Secure ACS must
be correctly configured to recognize the Novell NDS structure. Cisco Secure ACS
supports up to twenty trees. Each tree has several containers, and each container
can have several contexts. NDS trees can be thought of as similar to
Windows NT/2000 domains. For a user to authenticate against a Novell NDS
context, a user object must exist, and the password must be able to log the name
into the tree.
User Contexts
You must supply one or more contexts when you configure Cisco Secure ACS to
authenticate with an NDS database; however, users can supply an additional
portion of the full context that defines their fully-qualified usernames. In other
words, if none of the contexts in the list of contexts contains a username submitted
for authentication, the username must specify exactly how they are subordinate to
the contexts in the list of contexts. The user specifies the manner in which a
username is subordinate to a context by providing the additional context
information needed to uniquely identify the user in the NDS database.
Consider the following example tree:
[Root] whose treename=ABC
OU=ABC-Company
OU=sales
CN=Agamemnon
OU=marketing
CN=Odysseus
OU=marketing-research
CN=Penelope
OU=marketing-product
CN=Telemachus
If the context list configured in Cisco Secure ACS were:
ABC-Company,sales.ABC-Company
Agamemnon would successfully authenticate if he submitted “Agamemnon.sales”
as his username. If he submitted only “Agamemnon”, authentication would fail.
Table 11-1
lists the users given in the example tree and the username with context
that would allow each user to authenticate successfully.