13-35
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 13 User Databases
Generic LDAP
If you choose to make use of domain filtering, each LDAP configuration you create in Cisco Secure ACS can perform domain filtering in one of two ways:
• Limiting users to one domain. For each LDAP configuration in Cisco Secure ACS, you can require that Cisco Secure ACS attempts to authenticate only usernames that are qualified with a specific domain name. This corresponds to the "Only process usernames that are domain qualified" option on the LDAP Configuration page. For more information about this option, see LDAP Configuration Options, page 13-37.
With this option, each LDAP configuration is limited to one domain and to one type of domain qualification (prefixed or suffixed). You can specify whether Cisco Secure ACS strips the domain qualifier before submitting the username to the LDAP server. If the LDAP server stores usernames in a domain-qualified format, do not configure Cisco Secure ACS to strip domain qualifiers, because the stripped name would not match the entry the LDAP server holds.
Limiting users to one domain is useful when the LDAP server stores usernames differently per domain, either by user context or by how the username is stored (domain qualified or non-domain qualified). The end-user client or AAA client must submit the username to Cisco Secure ACS in a domain-qualified format; otherwise Cisco Secure ACS cannot determine the user's domain and does not attempt to authenticate the user with an LDAP configuration that uses this form of domain filtering.
• Allowing any domain but stripping domain qualifiers. For each LDAP configuration in Cisco Secure ACS, you can configure Cisco Secure ACS to attempt to strip domain qualifiers based on common domain-qualifier delimiting characters. This corresponds to the "Process all usernames after stripping domain name and delimiter" option on the LDAP Configuration page. For more information about this option, see LDAP Configuration Options, page 13-37.
Cisco Secure ACS supports both prefixed (for example, DOMAIN\user) and suffixed (for example, user@domain) domain qualifiers. A single LDAP configuration can attempt to strip both prefixed and suffixed domain qualifiers; however, you can specify only one delimiting character each for prefixed and for suffixed domain qualifiers. To support more than one type of domain-qualifier delimiting character, create more than one LDAP configuration in Cisco Secure ACS.
Allowing usernames of any domain but stripping domain qualifiers is useful when the LDAP server stores usernames in a non-domain-qualified format but the AAA client or end-user client submits the username to Cisco Secure ACS in a domain-qualified format. Note that in this mode the domain portion is discarded rather than checked, so it cannot be used to restrict which users reach this LDAP server.
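The following model of the two filtering modes is an added example, not code from Cisco Secure ACS or from this guide. It shows, for a client-supplied username, which LDAP configurations would attempt authentication and what name each would submit: the one-domain mode skips names that are unqualified or carry another domain and optionally strips the qualifier, while the any-domain mode strips a prefixed or suffixed qualifier and otherwise passes the name through. The names LdapDomainFilter, submit_name, candidate_configs, the two mode constants and the sample configurations are assumptions made for this example; the quoted option names are the ones the guide uses for the LDAP Configuration page.

```python
"""Model of the two generic-LDAP domain-filtering modes described above.

Added illustration, not Cisco Secure ACS code. Field, function and mode names
are assumptions chosen for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "Only process usernames that are domain qualified"
ONLY_DOMAIN_QUALIFIED = "only_domain_qualified"
# "Process all usernames after stripping domain name and delimiter"
STRIP_ANY_DOMAIN = "strip_any_domain"


@dataclass(frozen=True)
class LdapDomainFilter:
    mode: str
    domain: str = ""                     # required domain (ONLY_DOMAIN_QUALIFIED only)
    strip: bool = False                  # strip the qualifier before submitting to LDAP
    prefix_delim: Optional[str] = None   # e.g. "\\" for DOMAIN\user
    suffix_delim: Optional[str] = None   # e.g. "@" for user@domain

    def __post_init__(self):
        # Only one delimiting character each for prefixed and suffixed qualifiers.
        for delim in (self.prefix_delim, self.suffix_delim):
            if delim is not None and len(delim) != 1:
                raise ValueError("a delimiter must be a single character")
        if self.mode == ONLY_DOMAIN_QUALIFIED:
            # One domain and one type of qualification per configuration.
            if not self.domain or (self.prefix_delim is None) == (self.suffix_delim is None):
                raise ValueError("ONLY_DOMAIN_QUALIFIED needs a domain and exactly one delimiter")
        elif self.mode != STRIP_ANY_DOMAIN:
            raise ValueError("unknown mode: %r" % self.mode)


def split_qualified(username: str, prefix_delim: Optional[str],
                    suffix_delim: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (domain, bare_user) if the username carries a configured qualifier."""
    if prefix_delim and prefix_delim in username:
        domain, _, user = username.partition(prefix_delim)      # DOMAIN\user
        return domain, user
    if suffix_delim and suffix_delim in username:
        user, _, domain = username.rpartition(suffix_delim)     # user@domain
        return domain, user
    return None


def submit_name(flt: LdapDomainFilter, username: str) -> Optional[str]:
    """Username this configuration would submit to its LDAP server, or None
    if the configuration does not attempt to authenticate this user."""
    parts = split_qualified(username, flt.prefix_delim, flt.suffix_delim)
    if flt.mode == ONLY_DOMAIN_QUALIFIED:
        if parts is None:
            return None   # not domain qualified: ACS cannot determine the domain
        domain, user = parts
        if domain.lower() != flt.domain.lower():   # case-insensitive match is an assumption here
            return None   # qualified, but with some other domain
        return user if flt.strip else username
    # STRIP_ANY_DOMAIN: any domain is accepted; strip a qualifier if one is present,
    # otherwise pass the username through unchanged.
    return parts[1] if parts is not None else username


def candidate_configs(configs: List[Tuple[str, LdapDomainFilter]],
                      username: str) -> List[Tuple[str, str]]:
    """(name, submitted_username) for each named configuration that would
    attempt authentication, in configuration order."""
    result = []
    for name, flt in configs:
        submitted = submit_name(flt, username)
        if submitted is not None:
            result.append((name, submitted))
    return result


if __name__ == "__main__":
    # Constructed sample configurations and usernames (not from the guide).
    corp = LdapDomainFilter(ONLY_DOMAIN_QUALIFIED, domain="corp.example.com",
                            strip=True, suffix_delim="@")
    any_dom = LdapDomainFilter(STRIP_ANY_DOMAIN, prefix_delim="\\", suffix_delim="@")
    configs = [("corp-ldap", corp), ("any-ldap", any_dom)]
    for name in ("alice@corp.example.com", "CORP\\alice", "alice@partner.example.net", "alice"):
        print(name, "->", candidate_configs(configs, name))
```

The example strips either a prefixed or a suffixed qualifier from one name, not both at once; the guide does not say how a name carrying both is handled, so that case is left to the product. The domain string is taken from whatever the client sent, so in the one-domain mode it only selects which configuration is consulted and the strip decision; authentication itself still rests on the LDAP bind.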