Chapter 4: Web Interface Operations 57
LDAP Query parameters
On the LDAP Query page, you can configure the parameters used when performing user
authentication queries.
The appliance performs two different types of queries. Query Mode (Appliance) is used to
authenticate administrators and users attempting to access the appliance itself. Query Mode (Target
Device) is used to authenticate users that are attempting to access attached target devices.
Additionally, each type of query has three modes that utilize certain types of information to
determine whether or not an LDAP user has access to an appliance or connected target devices. See
Appliance and Target Device Query Modes on page 58 for detailed information on each mode.
You can configure the following settings on the LDAP Query Page:
• The Query Mode (Appliance) parameters determine whether or not a user has access to
the
appliance.
• The Query Mode (Target Device) parameters determine whether or not a user has user access
to target devices connected to an appliance. The user does not have access to the appliance,
unless granted by Query Mode (Appliance).
• The Group Container, Group Container Mask and Target Mask fields are only used for group
query modes and are required when performing an appliance or device query.
• The Group Container field specifies the organizational unit (ou) created in Active Directory by
the administrator as the location for group objects. Group objects are Active Directory objects
that can contain users, computers, contacts and other groups. Group Container is used when
Query Mode is set to Group Attribute. Each group object, in turn, is assigned members to
associate with a particular access level for member objects (people, appliances and target
devices). The access level associated with a group is configured by setting the value of an
attribute in the group object. For example, if the Notes property in the group objects is used to
implement the access control attribute, the Access Control Attribute field on the LDAP Query
Page should be set to info. Setting the Notes property to KVM User Admin causes the
members of that group to have user administration access to the appliances and target devices
that are also members of that same group.
• The Notes property is used to implement the access control attribute. The value of the Notes
property, available in group and user objects shown in Active Directory Users and Computers
(ADUC), is stored internally in the directory, in the value of the info attribute. ADUC is a
Microsoft Management Console snap-in for configuring Active Directory. It is started by
selecting Start - Programs - Administrative Tools - Active Directory Users and Computers.
This tool is used to create, configure and delete objects such as users, computers and groups.
See
Figure 4.6 on page 59 and Figure 4.7 on page 60 for more information.
• The Group Container Mask field defines the object type of the Group Container, which is
normally an organizational unit. The default value is “ou=%1”.
• The Target Mask field defines a search filter for the target device. The default value is
“cn=%1”.