11-17
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter 11 Working with User Databases
Generic LDAP
LDAP Organizational Units and Groups
LDAP groups do not need to have the same name as their corresponding
Cisco Secure ACS groups. The LDAP group can be mapped to a
Cisco Secure ACS group with any name you want to assign. For more information
about how your LDAP database handles group membership, see your LDAP
database documentation. For more information on LDAP group mappings and
Cisco Secure ACS, see the Database Group Mappings section on page 12-10.
Directed Authentications
You can configure Cisco Secure ACS to filter user authentications that it submits
to LDAP databases. Filtering is based on a string of characters either at the
beginning or at the end of the username submitted for authentication. This gives
you greater control over the LDAP instance to which Cisco Secure ACS submits each
user authentication request. For example, you could configure a different LDAP
instance per domain in your network and direct the authentications for each
domain to the appropriate instance.
Depending upon how an LDAP database is configured, the different LDAP
instances in Cisco Secure ACS can authenticate users using the same LDAP
database but with different contexts. Using directed authentications in
conjunction with this flexibility allows you to specify which user and group
directory subtrees the LDAP database uses to authenticate users of a given
domain.
LDAP Failover
Cisco Secure ACS supports failover between a primary and a secondary
LDAP server. In the context of LDAP authentication with Cisco Secure ACS,
failover applies when an authentication request fails because Cisco Secure ACS
could not connect to an LDAP server, such as when the server is down or is
otherwise unreachable by the Cisco Secure ACS server. To use this feature, you
must define the primary and secondary LDAP servers on the LDAP Database
Configuration page. Also, you must select the On Timeout Use Secondary check
box. For more information about configuring an LDAP external user database, see
the Configuring a Generic LDAP External User Database section on
page 11-19.
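As an added illustration (not Cisco's code or configuration), the following Python models the two mechanisms described in the Directed Authentications and LDAP Failover sections: an LDAP instance is selected by a username prefix or suffix, and the secondary server is consulted only when the primary is unreachable, never when the primary rejects the credentials. The literal, case-sensitive prefix/suffix matching, the instance names and the simulated servers are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional

class LdapUnreachable(Exception):
    """The LDAP server could not be contacted (down or otherwise unreachable)."""

def make_server(users: dict, reachable: bool = True) -> Callable[[str, str], bool]:
    """Constructed stand-in for an LDAP bind; users maps username -> password."""
    def bind(username: str, password: str) -> bool:
        if not reachable:
            raise LdapUnreachable()
        return users.get(username) == password
    return bind

@dataclass
class LdapInstance:
    name: str
    primary: Callable[[str, str], bool]
    secondary: Optional[Callable[[str, str], bool]] = None
    on_timeout_use_secondary: bool = False  # the check box named in the text
    prefix: str = ""  # directed-authentication filter on the start of the username
    suffix: str = ""  # ... or on its end (assumed literal, case-sensitive match)

    def matches(self, username: str) -> bool:
        if self.prefix and not username.startswith(self.prefix):
            return False
        if self.suffix and not username.endswith(self.suffix):
            return False
        return bool(self.prefix or self.suffix)

def authenticate(inst: LdapInstance, username: str, password: str) -> bool:
    """Bind to the primary; use the secondary only when the primary is unreachable
    and On Timeout Use Secondary is set. A rejected credential never fails over."""
    try:
        return inst.primary(username, password)
    except LdapUnreachable:
        if inst.on_timeout_use_secondary and inst.secondary is not None:
            return inst.secondary(username, password)
        raise

# Constructed sample: one instance per domain; the sales primary is down.
SALES_USERS = {"alice@sales.example.com": "pw1"}
SALES = LdapInstance("sales-ldap", make_server(SALES_USERS, reachable=False),
                     make_server(SALES_USERS), True, suffix="@sales.example.com")
ENG = LdapInstance("eng-ldap", make_server({"ENG\\bob": "pw2"}), prefix="ENG\\")
INSTANCES = [SALES, ENG]

def login(username: str, password: str) -> bool:
    """Direct the request to the first matching instance; unmatched names are rejected."""
    inst = next((i for i in INSTANCES if i.matches(username)), None)
    return authenticate(inst, username, password) if inst else False
```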