Configuring the LDAP Search Filter Attribute

When LDAP-based login (username and password) authentication succeeds, the device queries the LDAP server for all groups of which the user is a member. The query is built from the following three elements:

Search base object (distinguished name or DN, e.g., "ou=ABC,dc=corp,dc=abc,dc=com"): The DN defines the location in the directory from which the LDAP search begins. It is configured per LDAP server, as described in Configuring LDAP DNs (Base Paths) per LDAP Server.
Filter (e.g., "(&(objectClass=person)(sAMAccountName=johnd))"): The filter restricts the subtree search to the entry of the user who is logging in and excludes all other entries. It is configured by the 'LDAP Authentication Filter' parameter, as described in the following procedure. You must use the dollar ($) sign as the placeholder for the login username; the device substitutes the username for every "$" in the filter. For example, if the parameter is configured to "(sAMAccountName=$)" and a user logs in with the username "SueM", the LDAP search is done only for entries whose sAMAccountName attribute equals "SueM".
Attribute (e.g., "memberOf") to return from the objects that match the filter: The attribute is configured by the 'Management Attribute' parameter in the LDAP Servers table (see Configuring LDAP Servers).

Therefore, the LDAP response includes only the groups of which the specific user is a member.

The search filter applies only to LDAP-based login (management user) authentication and authorization queries. It is a global setting: the same filter is used for all such queries across all configured LDAP servers.
To configure the LDAP search filter for management users:
1. Open the LDAP Settings page (Setup menu > IP Network tab > AAA Servers folder > LDAP Settings).
2. In the 'LDAP Authentication Filter' field, enter the LDAP search filter used to find the login username during user authentication, using "$" as the username placeholder (e.g., "(sAMAccountName=$)").
3. Click Apply.
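The following is an added example, not code from the original page or from the device vendor, showing how the three elements above (search base DN, the '$'-substituted 'LDAP Authentication Filter', and the 'Management Attribute') combine into the group lookup the page describes. It runs against a constructed in-memory directory rather than a real LDAP server, and its tiny filter evaluator supports only the "(&...)", "(|...)", "(attr=value)" and "(attr=*)" forms used here. The sample entries, the NetAdmins and Monitors group names, and the case-insensitive attribute comparison are all assumptions. The page does not say whether the device escapes the login username before substituting it for "$"; the example applies RFC 4515 escaping itself and shows, with the constructed username "*", why that escaping matters: unescaped, "*" is a wildcard that matches every entry under the base DN instead of one user.

```python
"""Added example: emulate the device's LDAP group lookup for a management user.
Not the vendor's code; the directory below is constructed sample data."""
import re

# RFC 4515 escaping for a value embedded in a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Make the login username a literal value inside the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_auth_filter(template: str, username: str, escape: bool = True) -> str:
    """Replace every '$' in the configured 'LDAP Authentication Filter'
    template with the login username (escaped unless escape=False)."""
    if "$" not in template:
        raise ValueError("filter template must contain the '$' placeholder")
    return template.replace("$", escape_filter_value(username) if escape else username)


# --- minimal filter evaluator: (&...), (|...), (attr=value), (attr=*) ---

def _parse(s: str, i: int):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError("unterminated compound filter")
        return (op, children), i + 1
    j = s.index(")", i)
    attr, value = s[i:j].split("=", 1)
    return ("=", attr.lower(), value), j + 1


def parse_filter(s: str):
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError(f"trailing data after filter: {s[end:]!r}")
    return node


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _match(node, entry: dict) -> bool:
    if node[0] == "&":
        return all(_match(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_match(c, entry) for c in node[1])
    _, attr, value = node
    values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
    if value == "*":                      # presence test, i.e. wildcard
        return bool(values)
    # Assumption: sAMAccountName-style attributes compare case-insensitively.
    return _unescape(value).lower() in (v.lower() for v in values)


# Constructed sample directory (DN -> attributes); not real data.
SAMPLE_DIRECTORY = {
    "cn=SueM,ou=ABC,dc=corp,dc=abc,dc=com": {
        "objectClass": ["person"], "sAMAccountName": ["SueM"],
        "memberOf": ["cn=NetAdmins,ou=Groups,dc=corp,dc=abc,dc=com"],
    },
    "cn=JohnD,ou=ABC,dc=corp,dc=abc,dc=com": {
        "objectClass": ["person"], "sAMAccountName": ["johnd"],
        "memberOf": ["cn=Monitors,ou=Groups,dc=corp,dc=abc,dc=com"],
    },
    "cn=Printer1,ou=Devices,dc=corp,dc=abc,dc=com": {   # outside the base DN
        "objectClass": ["device"], "sAMAccountName": ["printer1"],
        "memberOf": ["cn=NetAdmins,ou=Groups,dc=corp,dc=abc,dc=com"],
    },
}


def lookup_groups(directory, base_dn, template, username,
                  attribute="memberOf", escape=True):
    """Emulate the device's query: subtree search under base_dn, entries
    filtered by the substituted template, returning only `attribute`."""
    flt = parse_filter(build_auth_filter(template, username, escape))
    base = base_dn.lower()
    groups = []
    for dn, entry in directory.items():
        d = dn.lower()
        if d != base and not d.endswith("," + base):
            continue                      # not in the search subtree
        if _match(flt, entry):
            groups.extend(entry.get(attribute, []))
    return groups


if __name__ == "__main__":
    tpl = "(&(objectClass=person)(sAMAccountName=$))"
    base = "ou=ABC,dc=corp,dc=abc,dc=com"
    print(lookup_groups(SAMPLE_DIRECTORY, base, tpl, "SueM"))
    print(lookup_groups(SAMPLE_DIRECTORY, base, tpl, "*"))                # escaped
    print(lookup_groups(SAMPLE_DIRECTORY, base, tpl, "*", escape=False))  # wildcard
```

With the template "(&(objectClass=person)(sAMAccountName=$))" and base "ou=ABC,dc=corp,dc=abc,dc=com", the lookup for "SueM" returns only the NetAdmins group, exactly as the page describes. The Printer1 entry is a member of the same group but is never returned because it lies outside the base DN. The last two calls show the difference escaping makes when the login name is "*": escaped, nothing matches (no account is literally named "*"); unescaped, the filter becomes a presence test and returns the groups of every person under the base DN.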