Configuring Access Level per Management Groups Attributes
The Management LDAP Groups table lets you configure LDAP group objects and their corresponding management user access level. The table is a "child" of the LDAP Servers table (see Configuring LDAP Servers) and configuration is done per LDAP server. For each LDAP server, you can configure up to three row entries of LDAP group(s) with their corresponding access level (only one row can be configured for each level).
● | The Management LDAP Groups table is applicable only to LDAP-based login authentication and authorization queries. |
● | If the LDAP response received by the device includes multiple groups of which the user is a member and you have configured different access levels for some of these groups, the device assigns the user the highest access level. For example, if the user is a member of two groups where one has access level Monitor and the other Admin, the device assigns the user the Admin access level. |
● | When the access level is unknown, the device assigns the default access level to the user, configured by the 'Default Access Level' parameter as used also for RADIUS (see Configuring RADIUS-based User Authentication). This can occur in the following scenarios: |
✔ | The user is not a member of any LDAP group. |
✔ | The group of which the user is a member is not configured on the device (as described in this section). |
✔ | The device is not configured to query the LDAP server for a management attribute (see Configuring LDAP Servers). |
Group objects represent groups in the LDAP server of which the user is a member. The access level represents the user account's permissions and rights in the device's management interface (e.g., Web and CLI). The access level can either be Monitor, Admin, or Security Admin. For an explanation on the privileges of each level, see Configuring Management User Accounts.
When the username-password authentication with the LDAP server succeeds, the device searches the LDAP server for all groups of which the user is a member. The LDAP query is based on the following LDAP data structure:
■ | Search base object (distinguished name or DN, e.g., "ou=ABC,dc=corp,dc=abc,dc=com"), which defines the location in the directory from which the LDAP search begins. This is configured in Configuring LDAP DNs (Base Paths) per LDAP Server. |
■ | Filter (e.g., "(&(objectClass=person)(sAMAccountName=johnd))"), which filters the search in the subtree to include only the login username (and excludes others). For configuration, see Configuring the LDAP Search Filter Attribute. |
■ | Attribute (e.g., "memberOf") to return from objects that match the filter criteria. This attribute is configured by the 'Management Attribute' parameter in the LDAP Servers table. |
The LDAP response includes all the groups of which the specific user is a member, for example:
CN=\# Support Dept,OU=R&D Groups,OU=Groups,OU=APC,OU=Japan,OU=ABC,DC=corp,DC=abc,DC=com
CN=\#AllCellular,OU=Groups,OU=APC,OU=Japan,OU=ABC,DC=corp,DC=abc,DC=com
The device searches this LDAP response for the group names that you configured in the Management LDAP Groups table to determine the user's access level. If the device finds a group name, the user is assigned the corresponding access level and login is permitted; otherwise, login is denied. Once the LDAP response has been received (success or failure), the LDAP session terminates.
The following procedure describes how to configure an access level per management groups through the Web interface. You can also configure it through ini file [MgmntLDAPGroups] or CLI (configure system > ldap-configuration > mgmt-ldap-groups).
➢ | To configure management groups and corresponding access level: |
1. | Open the LDAP Servers table (Setup menu > IP Network tab > AAA Servers folder > LDAP Servers). |
2. | In the table, select the row of the LDAP server for which you want to configure management groups with a corresponding access level, and then click the Management LDAP Groups link located below the table; the Management LDAP Groups table opens. |
3. | Click New; the following dialog box appears: |
4. | Configure a group name(s) with a corresponding access level according to the parameters described in the table below. |
5. | Click Apply, and then save your settings to flash memory. |
Management LDAP Groups Table Parameter Descriptions
Parameter |
Description |
|||||||||
---|---|---|---|---|---|---|---|---|---|---|
'Index' [MgmntLDAPGroups_GroupIndex] |
Defines an index number for the new table row. Note: Each row must be configured with a unique index. |
|||||||||
'Level' level [MgmntLDAPGroups_Level] |
Defines the access level of the group(s).
Note: You can configure only one row in the Management LDAP Groups table per access level. |
|||||||||
'Groups' groups [MgmntLDAPGroups_Group] |
Defines the attribute names of the groups in the LDAP server. The valid value is a string of up to 256 characters. To define multiple groups, separate each group name with a semicolon (;). Note: The value is case-insensitive. |