User Guide for Cisco Secure Access Control System 5.3 (OL-24201-01), Chapter 8 Managing Users and Identity Stores, Managing External Identity Stores, page 8-25
Possible reasons for an LDAP server to return bind (authentication) errors are:
• Filtering errors—A search using filter criteria fails.
• Parameter errors—Invalid parameters were entered.
• User account is restricted (disabled, locked out, expired, password expired, and so on).
The following errors are logged as external resource errors, indicating a possible problem with the LDAP server:
• A connection error occurred.
• The timeout expired.
• The server is down.
• The server is out of memory.
The following error is logged as an Unknown User error:
• A user does not exist in the database.
The following error is logged as an Invalid Password error, where the user exists, but the password sent is invalid:
• An invalid password was entered.
Group Membership Information Retrieval
For user authentication, user lookup, and MAC address lookup, ACS must retrieve the group membership information from LDAP databases. LDAP servers represent the association between a subject (a user or a host) and a group in one of the following two ways:
• Groups Refer to Subjects—The group objects contain an attribute that specifies the subject. Identifiers for subjects can be stored in the group as:
  – Distinguished Names (DNs)
  – Plain usernames
• Subjects Refer to Groups—The subject objects contain an attribute that specifies the group they belong to.
LDAP identity stores contain the following parameters for group membership information retrieval:
• Reference Direction—Specifies the method to use when determining group membership (either Groups to Subjects or Subjects to Groups).
• Group Map Attribute—Indicates which attribute contains the group membership information.
• Group Object Class—Specifies the object class by which ACS recognizes an LDAP object as a group.
• Group Search Subtree—Indicates the search base for group searches.
• Member Type Option—Specifies how members are stored in the group member attribute (either as DNs or plain usernames).
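The following is an added illustration of how the two reference directions and the five retrieval parameters described above combine to decide which groups a subject belongs to. It is example code written for this page, not code from ACS or from Cisco: the directory entries are constructed in memory to stand in for LDAP search results, the parameter names mirror the page's settings, and the use of `uid` as the subject's plain-username attribute is an assumption of the example.

```python
"""Group membership resolution in both LDAP reference directions.

Illustrative code, not ACS code. A small constructed directory replaces a
live LDAP server so the logic can be exercised offline.
"""
from dataclasses import dataclass

# Constructed sample directory: DN -> attributes (each value is a list).
DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["alice"],
        "memberOf": ["cn=vpn-users,ou=groups,dc=example,dc=com"],
    },
    "cn=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["bob"], "memberOf": [],
    },
    # Groups that refer to subjects by DN (Member Type Option: DNs)
    "cn=vpn-users,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=alice,ou=people,dc=example,dc=com"],
    },
    # Groups that refer to subjects by plain username (Member Type Option: usernames)
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "memberUid": ["alice", "bob"],
    },
    # A group outside the configured Group Search Subtree; must be ignored.
    "cn=legacy,ou=old,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=bob,ou=people,dc=example,dc=com"],
    },
}


@dataclass(frozen=True)
class GroupRetrievalConfig:
    """Mirrors the ACS group membership retrieval parameters."""
    reference_direction: str   # "groups_to_subjects" or "subjects_to_groups"
    group_map_attribute: str   # attribute that carries the membership link
    group_object_class: str    # object class that marks an entry as a group
    group_search_subtree: str  # search base for group searches
    member_type: str = "dn"    # "dn" or "username" (Member Type Option)


def _in_subtree(dn, base):
    """True if dn equals base or lies beneath it (case-insensitive compare)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def _is_group(entry, cfg):
    classes = [oc.lower() for oc in entry.get("objectClass", [])]
    return cfg.group_object_class.lower() in classes


def resolve_groups(directory, subject_dn, cfg):
    """Return the sorted DNs of groups the subject belongs to under cfg."""
    subject = directory[subject_dn]

    if cfg.reference_direction == "subjects_to_groups":
        # The subject entry names its groups; keep only real groups in scope.
        groups = []
        for gdn in subject.get(cfg.group_map_attribute, []):
            entry = directory.get(gdn)
            if entry is None or not _is_group(entry, cfg):
                continue
            if not _in_subtree(gdn, cfg.group_search_subtree):
                continue
            groups.append(gdn)
        return sorted(groups)

    if cfg.reference_direction == "groups_to_subjects":
        # Group entries name their members, either by DN or by plain username.
        if cfg.member_type == "dn":
            ident = subject_dn.lower()
        else:
            ident = subject.get("uid", [""])[0].lower()  # assumption: uid holds the username
        groups = []
        for gdn, entry in directory.items():
            if not _in_subtree(gdn, cfg.group_search_subtree):
                continue
            if not _is_group(entry, cfg):
                continue
            members = [m.lower() for m in entry.get(cfg.group_map_attribute, [])]
            if ident in members:
                groups.append(gdn)
        return sorted(groups)

    raise ValueError("unknown reference direction: %s" % cfg.reference_direction)


if __name__ == "__main__":
    cfg = GroupRetrievalConfig("groups_to_subjects", "member", "groupOfNames",
                               "ou=groups,dc=example,dc=com", "dn")
    print(resolve_groups(DIRECTORY, "cn=alice,ou=people,dc=example,dc=com", cfg))
```

Note that the Group Object Class and Group Search Subtree act as filters in both directions: a `memberOf` value that points at an entry of the wrong class, or a group stored outside the configured subtree (`cn=legacy` above), contributes no membership, which is the usual reason a user who "is in the group" on the LDAP side still fails an ACS group-based rule.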
Attributes Retrieval
For user authentication, user lookup, and MAC address lookup, ACS must retrieve the subject attributes from LDAP databases. For each instance of an LDAP identity store, an identity store dictionary is created. These dictionaries support attributes of the following data types:
• String