Multiple ldap instances – Cisco 3.3 User Manual

13-33

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 13 User Databases

Generic LDAP

LDAP Failover, page 13-36

LDAP Configuration Options, page 13-37

Configuring a Generic LDAP External User Database, page 13-43

Cisco Secure ACS Authentication Process with a Generic LDAP User Database

Cisco Secure ACS forwards the username and password to an LDAP database
using a TCP connection on a port that you specify. The LDAP database either
passes or fails the authentication request from Cisco Secure ACS. Upon receiving
the response from the LDAP database, Cisco Secure ACS instructs the requesting
AAA client to grant or deny the user access, depending upon the response from
the LDAP server.

Cisco Secure ACS grants authorization based on the Cisco Secure ACS group to
which the user is assigned. While the group to which a user is assigned can be
determined by information from the LDAP server, it is Cisco Secure ACS that
grants authorization privileges.

Multiple LDAP Instances

You can create more than one LDAP configuration in Cisco Secure ACS. By
creating more than one LDAP configuration with different IP address or port
settings, you can configure Cisco Secure ACS to authenticate using different
LDAP servers or using different databases on the same LDAP server. Each
primary server IP address and port configuration, along with the secondary server
IP address and port configuration, forms an LDAP instance that corresponds to
one Cisco Secure ACS LDAP configuration instance.

Cisco Secure ACS does not require that each LDAP instance correspond to a
unique LDAP database. You can have more than one LDAP configuration set to
access the same database. This is useful when your LDAP database contains more
than one subtree for users or groups. Because each LDAP configuration supports
only one subtree directory for users and one subtree directory for groups, you
must configure separate LDAP instances for each user directory subtree and group
directory subtree combination for which Cisco Secure ACS should submit
authentication requests.
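As an added illustration of the two points above (the pass/fail authentication flow and one user subtree plus one group subtree per LDAP instance), the following Python model is not Cisco's code and does not speak LDAP on the wire: it uses a constructed in-memory directory, hypothetical hostnames, subtrees and LDAP-group-to-ACS-group mappings, and shows why two instances pointing at the same server are needed to reach users under two different subtrees.

```python
from dataclasses import dataclass
from hmac import compare_digest
from typing import Dict, Optional, Tuple

# Constructed in-memory stand-in for the LDAP directory (DN -> attributes). A real
# ACS binds over TCP on the configured port; passwords are cleartext only in this mock.
DIRECTORY: Dict[str, dict] = {
    "uid=alice,ou=staff,dc=example,dc=com": {"userPassword": "s3cret"},
    "uid=bob,ou=contractors,dc=example,dc=com": {"userPassword": "hunter2"},
    "cn=netops,ou=staffgroups,dc=example,dc=com":
        {"member": ["uid=alice,ou=staff,dc=example,dc=com"]},
    "cn=vendors,ou=ctrgroups,dc=example,dc=com":
        {"member": ["uid=bob,ou=contractors,dc=example,dc=com"]},
}

@dataclass
class LdapInstance:
    """One ACS LDAP configuration instance: endpoints plus one user and one group subtree."""
    name: str
    primary: Tuple[str, int]
    secondary: Tuple[str, int]
    user_subtree: str
    group_subtree: str
    group_map: Dict[str, str]  # LDAP group cn -> ACS group (hypothetical mapping)

def authenticate(inst: LdapInstance, username: str, password: str,
                 directory: Dict[str, dict] = DIRECTORY) -> Tuple[bool, Optional[str]]:
    """Return (grant, acs_group): the directory passes or fails the credentials,
    then ACS itself assigns authorization from the group it maps the user to."""
    dn = f"uid={username},{inst.user_subtree}"
    entry = directory.get(dn)
    # A user outside this instance's user subtree is simply not found by it.
    if entry is None or "userPassword" not in entry:
        return False, None
    if not compare_digest(entry["userPassword"].encode(), password.encode()):
        return False, None
    # Group lookup is confined to this instance's single group subtree.
    for gdn, attrs in directory.items():
        if gdn.endswith("," + inst.group_subtree) and dn in attrs.get("member", []):
            cn = gdn.split(",", 1)[0].split("=", 1)[1]
            return True, inst.group_map.get(cn, "Default Group")
    return True, "Default Group"

# Two instances against the same server (LDAPS port assumed), differing only in subtrees.
SERVER, BACKUP = ("ldap.example.com", 636), ("ldap2.example.com", 636)
STAFF = LdapInstance("staff", SERVER, BACKUP, "ou=staff,dc=example,dc=com",
                     "ou=staffgroups,dc=example,dc=com", {"netops": "NetOps-Admins"})
CONTRACTORS = LdapInstance("contractors", SERVER, BACKUP, "ou=contractors,dc=example,dc=com",
                           "ou=ctrgroups,dc=example,dc=com", {"vendors": "Vendor-Access"})
```

Authenticating `bob` through the `STAFF` instance is denied even with the right password, because his entry lies under a subtree that instance never searches; the `CONTRACTORS` instance grants him and maps him to an ACS group.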
