H3C Technologies H3C Intelligent Management Center User Manual

Page 398


Click the Move down icon for an AD group to reduce its priority.
Click the Move Up icon for an AD group to raise its priority.

g. Click Next to enter the page for configuring LDAP user parameters.

Rules for assigning services to LDAP users

UAM uses the following rules to assign services to an LDAP user in only one AD group:

- Assigns the services in the AD group to the user.
- Assigns the services in its parent AD group to the user, if the AD group has no services. If the parent AD group has no services, it moves up until an AD group that has services is found or the specified maximum number of AD group layers is reached.
- Assigns the default service to the user, if none of the AD group layers has services.

UAM uses the following rules to assign services to an LDAP user in more than one AD group:

- If at least two of the AD groups are associated with a service, it compares the priorities of the AD groups and assigns the services of the higher-priority AD group to the user.
- If none of the AD groups has services, it searches their respective parent AD groups for services. If only one parent AD group has services, it assigns the services to the user. If at least two parent AD groups are each associated with a service, it compares the priorities of the AD groups and assigns the services of the group with the higher priority to the user. If none of their parent AD groups has services, it moves up the chains of AD groups until an AD group that has services is found or the specified maximum number of AD group layers is reached.
- If none of the AD group layers has services, it assigns the default service to the user.

Look at the AD group tree hierarchy in Figure 102. For users in group C1, the AD group chain available for service assignment is C1 > B1 > A. For users in group C5, the AD group chain available for service assignment is C5 > B2 > A. UAM moves up the chains to search for services for the users.

Suppose the Service Query Level is 3, group C1 (AD group priority 2) has service L1S1, group C2 has no service, group C4 (AD group priority 3) has service L1S4, group C5 has no service, group B1 has service L2S1, group B2 has no service, and group A has service L3S.

For users only in group C1, UAM assigns service L1S1. For users in groups C1 and C4, UAM assigns service L1S4, because group C4 is at the same layer as C1 but has higher LDAP priority. For users in group C2, UAM assigns service L2S1, the service of group B1, because even though group C2 has no service, its parent group (group B1) has the service and is below the top layer set by Service Query Level. For users in group C5, UAM assigns service L3S (the service of group A), because the two lower-layer AD groups in the AD group chain (C5 > B2 > A) have no services, and group A is the top layer set by Service Query Level.
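The rules above can be checked offline before AD group priorities or the Service Query Level are changed. The following Python sketch is an added example, not H3C code: it models the rules on the Figure 102 scenario. The function and class names, the `DEFAULT` service name, the parent of C4, and the tie-break between equal priorities are assumptions, and the "larger number wins" ordering is taken from the C1 (priority 2) and C4 (priority 3) case above.

```python
# Added illustration of the UAM service-assignment rules described above.
# Services and chains follow the page's example; items marked "assumed"
# are not stated on the page.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ADGroup:
    name: str
    parent: Optional[str]
    services: tuple = ()
    priority: int = 0  # larger wins, as in the page's C1 (2) vs C4 (3) case


GROUPS = {g.name: g for g in [
    ADGroup("A", None, ("L3S",)),
    ADGroup("B1", "A", ("L2S1",)),
    ADGroup("B2", "A"),
    ADGroup("C1", "B1", ("L1S1",), priority=2),
    ADGroup("C2", "B1"),
    ADGroup("C4", "B2", ("L1S4",), priority=3),  # parent B2 is assumed
    ADGroup("C5", "B2"),
]}


def resolve_services(user_groups, groups=GROUPS, query_level=3,
                     default=("DEFAULT",)):
    """Return (services, source_group) for a user in the given AD groups.

    query_level models the Service Query Level: the maximum number of
    AD group layers examined, counting the user's own groups as layer 1.
    """
    layer = sorted(set(user_groups))
    for _ in range(query_level):
        with_services = [groups[n] for n in layer if groups[n].services]
        if with_services:
            # Equal priorities: first name in sorted order wins (assumed;
            # the page does not describe tie handling).
            winner = max(with_services, key=lambda g: g.priority)
            return winner.services, winner.name
        # No group in this layer has services: move up to the parents.
        layer = sorted({groups[n].parent for n in layer if groups[n].parent})
        if not layer:
            break
    return tuple(default), None  # no layer had services: default service
```

Lowering `query_level` to 2 for a user in C5 returns the default service, because group A is then outside the searched layers.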
