User contexts – Cisco 3.3 User Manual

13-51

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 13 User Databases

Novell NDS Database

For users to authenticate against a Novell NDS database, Cisco Secure ACS must
be correctly configured to recognize the Novell NDS structure. Cisco Secure ACS
supports up to twenty Novell NDS trees. Each Novell NDS tree configuration can
support a list of user contexts. For a user to authenticate against a Novell NDS
context, the applicable user object must exist in one of the contexts provided and
the user password must be able to log the name into the tree.

User Contexts

You must supply one or more contexts when you configure Cisco Secure ACS to
authenticate with an NDS database; however, users can supply an additional
portion of the full context that defines their fully qualified usernames. In other
words, if none of the contexts in the list of contexts contains a username submitted
for authentication, the username must specify exactly how they are subordinate to
the contexts in the list of contexts. The user specifies the manner in which a
username is subordinate to a context by providing the additional context
information needed to uniquely identify the user in the NDS database.

Consider the following example tree:

[Root] whose treename=ABC

OU=ABC-Company

OU=sales

CN=Agamemnon

OU=marketing

CN=Odysseus

OU=marketing-research

CN=Penelope

OU=marketing-product

CN=Telemachus

If the context list configured in Cisco Secure ACS were:

ABC-Company,sales.ABC-Company

Agamemnon would successfully authenticate if he submitted “Agamemnon.sales”
as his username. If he submitted only “Agamemnon”, authentication would fail.

Table 13-1

lists the users given in the example tree and the username with context

that would allow each user to authenticate successfully.