LDAP accounts
The system assigns LDAP accounts to groups of users and controls the access at the group level. You assign access levels to the groups on the Lightweight Directory Access Protocol (LDAP) server by using role mapping. By default, no mappings are configured, which means that if you have configured the system so that the LDAP server manages both authentication and authorization, members of LDAP-managed account groups have no access to the system.
The following topics provide information and instructions about working with LDAP accounts:
The system can integrate with the following LDAP servers:
- Microsoft Windows Server 2003 Active Directory
- OpenLDAP (slapd)
- Oracle Application Server
A user with the Security role can configure the system to automatically create Observer accounts for users that are registered on the LDAP server. When this feature is enabled, you do not need to add accounts administratively for remotely authenticated or authorized users.
The following approaches are possible:
- Hybrid — The system only authenticates LDAP users. These users acquire Observer accounts.
- Full — LDAP users are authenticated and authorized. These users acquire accounts that are associated with the roles mapped to their LDAP group. If no explicit role mapping exists, they acquire accounts that are associated with the "catch-all" role (configurable in the Role mapping view of the Accounts and LDAP management page).
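The two approaches above, together with the default-deny behaviour described at the top of this topic, can be modelled as a small decision function. The following is an added example written for this page, not the product's own code. It assumes that LDAP group names are compared as normalised distinguished names (case-insensitive, whitespace around separators ignored), that a user in several mapped groups receives the union of the mapped roles, and that an empty result means no access; all group DNs and role names in it are constructed sample values.

```python
"""Model of the LDAP role-mapping decision described on this page.

Hybrid mode: LDAP only authenticates; every LDAP user gets an Observer account.
Full mode:   the user's LDAP groups are matched against the role-mapping rules;
             if none match, the catch-all role applies when one is configured,
             otherwise the user gets no access (the documented default, since
             no mappings exist until an administrator adds them).
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


def normalise_dn(dn: str) -> str:
    """Normalise a DN for comparison (assumption: cn/ou/dc values are matched
    case-insensitively and spaces around RDN separators are insignificant)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


@dataclass
class LdapAccessConfig:
    # "hybrid": LDAP authenticates only; "full": LDAP authenticates and authorises.
    mode: str
    # Role-mapping rules: LDAP group DN -> system role. Empty by default.
    role_mappings: Dict[str, str] = field(default_factory=dict)
    # Optional catch-all role used in full mode when no rule matches.
    catch_all_role: Optional[str] = None

    def __post_init__(self) -> None:
        if self.mode not in ("hybrid", "full"):
            raise ValueError(f"unknown mode {self.mode!r}")
        # Store rule keys in normalised form so lookups are consistent.
        self.role_mappings = {normalise_dn(g): r for g, r in self.role_mappings.items()}


def resolve_roles(user_groups: Iterable[str], cfg: LdapAccessConfig) -> List[str]:
    """Return the sorted list of roles an LDAP user receives; [] means no access."""
    if cfg.mode == "hybrid":
        # Authentication only: the user acquires an Observer account.
        return ["Observer"]
    matched = {cfg.role_mappings[g] for g in map(normalise_dn, user_groups)
               if g in cfg.role_mappings}
    if matched:
        return sorted(matched)
    # No explicit mapping matched: fall back to the catch-all role if one is
    # configured, otherwise deny (fail closed).
    return [cfg.catch_all_role] if cfg.catch_all_role else []


def has_access(user_groups: Iterable[str], cfg: LdapAccessConfig) -> bool:
    """True when the user would receive at least one role."""
    return bool(resolve_roles(user_groups, cfg))


if __name__ == "__main__":
    # Constructed sample group memberships for one LDAP user.
    groups = ["CN=NetOps, OU=Groups, DC=example, DC=com",
              "cn=auditors,ou=groups,dc=example,dc=com"]

    print(resolve_roles(groups, LdapAccessConfig(mode="full")))      # [] - default: no access
    print(resolve_roles(groups, LdapAccessConfig(mode="hybrid")))    # ['Observer']

    mapped = LdapAccessConfig(
        mode="full",
        role_mappings={"cn=netops,ou=groups,dc=example,dc=com": "Admin",
                       "cn=auditors,ou=groups,dc=example,dc=com": "Observer"})
    print(resolve_roles(groups, mapped))                              # ['Admin', 'Observer']

    catch_all = LdapAccessConfig(
        mode="full",
        role_mappings={"cn=security,ou=groups,dc=example,dc=com": "Security"},
        catch_all_role="Observer")
    print(resolve_roles(groups, catch_all))                           # ['Observer']
```

The first call is the case to watch for in a new deployment: with the server set to full mode and no rules added yet, every LDAP-managed user is denied, which is the safe default but also a common reason for "LDAP login succeeds but the user cannot do anything" reports.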
Related topics
Adding-a-role-mapping-rule
Creating-an-LDAP-managed-account
Creating-a-local-account