Table Of Contents

Configuring an External Server for Authorization and Authentication

Understanding Policy Enforcement of Permissions and Attributes

Configuring an External LDAP Server

Reviewing the LDAP Directory Structure and Configuration Procedure

Organizing the Security Appliance LDAP Schema

Searching the Hierarchy

Binding the Security Appliance to the LDAP Server

Defining the Security Appliance LDAP Schema

Cisco-AV-Pair Attribute Syntax

Example Security Appliance Authorization Schema

Loading the Schema in the LDAP Server

Defining User Permissions

Example User File

Reviewing Examples of Active Directory Configurations

Example 1: Configuring LDAP Authorization with Microsoft Active Directory

Example 2: Configuring LDAP Authentication with Microsoft Active Directory

Example 3: LDAP Authentication and LDAP Authorization with Microsoft Active Directory

Configuring an External RADIUS Server

Reviewing the RADIUS Configuration Procedure

Security Appliance RADIUS Authentication Attributes

Configuring an External TACACS+ Server

Configuring an External Server for Authorization and Authentication

---

This appendix describes how to configure an external LDAP, RADIUS, or TACACS+ server to support AAA on the security appliance. Before you configure the security appliance to use an external server, you must configure the server with the correct security appliance authorization attributes and, from a subset of these attributes, assign specific permissions to individual users.

This appendix includes the following sections:

•Understanding Policy Enforcement of Permissions and Attributes

•Configuring an External LDAP Server

•Configuring an External RADIUS Server

•Configuring an External TACACS+ Server

Understanding Policy Enforcement of Permissions and Attributes

You can configure the security appliance to apply user attributes obtained from a RADIUS or LDAP authentication server, user attributes set in group policies on the security appliance, or both. If the security appliance receives attributes from both sources, the attributes are aggregated and applied to the user policy. If there are conflicts between attributes coming from the server and from a group policy, those attributes obtained from the Dynamic Access Policy (DAP) always take precedence.

To summarize, the VPN permission policy for user authorization is the aggregate of the DAP access attributes and the group-policy inheritance hierarchy.

The security appliance applies attributes in the following order:

1. DAP attributes—Take precedence over all others.

2. User attributes—The AAA server returns these after successful user authentication or authorization.

3. Group policy attributes —These attributes come from the group policy associated with the user. You identify the user group policy name in the local database by the vpn-group-policy attribute or from a RADIUS or LDAP server by the value of the RADIUS CLASS attribute (25) in the OU=GroupName. The group policy provides any attributes that are missing from the DAP or user attributes.

4. Connection profile (tunnel group) default-group-policy attributes —These attributes come from the default group policy associated with the connection profile. This group policy provides any attributes that are missing from the DAP, user or group policy.

5. System default attributes—System default attributes provide any values that are missing from the DAP, user, group policy, or connection profile.

Configuring an External LDAP Server

This section describes the structure, schema, and attributes of an LDAP server. It includes the following topics:

•Reviewing the LDAP Directory Structure and Configuration Procedure

•Organizing the Security Appliance LDAP Schema

•Defining the Security Appliance LDAP Schema

•Loading the Schema in the LDAP Server

•Defining User Permissions

•Reviewing Examples of Active Directory Configurations

---

Note For more information on the LDAP protocol, see RFCs 1777, 2251, and 2849.

---

Reviewing the LDAP Directory Structure and Configuration Procedure

An LDAP server stores information as entries in a directory. An LDAP schema defines what types of information such entries store. The schema lists classes and the set of required and optional attributes that objects of each class can contain.

To configure your LDAP server to interoperate with the security appliance, define a security appliance authorization schema. A security appliance authorization schema defines the class and attributes of that class that the security appliance supports. Specifically, it comprises the object class (User-Authorization) and all its possible attributes that may be used to authorize a security appliance user (such as access hours, primary DNS, and so on). Each attribute comprises the attribute name, number (called an object identifier or OID), type, and possible values.

Once you have defined the security appliance authorization schema and loaded it on your server, define the security appliance attributes and permissions and their respective values for each user who will be authorize use of the server.

In summary, to set up your LDAP server:

•Design your security appliance LDAP authorization schema based on the hierarchical set-up of your organization.

•Define the security appliance authorization schema.

•Load the schema on the LDAP server.

•Define permissions for each user on the LDAP server.

The specific steps of these processes vary, depending on which type of LDAP server you are using.

Organizing the Security Appliance LDAP Schema

This section describes how to perform searches within the LDAP hierarchy and authenticated binding to the LDAP server on the security appliance. It includes the following topics:

•Searching the Hierarchy

•Binding the Security Appliance to the LDAP Server

Before you actually create your schema, think about how your organization is structured. Your LDAP schema should reflect the logical hierarchy of your organization.

For example, suppose an employee at your company, Example Corporation, is named Terry. Terry works in the Engineering group. Your LDAP hierarchy could have one or many levels. You might decide to set up a shallow, single-level hierarchy in which Terry is considered a member of Example Corporation. Or, you could set up a multi-level hierarchy in which Terry is considered to be a member of the department Engineering, which is a member of an organizational unit called People, which is itself a member of Example Corporation. See Figure E-1 for an example of this multi-level hierarchy.

A multi-level hierarchy has more granularity, but a single level hierarchy is quicker to search.

Figure E-1 A Multi-Level LDAP Hierarchy

Searching the Hierarchy

The security appliance lets you tailor the search within the LDAP hierarchy. You configure the following three fields on the security appliance to define where in the LDAP hierarchy your search begins, the extent, and the type of information it is looking for. Together these fields allow you to limit the search of the hierarchy to only the part of the tree that contains the user permissions.

•LDAP Base DN defines where in the LDAP hierarchy the server should begin searching for user information when it receives an authorization request from the security appliance.

•Search Scope defines the extent of the search in the LDAP hierarchy. The search proceeds this many levels in the hierarchy below the LDAP Base DN. You can choose to have the server search only the level immediately below, or it can search the entire subtree. A single level search is quicker, but a subtree search is more extensive.

•Naming Attribute(s) defines the RDN that uniquely identifies an entry in the LDAP server. Common naming attributes are: cn (Common Name) and ui (user identification).

Figure E-1 shows a possible LDAP hierarchy for Example Corporation. Given this hierarchy, you could define your search in different ways. Table E-1 shows two possible search configurations.

In the first example configuration, when Terry establishes the IPSec tunnel with LDAP authorization required, the security appliance sends a search request to the LDAP server indicating it should search for Terry in the Engineering group. This search is quick.

In the second example configuration, the security appliance sends a search request indicating the server should search for Terry within Example Corporation. This search takes longer.

Table E-1 Example Search Configurations

#	LDAP Base DN	Search Scope	Naming Attribute	Result
1	group= Engineering,ou=People,dc=ExampleCorporation, dc=com	One Level	cn=Terry	Quicker search
2	dc=ExampleCorporation,dc=com	Subtree	cn=Terry	Longer search

Binding the Security Appliance to the LDAP Server

Some LDAP servers (including the Microsoft Active Directory server) require the security appliance to establish a handshake via authenticated binding before they accept requests for any other LDAP operations. The security appliance identifies itself for authenticated binding by attaching a Login DN field to the user authentication request. The Login DN field defines the authentication characteristics of the security appliance; these characteristics should correspond to those of a user with administrative privileges. An example Login DN field could be: cn=Administrator, cn=users, ou=people, dc=example, dc=com.

Defining the Security Appliance LDAP Schema

This section describes how to define the LDAP schema and AV-pair attribute syntax. It includes the following topics:

•Cisco-AV-Pair Attribute Syntax

•Example Security Appliance Authorization Schema

Once you have decided how to structure your user information in the LDAP hierarchy, define this organization in a schema. To define the schema, begin by defining the object class name. The class name for the security appliance directory is User-Authorization. The class has the object identifier (OID) 1.2.840.113556.1.8000.795.1.1. Every entry or user in the directory is an object of this class.

Some LDAP servers (for example, the Microsoft Active Directory LDAP server) do not allow you to reuse the class OID once you have defined it. Use the next incremental OID. For example, if you incorrectly defined the class name as Usr-Authorization with OID 1.2.840.113556.1.8000.795.1.1, you can enter the correct class name User-Authorization with the next OID, for example, 1.2.840.113556.1.8000.795.1.2.

For the Microsoft Active Directory LDAP server, define the schema in text form in a file using the LDAP Data Interchange Format (LDIF). This file has an extension of .ldif, for example: schema.ldif. Other LDAP servers use graphical user interfaces or script files to define the object class and its attributes. For more information on LDIF, see RFC-2849.

---

Note The appliances enforce the LDAP attributes based on attribute name, not numeric ID. RADIUS attributes, on the other hand, are enforced by numeric ID, not by name.

Authorization refers to the process of enforcing permissions or attributes. An LDAP server defined as an authentication or authorization server will enforce permissions or attributes if they are configured.

---

For a complete list of attributes for the security appliance, see Table E-2.

All strings are case-sensitive and you must use an attribute name as capitalized in the table even if it conflicts with how a term is typically written.

---

Note For software Version 7.0, LDAP attributes include the cVPN3000 prefix. For Version 7.1 and later, this prefix was removed.

---

Table E-2 Security Appliance Supported LDAP Cisco Schema Attributes  

Attribute Name/ OID (Object Identifier)	ASA	PIX	Attr. OID1	Syntax/ Type	Single or Multi- Valued	Possible Values
Access-Hours	Y	Y	1	String	Single	Name of the time-range (for example, Business-Hours)
Allow-Network-Extension- Mode	Y	Y	46	Boolean	Single	0 = Disabled 1 = Enabled
Authenticated-User-Idle- Timeout	Y	Y	36	Integer	Single	1 - 35791394 minutes
Authorization-Required			67	Integer	Single	0 = No 1 = Yes
Authorization-Type			68	Integer	Single	0 = None 1 = RADIUS 2 = LDAP
Auth-Service-Type
Cisco-AV-Pair	Y	Y	48	String	Multi	An octet string in the following format: [Prefix] [Action] [Protocol] [Source] [Source Wildcard Mask] [Destination] [Destination Wildcard Mask] [Established] [Log] [Operator] [Port] For more information, see "Cisco-AV-Pair Attribute Syntax."
Cisco-IP-Phone-Bypass	Y	Y	37	Integer	Single	0 = Disabled 1 = Enabled
Cisco-LEAP-Bypass	Y	Y	53	Integer	Single	0 = Disabled 1 = Enabled
Client-Intercept-DHCP- Configure-Msg	Y	Y	44	Boolean	Single	0 = Disabled 1 = Enabled
Client-Type-Version-Limiting	Y	Y	55	String	Single	IPSec VPN client version number string
Confidence-Interval	Y	Y	52	Integer	Single	10 - 300 seconds
DHCP-Network-Scope	Y	Y	54	String	Single	IP address
DN-Field	Y	Y	69	String	Single	Possible values: UID, OU, O, CN, L, SP, C, EA, T, N, GN, SN, I, GENQ, DNQ, SER, use-entire-name.
Firewall-ACL-In	Y	Y	93	String	Single	Access list ID
Firewall-ACL-Out	Y	Y	94	String	Single	Access list ID
IKE-DPD-Retry-Interval
IKE-Keep-Alives	Y	Y	29	Boolean	Single	0 = Disabled 1 = Enabled
IPSec-Allow-Passwd-Store	Y	Y	12	Boolean	Single	0 = Disabled 1 = Enabled
IPSec-Authentication			10	Integer	Single	0 = None 1 = RADIUS 2 = LDAP (authorization only) 3 = NT Domain 4 = SDI 5 = Internal 6 = RADIUS with Expiry 7 = Kerberos/Active Directory
IPSec-Auth-On-Rekey	Y	Y	30	Boolean	Single	0 = Disabled 1 = Enabled
IPSec-Backup-Server-List	Y	Y	43	String	Single	Server Addresses (space delimited)
IPSec-Backup-Servers	Y	Y	42	String	Single	1 = Use Client-Configured list 2 = Disabled and clear client list 3 = Use Backup Server list
IPSec-Banner1	Y	Y	11	String	Single	Banner string
IPSec-Banner2	Y	Y	24	String	Single	Banner string
IPSec-Client-Firewall-Filter- Name			40	String	Single	Specifies the name of the filter to be pushed to the client as firewall policy.
IPSec-Client-Firewall-Filter- Optional	Y	Y	41	Integer	Single	0 = Required 1 = Optional
IPSec-Default-Domain	Y	Y	17	String	Single	Specifies the single default domain name to send to the client (1 - 255 characters).
IPSec-IKE-Peer-ID-Check	Y	Y	28	Integer	Single	1 = Required 2 = If supported by peer certificate 3 = Do not check
IPSec-IP-Compression	Y	Y	27	Integer	Single	0 = Disabled 1 = Enabled
IPSec-Mode-Config	Y	Y	20	Boolean	Single	0 = Disabled 1 = Enabled
IPSec-Over-UDP	Y	Y	22	Boolean	Single	0 = Disabled 1 = Enabled
IPSec-Over-UDP-Port	Y	Y	23	Integer	Single	4001 - 49151; default = 10000
IPSec-Required-Client-Firewall-Capability	Y	Y	39	Integer	Single	0 = None 1 = Policy defined by remote FW Are-You-There (AYT) 2 = Policy pushed CPP 4 = Policy from server
IPSec-Sec-Association			9	String	Single	Name of the security association
IPSec-Split-DNS-Names	Y	Y	18	String	Single	Specifies the list of secondary domain names to send to the client (1 - 255 characters).
IPSec-Split-Tunneling-Policy	Y	Y	38	Integer	Single	0 = Tunnel everything 1 = Split tunneling 2 = Local LAN permitted
IPSec-Split-Tunnel-List	Y	Y	16	String	Single	Specifies the name of the network or access list that describes the split tunnel inclusion list.
IPSec-Tunnel-Type	Y	Y	19	Integer	Single	1 = LAN-to-LAN 2 = Remote access
IPSec-User-Group-Lock			21	Boolean	Single	0 = Disabled 1 = Enabled
L2TP-Encryption			15	Integer	Single	Bitmap: 1 = Encryption required 2 = 40 bit 4 = 128 bits 8 = Stateless-Req 15 = 40/128-Encr/Stateless-Req
L2TP-MPPC-Compression			26	Integer	Single	0 = Disabled 1 = Enabled
LDAP-Base-DN
LDAP-CRL-Data
LDAP-Filter
LDAP-Host-Name
LDAP-Host-Port
LDAP-Login
LDAP-Password
LDAP-Request-Type
LDAP-Scope
LDAP-Version
MS-Client-Subnet-Mask	Y	Y	45	String	Single	An IP address
PFS-Required	Y	Y	95	Boolean	Single	0 = No 1 = Yes
Port-Forwarding-Name	Y		60	String	Single	Name string (for example, "Corporate-Apps")
PPTP-Encryption			14	Integer	Single	Bitmap: 1 = Encryption required 2 = 40 bits 4 = 128 bits 8 = Stateless-Required Example: 15 = 40/128-Encr/Stateless-Req
PPTP-MPPC-Compression			25	Integer	Single	0 = Disabled 1 = Enabled
Primary-DNS	Y	Y	3	String	Single	An IP address
Primary-WINS	Y	Y	5	String	Single	An IP address
Privilege-Level
Required-Client- Firewall-Vendor-Code	Y	Y	31	Integer	Single	1 = Cisco Systems (with Cisco Integrated Client) 2 = Zone Labs 3 = NetworkICE 4 = Sygate 5 = Cisco Systems (with Cisco Intrusion Prevention Security Agent)
Required-Client-Firewall- Description	Y	Y	33	String	Single	String
Required-Client-Firewall- Product-Code	Y	Y	32	Integer	Single	Cisco Systems Products: 1 = Cisco Intrusion Prevention Security Agent or Cisco Integrated Client (CIC) Zone Labs Products: 1 = Zone Alarm 2 = Zone AlarmPro 3 = Zone Labs Integrity NetworkICE Product: 1 = BlackIce Defender/Agent Sygate Products: 1 = Personal Firewall 2 = Personal Firewall Pro 3 = Security Agent
Require-HW-Client-Auth	Y	Y	35	Boolean	Single	0 = Disabled 1 = Enabled
Require-Individual-User-Auth	Y	Y	34	Integer	Single	0 = Disabled 1 = Enabled
Secondary-DNS	Y	Y	4	String	Single	An IP address
Secondary-WINS	Y	Y	6	String	Single	An IP address
SEP-Card-Assignment			7	Integer	Single	Not used
Simultaneous-Logins	Y	Y	2	Integer	Single	0-2147483647
Strip-Realm	Y	Y	47	Boolean	Single	0 = Disabled 1 = Enabled
TACACS-Authtype
TACACS-Privilege-Level
Tunnel-Group-Lock	Y	Y	92	String	Single	Name of the tunnel group or "none"
Tunneling-Protocols	Y	Y	8	Integer	Single	1 = PPTP 2 = L2TP 4 = IPSec 8 = L2TP/IPSec 16 = Clientless SSL VPN. 8 and 4 are mutually exclusive (0 - 11, 16 - 27 are legal values)
Use-Client-Address			13	Boolean	Single	0 = Disabled 1 = Enabled
User-Auth-Server-Name			49	String	Single	IP address or hostname
User-Auth-Server-Port			50	Integer	Single	Port number for server protocol
User-Auth-Server-Secret			51	String	Single	Server password
WebVPN-ACL-Filters	Y		72	String	Single	Access-List name
WebVPN-Apply-ACL-Enable	Y		84	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-Citrix-Support-Enable	Y		83	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-Content-Filter- Parameters	Y		56	Integer	Single	1 = Java & ActiveX 2 = Java scripts 4 = Images 8 = Cookies in images Add the values to filter multiple parameters. For example: enter 10 to filter both Java scripts and cookies. (10 = 2 + 8)
WebVPN-Enable-functions			57	Integer	Single	Not used - deprecated
WebVPN-Exchange-Server- Address			58	String	Single	Not used - deprecated
WebVPN-Exchange-Server- NETBIOS-Name			59	String	Single	Not used - deprecated
WebVPN-File-Access-Enable	Y		76	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-File-Server-Browsing-Enable	Y		78	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-File-Server-Entry- Enable	Y		77	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-Forwarded-Ports	Y		71	String	Single	Port-Forward list name
WebVPN-Homepage	Y		73	String	Single	A URL such as http://example-portal.com.
WebVPN-Macro-Substitution-Value1
WebVPN-Macro-Substitution-Value2
WebVPN-Port-Forwarding- Auto-Download-Enable	Y		82	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-Port-Forwarding- Enable	Y		79	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-Port-Forwarding- Exchange-Proxy-Enable	Y		80	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-Port-Forwarding- HTTP-Proxy-Enable	Y		81	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-Port-Forwarding-Enable
WebVPN-Port-Forwarding-Exchange-Proxy-Enable
WebVPN-Port-Forwarding-HTTP-Proxy-Enable
WebVPN-Port-Forwarding-Name
WebVPN-Single-Sign-On- Server-Name	Y		74	String	Single	Name of the SSO Server (1 - 31 characters).
WebVPN-SVC-Client-DPD	Y		97	Integer	Single	0 = Disabled n = Dead Peer Detection value in seconds (30 - 3600)
WebVPN-SVC-Compression	Y		101	Integer	Single	0 = None 1 = Deflate Compression
WebVPN-SVC-Enable	Y		85	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-SVC-Gateway-DPD	Y		98	Integer	Single	0 = Disabled n = Dead Peer Detection value in seconds (30 - 3600)
WebVPN-SVC-Keepalive	Y		96	Integer	Single	0 = Disabled n = Keepalive value in seconds (15 - 600)
WebVPN-SVC-Keep-Enable	Y		87	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-SVC-Rekey-Method	Y		100	Integer	Single	0 = None 1 = SSL 2 = New tunnel 3 = Any (sets to SSL)
WebVPN-SVC-Rekey-Period	Y		99	Integer	Single	0 = Disabled n = Retry period in minutes (4 - 10080)
WebVPN-SVC-Required-Enable	Y		86	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-Unix-GID
WebVPN-Unix-UID
WebVPN-URL-Entry-Enable	Y		75	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-URL-List	Y		70	String	Single	URL-list name
X509-Cert-Data

1 To get the complete Object Identifier of each attribute, append the number in the column to the end of 1.2.840.113556.8000.795.2. Thus, the OID of the first attribute in the table, Access-Hours, is 1.2.840.113556.8000.795.2.1. Likewise, the OID of the last attribute in the table, WebVPN-SVC-Compression, is 1.2.840.113556.8000.795.2.115.

Cisco-AV-Pair Attribute Syntax

The syntax of each Cisco-AV-Pair rule is as follows:

[Prefix] [Action] [Protocol] [Source] [Source Wildcard Mask] [Destination] [Destination 
Wildcard Mask] [Established] [Log] [Operator] [Port]

Table E-3 describes the syntax rules.

Table E-3 AV-Pair Attribute Syntax Rules

Field	Description
Prefix	A unique identifier for the AV pair. For example: ip:inacl#1= (used for standard access lists) or webvpn:inacl# (used for clientless SSL VPN access lists). This field only appears when the filter has been sent as an AV pair.
Action	Action to perform if rule matches: deny, permit.
Protocol	Number or name of an IP protocol. Either an integer in the range 0 - 255 or one of the following keywords: icmp, igmp, ip, tcp, udp.
Source	Network or host that sends the packet. It is specified as an IP address, a hostname, or the keyword "any". If specified as an IP address, the source wildcard mask must follow.
Source Wildcard Mask	The wildcard mask applied to the source address.
Destination	Network or host that receives the packet. It is specified as an IP address, a hostname, or the keyword "any." If specified as an IP address, the source wildcard mask must follow.
Destination Wildcard Mask	The wildcard mask applied to the destination address.
Log	Generates a FILTER log message. You must use this keyword to generate events of severity level 9.
Operator	Logic operators: greater than, less than, equal to, not equal to.
Port	The number of a TCP or UDP port in the range 0 - 65535.

For example:

ip:inacl#1=deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log 

ip:inacl#2=permit TCP any host 10.160.0.1 eq 80 log 

webvpn:inacl#1=permit url http://www.website.com

webvpn:inacl#2=deny smtp any host 10.1.3.5

webvpn:inacl#3=permit url cifs://mar_server/peopleshare1

---

Note Use Cisco-AV pair entries with the ip:inacl# prefix to enforce access lists for remote IPSec and SSL VPN Client (SVC) tunnels.

Use Cisco-AV pair entries with the webvpn:inacl# prefix to enforce access lists for clientless SSL (browser-mode) tunnels.

---

Table E-4 lists the tokens for the Cisco-AV-pair attribute:

Table E-4 Security Appliance-Supported Tokens

Token		Syntax Field	Description
ip:inacl#Num=		N/A (Identifier)	(Where Num is a unique integer.) Starts all AV pair access control lists. Enforces access lists for remote IPSec and SSL VPN (SVC) tunnels.
webvpn:inacl#Num=		N/A (Identifier)	(Where Num is a unique integer.) Starts all clientless SSL AV pair access control lists. Enforces access lists for clientless SSL (browser-mode) tunnels.
deny		Action	Denies action. (Default)
permit		Action	Allows action.
icmp		Protocol	Internet Control Message Protocol (ICMP)
1		Protocol	Internet Control Message Protocol (ICMP)
IP		Protocol	Internet Protocol (IP)
0		Protocol	Internet Protocol (IP)
TCP		Protocol	Transmission Control Protocol (TCP)
6		Protocol	Transmission Control Protocol (TCP)
UDP		Protocol	User Datagram Protocol (UDP)
17		Protocol	User Datagram Protocol (UDP)
any		Hostname	Rule applies to any host.
host		Hostname	Any alpha-numeric string that denotes a hostname.
log		Log	When the event is hit, a filter log message appears. (Same as permit and log or deny and log.)
lt		Operator	Less than value
gt		Operator	Greater than value
eq		Operator	Equal to value
neq		Operator	Not equal to value
range		Operator	Inclusive range. Should be followed by two values.

Example Security Appliance Authorization Schema

This section provides a sample of an LDAP schema. This schema supports the security appliance class and attributes. It is specific to the Microsoft Active Directory LDAP server. Use it as a model, with Table E-2, to define your own schema for your own LDAP server.

Schema 3k_schema.ldif

dn: CN=Access-Hours,CN=Schema,CN=Configuration,OU=People,DC=ExampleCorporation,DC=com 

changetype: add

adminDisplayName: Access-Hours

attributeID: 1.2.840.113556.1.8000.795.2.1

attributeSyntax: 2.5.5.3

cn: Access-Hours

instanceType: 4

isSingleValued: TRUE

lDAPDisplayName: Access-Hours

distinguishedName: 

 CN=Access-Hours,CN=Schema,CN=Configuration,OU=People,DC=ExampleCorporation,DC=com 

objectCategory: 

 CN=Attribute-Schema,CN=Schema,CN=Configuration,OU=People,DC=ExampleCorporation,DC=com 

objectClass: attributeSchema

oMSyntax: 27

name: Access-Hours

showInAdvancedViewOnly: TRUE

.....

.... (define subsequent security appliance authorization attributes here)

....

dn: CN=Primary-DNS,CN=Schema,CN=Configuration,OU=People,DC=ExampleCorporation,DC=com 

changetype: add

adminDisplayName: Primary-DNS

attributeID: 1.2.840.113556.1.8000.795.2.3

attributeSyntax: 2.5.5.3

cn: Primary-DNS

instanceType: 4

isSingleValued: TRUE

lDAPDisplayName: Primary-DNS

distinguishedName: 

 CN=Primary-DNS,CN=Schema,CN=Configuration,OU=People,DC=ExampleCorporation,DC=com 

objectCategory: 

 CN=Attribute-Schema,CN=Schema,CN=Configuration,OU=People,DC=ExampleCorporation,DC=com 

objectClass: attributeSchema

oMSyntax: 27

name: Primary-DNS

showInAdvancedViewOnly: TRUE

.....

.... (define subsequent security appliance authorization attributes here)

....

dn: 
CN=Confidence-Interval,CN=Schema,CN=Configuration,OU=People,DC=ExampleCorporation,DC=com 

changetype: add

adminDisplayName: Confidence-Interval

attributeID: 1.2.840.113556.1.8000.795.2.52

attributeSyntax: 2.5.5.9

cn: Confidence-Interval

instanceType: 4

isSingleValued: TRUE