LDAP Attribute Information
When configuring LDAP attributes, the following information could be helpful:
- If multiple attributes are defined for a group, an LDAP user must meet all of them to be a member of that group.
- LDAP authentication binds to the LDAP tree using the same credentials that are supplied for authentication. When used against Active Directory, this requires that the login credentials provided match the CN (common name) attribute of the user rather than the sAMAccountName (login name). For example, if your Active Directory login name is gkam and your full name is guitar kam, the username to provide when logging in to the SMA appliance with LDAP authentication depends on the following:
  - If a login name is supplied, that name is used to bind to the tree.
  - If the field is blank, you need to log in with the full name.
  - If the field is filled in with a full login name, log in with the sAMAccountName.
- If no attributes are defined, then any user authorized by the LDAP server can be a member of the group.
- If multiple groups are defined and a user meets all the LDAP attributes for two groups, then the user is considered part of the group with the most LDAP attributes defined. If the matching LDAP groups have an equal number of attributes, then the user is considered a member of the group based on the alphabetical order of the groups.
- If an LDAP user does not meet the LDAP attributes of any LDAP group configured on the SMA appliance, the user is not able to log in to the portal. The LDAP attributes feature therefore not only lets the administrator create individual rules based on the LDAP group or organization, it also lets the administrator restrict portal login to certain LDAP users.
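
The group-selection rules in the list above, modeled as an added example (not the appliance's own code) so an administrator can predict which group a user lands in. Group names, attribute values and users are constructed; case-insensitive value comparison and "alphabetically first group wins" on a tie are assumptions.

```python
# Model of the rules above: all attributes must match, most attributes wins,
# ties resolve alphabetically, and no match means no portal login.

def matches(user_attrs, required):
    """True if the user holds every (name, value) pair the group requires.
    A group with no attributes matches any user the LDAP server authorized."""
    return all(
        value.casefold() in {v.casefold() for v in user_attrs.get(name, [])}
        for name, value in required
    )

def resolve_group(user_attrs, groups):
    """Return the group the user is placed in, or None when the user meets
    no group's attributes (login to the portal is refused).

    groups maps a group name to its list of (attribute, value) pairs."""
    candidates = [g for g, req in groups.items() if matches(user_attrs, req)]
    if not candidates:
        return None
    # Most attributes defined wins; a tie falls back to alphabetical order
    # (assumed here to mean the alphabetically first group name).
    return min(candidates, key=lambda g: (-len(groups[g]), g.casefold()))

# Constructed sample configuration and directory entries.
ENG = "CN=Eng,OU=Groups,DC=example,DC=com"
CON = "CN=Contract,OU=Groups,DC=example,DC=com"
GROUPS = {
    "Engineering": [("memberOf", ENG), ("department", "R&D")],
    "Contractors": [("memberOf", CON), ("department", "R&D")],
    "Staff": [("objectClass", "user")],
}
USERS = {
    # Meets Engineering (2 attributes) and Staff (1): Engineering wins.
    "alice": {"memberOf": [ENG], "department": ["R&D"], "objectClass": ["user"]},
    # Meets Engineering and Contractors (2 each): alphabetical tie-break.
    "bob": {"memberOf": [ENG, CON], "department": ["R&D"], "objectClass": ["user"]},
    # Meets only Staff.
    "carol": {"objectClass": ["user"]},
    # Meets nothing: cannot log in unless a group with no attributes exists.
    "dave": {"objectClass": ["computer"]},
}

if __name__ == "__main__":
    for name, attrs in USERS.items():
        print(name, "->", resolve_group(attrs, GROUPS) or "login refused")
```

Running the same check with an attribute-less group added shows how such a group admits every user the LDAP server authorizes, which is worth reviewing before relying on attributes to restrict portal access.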