User Accounts Query for Authenticating Administrative Users
To authenticate external users, AsyncOS uses a query to search for the user record in the LDAP directory, together with the attribute that contains the user's full name. Depending on the server type you select, AsyncOS enters a default query string and a default attribute. You can choose to have the appliance deny users with expired accounts if your LDAP user records contain the RFC 2307 shadow attributes (shadowLastChange, shadowMax, and shadowExpire). You must supply the base DN for the domain level where the user records reside.
The following table shows the default query string and full user name attribute that AsyncOS uses when it searches for a user account on an Active Directory server.
| Server Type | Active Directory |
|---|---|
| Base DN | [blank] (You need to use a specific base DN to find the user records.) |
| Query String | `(&(objectClass=user)(sAMAccountName={u}))` |
| Attribute containing the user's full name | `displayName` |
The following table shows the default query string and full user name attribute that AsyncOS uses when it searches for a user account on an OpenLDAP server.
| Server Type | OpenLDAP |
|---|---|
| Base DN | [blank] (You need to use a specific base DN to find the user records.) |
| Query String | `(&(objectClass=posixAccount)(uid={u}))` |
| Attribute containing the user's full name | `gecos` |
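The following is an added illustration, not AsyncOS code: it shows how the two default query strings are turned into a concrete LDAP search filter by substituting `{u}` (with RFC 4515 escaping, since the login name is user-supplied) and how the RFC 2307 shadow attributes named above can decide whether an account is expired. The `{u}` placeholder and attribute names come from the tables; the expiry thresholds (deny on or after `shadowExpire`, deny once `shadowLastChange + shadowMax` has passed) and the treatment of absent attributes as "no restriction" are assumptions of this example.

```python
from datetime import date
from typing import Mapping, Optional

# Default query strings from the tables above; {u} is replaced with the login name.
AD_QUERY = "(&(objectClass=user)(sAMAccountName={u}))"
OPENLDAP_QUERY = "(&(objectClass=posixAccount)(uid={u}))"

# RFC 4515 escaping for values embedded in a search filter. Without it a login
# name containing "*", "(" or ")" would alter the structure of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_query(template: str, login: str) -> str:
    """Substitute {u} in the default query template with the escaped login name."""
    return template.replace("{u}", escape_filter_value(login))


def account_expired(entry: Mapping[str, str], today: Optional[date] = None) -> bool:
    """Apply the RFC 2307 shadow attributes to decide whether to deny the login.

    shadowLastChange and shadowExpire are days since 1970-01-01; shadowMax is a
    number of days. Absent attributes impose no restriction (assumption).
    """
    today = today or date.today()
    days = (today - date(1970, 1, 1)).days
    expire = entry.get("shadowExpire")
    if expire is not None and days >= int(expire):
        return True  # account expiry date reached
    last, max_age = entry.get("shadowLastChange"), entry.get("shadowMax")
    if last is not None and max_age is not None and days > int(last) + int(max_age):
        return True  # password lifetime exceeded
    return False


# Constructed OpenLDAP user record for demonstration (not from a real directory).
SAMPLE_ENTRY = {
    "uid": "alice",
    "gecos": "Alice Example",
    "shadowLastChange": "18900",
    "shadowMax": "90",
}

if __name__ == "__main__":
    print(build_user_query(OPENLDAP_QUERY, SAMPLE_ENTRY["uid"]))
    print("expired:", account_expired(SAMPLE_ENTRY, date(2022, 1, 1)))
```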