LDAP PIP
When we add or modify an LDAP policy information point (PIP), we configure a connection to an LDAP server. We also determine what information to use from the LDAP directory.
Connection properties
Name: Identifies the policy information point instance. This name must be unique to the instance. Do not use a predefined Advanced Access Control policy information point issuer name. The name that we create is the issuer for any attributes the policy information point instance returns.
Description: Describes the policy information point. (Optional)
Type: Policy information point type, which is LDAP. (Read only)
LDAP Server Connection: LDAP server from which to retrieve the attributes. Select one of the defined LDAP servers from the list. If the server we require is not available to select in the list, we must define it.
Attribute properties
Base DN: Base DN of the directory server that determines where to search for attribute values. For example, we can specify o=Example_Organization,c=us.
Search filter: Search filter for the attribute values we require. Any LDAP search filter is supported. For example, specify (|(objectclass=ePerson)(objectclass=Person)). We can also build the search filter dynamically at runtime from attribute values. The attribute that we use must match the name field of that attribute. For example, (&(cn={username})(|(objectclass=ePerson)(objectclass=Person))).
Search timeout (seconds): Amount of time, in seconds, that is allowed for a search operation before the LDAP server is considered to be down. The default is 120 seconds.
Attribute: Attributes that are retrieved from a response and that can be used in a policy or risk score. Each attribute is mapped to an associated LDAP registry attribute. We can use one or more attributes, and we can add, modify, or delete attributes. The attributes that we add here must already be defined in the appliance local management interface. Do not delete an attribute used in a policy or risk score.
Selector: Name of an LDAP registry attribute.
Cache properties
Cache size: Maximum number of entries to keep in the cache.
Cache entry lifetime: Lifetime of cache entries, in seconds.
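The following is an added example, not code from the product: it shows how a {username}-style placeholder in a search filter can be expanded at runtime with the value escaped per RFC 4515, so that filter metacharacters in the value are matched as literal text. The function names and the sample usernames are assumptions made for illustration.

```python
import re

# RFC 4515 requires these characters to be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_PLACEHOLDER = re.compile(r"\{([A-Za-z0-9_.:-]+)\}")


def escape_filter_value(value: str) -> str:
    """Escape a runtime value so the directory treats it as a literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, attributes: dict) -> str:
    """Replace each {name} placeholder with the escaped attribute value.

    Raises KeyError if no runtime attribute has that name, rather than
    sending a filter that still contains an unexpanded placeholder.
    """
    def substitute(match):
        name = match.group(1)
        if name not in attributes:
            raise KeyError(f"no runtime attribute named {name!r}")
        return escape_filter_value(str(attributes[name]))

    return _PLACEHOLDER.sub(substitute, template)


# Dynamic search filter from the Search filter property description.
TEMPLATE = "(&(cn={username})(|(objectclass=ePerson)(objectclass=Person)))"

if __name__ == "__main__":
    # Constructed sample values: an ordinary name and one containing
    # filter metacharacters.
    for username in ("jsmith", "j*)(cn=*"):
        print(expand_filter(TEMPLATE, {"username": username}))
```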