User Management
1093
SonicOS 5.8.1 Administrator Guide
Step 19 The User group membership attribute field contains the information in the user object of
which groups it belongs to. This is memberOf in Microsoft Active Directory. The other
predefined schemas store group membership information in the group object rather than the
user object, and therefore do not use this field.
Step 20 In the Additional user group ID attribute field, enter the attribute that contains the user’s
primary group ID. This field is used to retrieve primary user group information for user accounts, and
works together with the Additional user group match attribute option. To enable directory
searches for the primary user group, select the Use checkbox.
Windows has the concept of each user having a primary user group, which is normally Domain
Users for domain users and Admin Users for administrators. However, an LDAP search for a
user’s group memberships does not include that primary group in the list returned from Active
Directory. Therefore, to allow setting rules and policies for the Domain Users or Admin Users
groups, the appliance also needs to retrieve a user’s primary user group with a separate LDAP
search.
An attribute must be used for the search, because in Active Directory the user’s primary group
is not set by name as other user group memberships are. Instead, it is set in the user object by
a primaryGroupID attribute that holds an ID number, and the matching user group object carries
the same ID number in its primaryGroupToken attribute.
To allow these user groups to be used on the appliance for applying group policies, after
reading the user object with its user group memberships from LDAP, the appliance needs to
perform an additional search for a user group with a primaryGroupToken attribute matching the
user’s primaryGroupID attribute.
Use of these attributes is off by default, as there is additional time overhead in user group
searches. The Use checkbox must be enabled to search for a user’s primary user group.
Although this is primarily for attributes of Active Directory, it can operate with any schema to
allow a search for one additional user group by setting appropriate attribute values in the
Additional user group ID attribute and Additional user group match attribute fields. These
fields default to primaryGroupID and primaryGroupToken when Active Directory is selected.
Step 21 The Framed IP address attribute field can be used to retrieve a static IP address that is
assigned to a user in the directory. Currently it is only used for a user connecting using L2TP
with the SonicWALL security appliance L2TP server. In future releases, this may also be
supported for the SonicWALL Global VPN Client (GVC). In Active Directory, the static IP address
is configured on the Dial-in tab of a user’s properties.
Step 22 The Object class field defines the type of entries that an LDAP directory may contain. A sample
object class, as used by AD, would be ‘user’ or ‘group’.
Step 23 The Member attribute field defines which attribute is used for login authentication.
Step 24 The Additional user group match attribute field defines the attribute that contains the user
group ID for the user. The Additional user group match attribute field works together with
the Additional user group ID attribute field. For more information about these fields, see Step
20 above.
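The following is an added example, not part of the Administrator Guide or of SonicOS itself. It models in Python how the fields from Step 19 through Step 24 combine when a user’s effective group list is resolved: group membership read from the user object (memberOf) or from the group object (member), followed by the separate search that matches the user’s Additional user group ID attribute (primaryGroupID) against the Additional user group match attribute (primaryGroupToken) when Use is enabled. The directory, DNs and RIDs below are constructed stand-ins for a real LDAP server (no network access), the LdapSchema class and all function names are the example’s own, and primaryGroupToken, which Active Directory computes on the fly, is simply stored on the sample group entries.

```python
"""Resolve a user's effective LDAP groups, including the separately searched primary group.

All data here is constructed for illustration; DIRECTORY stands in for an LDAP server.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory: DN -> attributes (every attribute multi-valued, as in LDAP)
BASE = "DC=example,DC=test"
ALICE = f"CN=alice,CN=Users,{BASE}"
DOMAIN_USERS = f"CN=Domain Users,CN=Users,{BASE}"
DOMAIN_ADMINS = f"CN=Domain Admins,CN=Users,{BASE}"
VPN_USERS = f"CN=VPN Users,CN=Users,{BASE}"

DIRECTORY = {
    ALICE: {
        "objectClass": ["user"],
        "sAMAccountName": ["alice"],
        "memberOf": [VPN_USERS],      # the primary group is NOT listed here
        "primaryGroupID": ["513"],    # constructed RID for Domain Users
    },
    DOMAIN_USERS: {"objectClass": ["group"], "primaryGroupToken": ["513"], "member": []},
    DOMAIN_ADMINS: {"objectClass": ["group"], "primaryGroupToken": ["512"], "member": []},
    VPN_USERS: {"objectClass": ["group"], "primaryGroupToken": ["1105"], "member": [ALICE]},
}


@dataclass
class LdapSchema:
    """Hypothetical mirror of the page's schema fields; defaults are the Active Directory ones."""
    object_class: str = "group"                     # Step 22
    user_group_membership_attr: Optional[str] = "memberOf"  # Step 19; None = stored on the group
    member_attr: str = "member"                     # Step 23
    additional_user_group_id_attr: str = "primaryGroupID"        # Step 20
    additional_user_group_match_attr: str = "primaryGroupToken"  # Step 24
    use_additional_user_group: bool = False         # the "Use" checkbox, off by default


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping so a value dropped into a filter cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def render_filter(conditions) -> str:
    """Render ANDed (attribute, value) equality conditions as an LDAP filter string."""
    parts = "".join(f"({a}={ldap_escape(v)})" for a, v in conditions)
    return parts if len(conditions) == 1 else f"(&{parts})"


def search(conditions):
    """Stand-in for an LDAP subtree search: DNs whose attributes satisfy every condition."""
    return [dn for dn, attrs in DIRECTORY.items()
            if all(v in attrs.get(a, []) for a, v in conditions)]


def resolve_groups(user_dn: str, schema: LdapSchema) -> set:
    """Groups the appliance would see for user_dn under the given schema settings."""
    user = DIRECTORY[user_dn]
    if schema.user_group_membership_attr:
        # Active Directory style: membership listed on the user object
        groups = set(user.get(schema.user_group_membership_attr, []))
    else:
        # Other schemas: membership listed on the group object, so search the groups
        groups = set(search([("objectClass", schema.object_class),
                             (schema.member_attr, user_dn)]))
    if schema.use_additional_user_group:
        # Second search: group whose match attribute equals the user's group ID attribute
        for gid in user.get(schema.additional_user_group_id_attr, []):
            groups.update(search([("objectClass", schema.object_class),
                                  (schema.additional_user_group_match_attr, gid)]))
    return groups


def primary_group_filter(user_dn: str, schema: LdapSchema) -> str:
    """The filter string the additional search sends, for inspection in server logs."""
    gid = DIRECTORY[user_dn][schema.additional_user_group_id_attr][0]
    return render_filter([("objectClass", schema.object_class),
                          (schema.additional_user_group_match_attr, gid)])


def policy_applies(user_dn: str, group_dn: str, schema: LdapSchema) -> bool:
    """Would a rule written for group_dn match this user under this schema configuration?"""
    return group_dn in resolve_groups(user_dn, schema)


if __name__ == "__main__":
    for use in (False, True):
        s = LdapSchema(use_additional_user_group=use)
        print(f"Use={use}: Domain Users policy applies ->", policy_applies(ALICE, DOMAIN_USERS, s))
    print("extra search:", primary_group_filter(ALICE, LdapSchema()))
```

The point to take away for policy work: with the Use checkbox left off, a rule written for Domain Users never matches alice even though she is a domain member, because her group list comes back as VPN Users alone. Enabling it adds exactly one more group per user, found by the filter that primary_group_filter renders, which is the extra query you would expect to see in directory-server logs once the option is on.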