LDAP PIP
When you add or modify an LDAP policy information point (PIP), you configure a connection to an LDAP server. You also determine what information to use from the LDAP directory.
Connection properties
- Name
- Identifies the policy information point instance. This name must be unique to the instance. Do not use a predefined Advanced Access Control policy information point issuer name. The name that you create is the issuer for any attributes that the policy information point instance returns.
- Description
- Describes the policy information point. (Optional)
- Type
- Specifies the policy information point type, which is LDAP. (Read only)
- Server Connection
- Specifies the LDAP server from which to retrieve the attributes. Select one of the defined LDAP servers from the list. If the server you require is not available to select in the list, you must define it. See Managing server connections.
Attribute properties
- Base DN
- Specifies the base DN of the directory server that determines where to search for attribute values. For example, you can specify o=Example_Organization,c=us.
- Search filter
- Specifies the search filter for the attribute values you require. Any LDAP search filter is supported. For example, specify (|(objectclass=ePerson)(objectclass=Person)). You can also dynamically create the search by using attribute values in a search at runtime. The attribute that you use must match the name field of that attribute. For example, (&(cn={username})(|(objectclass=ePerson)(objectclass=Person))).
- Search timeout (seconds)
- Specifies the amount of time, in seconds, that is allowed for a search operation before the LDAP server is considered to be down. The default is 120 seconds.
- Attribute
- Specifies the attributes that are retrieved from a response and that can be used in a policy or risk score. Each attribute is mapped to an associated LDAP registry attribute. You can use one or more attributes, and you can add, modify, or delete attributes. The attributes that you add here must already be defined in the appliance local management interface. See Managing attributes for information on adding an attribute. Do not delete an attribute that is used in a policy or risk score.
- Selector
- Specifies the name of an LDAP registry attribute.
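The Search filter property substitutes runtime attribute values into placeholders such as {username}. The following added example (not part of this documentation or the product's own code) shows how such a substitution should be done so that the attribute value is treated as literal data: each value is escaped per RFC 4515 before it is placed into the filter, and a placeholder with no matching attribute is rejected. The template string and the sample attribute values are constructed for illustration.

```python
import re

# RFC 4515 escapes for the characters that carry meaning inside a filter.
_ESCAPES = {
    '\\': r'\5c',
    '*': r'\2a',
    '(': r'\28',
    ')': r'\29',
    '\x00': r'\00',
}

# Placeholder syntax used in the Search filter property, e.g. {username}.
_PLACEHOLDER = re.compile(r'\{([A-Za-z0-9_.-]+)\}')


def escape_filter_value(value: str) -> str:
    """Escape a value so it is interpreted as literal text, not filter syntax."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def render_search_filter(template: str, attributes: dict) -> str:
    """Replace each {name} placeholder with the escaped value of that attribute.

    Raises KeyError when a placeholder has no attribute of the same name,
    which mirrors the rule that the placeholder must match the attribute's
    name field.
    """
    def substitute(match):
        name = match.group(1)
        if name not in attributes:
            raise KeyError(f"no attribute named {name!r} for search filter")
        return escape_filter_value(str(attributes[name]))
    return _PLACEHOLDER.sub(substitute, template)


# Constructed template, taken from the Search filter example above.
TEMPLATE = "(&(cn={username})(|(objectclass=ePerson)(objectclass=Person)))"

if __name__ == "__main__":
    # Constructed sample values.
    print(render_search_filter(TEMPLATE, {"username": "jdoe"}))
    # A value containing filter metacharacters is rendered as escaped
    # literal text, so it cannot widen or restructure the search.
    print(render_search_filter(TEMPLATE, {"username": "*)(cn=*"}))
```

A value that reaches the filter unescaped could change the structure of the search; escaping keeps the filter exactly as configured with only the literal value filled in.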
Cache properties
- Cache size
- Specifies the maximum number of entries to keep in the cache.
- Cache entry lifetime
- Specifies the lifetime of cache entries, in seconds.