134 Dell Networking W-ClearPass Policy Manager 6.0 | User Guide
Table 61: AD/LDAP Default Filters Explained

Directory: Active Directory

- Authentication: This is the filter used for authentication. The query searches for entries whose objectClass is user, so it finds both user and machine accounts in Active Directory:
  (&(objectClass=user)(sAMAccountName=%{Authentication:Username}))
  When a request arrives, Policy Manager populates %{Authentication:Username} with the authenticating user or machine. This filter is also set up to fetch the following attributes based on this filter query:
  - dn (aliased to UserDN): This is an internal attribute that is populated with the user or machine record's Distinguished Name (DN).
  - department
  - title
  - company
  - memberOf: In Active Directory, this attribute is populated with the groups that the user or machine belongs to. This is a multi-valued attribute.
  - telephoneNumber
  - mail
  - displayName

- Group: This is the filter used for retrieving the names of the groups a user or machine belongs to.
  (distinguishedName=%{memberOf})
  This query fetches all group records where the distinguished name is a value returned by the memberOf variable. The values of the memberOf attribute are fetched by the first filter (Authentication) described above. The attribute fetched with this filter query is cn, which is the name of the group.

- Machine: This query fetches the machine record in Active Directory.
  (&(objectClass=computer)(sAMAccountName=%{Host:Name}$))
  %{Host:Name} is populated by Policy Manager with the name of the connecting host (if available). The dNSHostName, operatingSystem and operatingSystemServicePack attributes are fetched with this filter query.

- Onboard Device Owner: This is the filter for retrieving the name of the owner the onboarded device belongs to. This query finds the user in Active Directory.
  (&(sAMAccountName=%{Onboard:Owner})(objectClass=user))
  %{Onboard:Owner} is populated by Policy Manager with the name of the onboarded user.

- Onboard Device Owner Group: This filter is used for retrieving the name of the group the onboarded device owner belongs to.
  (distinguishedName=%{Onboard memberOf})
  This query fetches all group records where the distinguished name is a value returned by the Onboard memberOf variable. The attribute fetched with this filter query is cn, which is the name of the Onboard group.

Directory: Generic LDAP Directory

- Authentication: This is the filter used for authentication.
  (&(objectClass=*)(uid=%{Authentication:Username}))
  When a request arrives, Policy Manager populates %{Authentication:Username} with the authenticating user or machine. This filter is also set up to fetch the following attribute based on this filter query:
  - dn (aliased to UserDN): This is an internal attribute that is populated with the user record's Distinguished Name (DN).

- Group: This is the filter used for retrieving the names of the groups a user belongs to.
  (&(objectClass=groupOfNames)(member=%{UserDn}))
  This query fetches all group records (of objectClass groupOfNames) whose member field contains the DN of the user record (UserDN, which is populated after the Authentication filter query is executed). The attribute fetched with this filter query is cn, which is the name of the group (this is aliased to a more readable name: groupName).
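The following is an added example, not ClearPass code, showing how the filter templates in Table 61 expand once Policy Manager populates the %{...} variables, including one rendering of the multi-valued memberOf group lookup per group DN. The value escaping (RFC 4515) is this example's own assumption about how substituted values should be handled; the guide does not describe Policy Manager's escaping behaviour.

```python
import re

# Filter templates copied from Table 61 (ClearPass default filters).
AD_AUTH_FILTER = "(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))"
AD_GROUP_FILTER = "(distinguishedName=%{memberOf})"
AD_MACHINE_FILTER = "(&(objectClass=computer)(sAMAccountName=%{Host:Name}$))"
LDAP_GROUP_FILTER = "(&(objectClass=groupOfNames)(member=%{UserDn}))"

# RFC 4515 escapes for characters that are special inside a filter value.
# Assumption of this example: every substituted value is escaped this way, so a
# username containing '*', '(' or ')' is matched literally instead of
# changing the shape of the query.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

_PLACEHOLDER = re.compile(r"%\{([^}]+)\}")


def escape_filter_value(value: str) -> str:
    """Escape a single attribute value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, variables: dict) -> str:
    """Replace each %{Name} placeholder with the escaped value from `variables`.

    Raises KeyError when the request did not supply a referenced variable
    (for example %{Host:Name} when no host name was available).
    """
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"no value supplied for %{{{name}}}")
        return escape_filter_value(variables[name])
    return _PLACEHOLDER.sub(substitute, template)


def render_group_filters(template: str, placeholder: str, member_of: list) -> list:
    """memberOf is multi-valued: produce one group query per group DN."""
    return [render_filter(template, {placeholder: dn}) for dn in member_of]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    print(render_filter(AD_AUTH_FILTER, {"Authentication:Username": "jdoe"}))
    print(render_filter(AD_MACHINE_FILTER, {"Host:Name": "LAPTOP01"}))
    for f in render_group_filters(AD_GROUP_FILTER, "memberOf",
                                  ["CN=Staff,OU=Groups,DC=example,DC=com"]):
        print(f)
```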