HP Intelligent Management Center v5.1 TACACS+ Authentication Manager Administrator Guide

User Authorization Policy: Select an existing authorization policy, or CLI Access Not Supported,
from the list. If you select a specific authorization policy, the device users synchronized by this
policy are governed by that policy. If you select CLI Access Not Supported, the device users can
log in to the device but cannot execute any command. If you leave this field empty, the device
users use the authorization policy assigned to the device user group to which the user belongs.
If a device user and the device user group the user belongs to have different authorization
policies, the policy configured for the device user takes precedence. This parameter cannot be
synchronized from the LDAP server.
7. Click OK.
Modifying an LDAP synchronization policy
To modify an LDAP synchronization policy:
1. Click the Service tab.
2. Select TACACS+ AuthN Manager > LDAP Service > Sync Policies from the navigation tree.
The Sync Policy List displays all LDAP synchronization policies.
3. Click the Modify icon for the LDAP synchronization policy you want to modify.
The page for modifying the LDAP synchronization policy appears.
4. Modify basic information for the synchronization policy:
Policy Name: Enter the synchronization policy name, which must be unique in TAM.
Server Name: Select the LDAP server to which you want to assign the policy. Options include
all LDAP servers that have been configured in TAM.
Base DN: Cannot be modified.
Sub-Base DN: Enter the absolute DN of the subdirectory that stores user data on the LDAP
server. It must be the same as the base DN or lie beneath it in the base DN subtree. TAM
synchronizes the user data under the sub-base DN rather than under the whole base DN. DN
attribute names vary between LDAP servers. To get the correct sub-base DN, browse the
directory with a tool such as Softerra LDAP Administrator.
Filter Condition: Enter a filter to match the user data you want to synchronize to TAM. The most
basic filter takes the form (attribute=value), where the wildcard asterisk (*) in the value pattern
matches any character or character string. For example, the filter (cn=He*) matches any entry
that has a cn attribute value starting with He.
You can also use a complex filter in the form (operator(attribute1=value)(attribute2=value)) or
(operator(attribute1=value)(operator(attribute2=value))) for advanced filtering. The operator
can be & (AND), | (OR), or ! (NOT). For example, the filter (&(objectclass=a*)(!(cn=b*)))
makes TAM synchronize any entry that has an objectclass attribute value starting with a and a
cn attribute value not starting with b.
The default filter varies with the LDAP server type. If the server type is Microsoft AD, the default
filter is (&(objectclass=user)(sAMAccountName=*)). If the server type is General, the default
filter is (&(objectclass=*)(cn=*)). Note that the General default matches every entry under the
sub-base DN that has a cn attribute, whatever its object class, so narrow it to the object class
your directory uses for people if you do not want groups, computers or service objects created
as device users.
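The two fields above together decide which directory entries a policy pulls in: the sub-base DN sets the scope (and must itself sit inside the base DN), and the filter selects entries within that scope. The following Python script is an added example written for this guide, not HP IMC or TAM code, that simulates that selection offline so you can sanity-check a filter before running a sync. It implements the filter grammar the guide describes (a subset of RFC 4515: (attribute=value) items with * wildcards, combined with &, | and !), compares names and values case-insensitively as Active Directory does for the attributes in the default filters, and checks DN containment by comparing RDN lists from the right. The directory entries, DNs and attribute values are constructed sample data; the DN splitting ignores RFC 4514 escaping (a comma inside a value), which is a simplification.

```python
"""Simulate which LDAP entries a TAM LDAP sync policy would select.

Added example for this guide, not HP IMC/TAM code. The entries below are
constructed sample data, not taken from any real directory.
"""
import re


def parse_filter(text):
    """Parse an LDAP filter string into a tree of tuples.

    Leaves are ("=", attribute, pattern); branches are (op, [children])
    with op one of "&", "|", "!".  Only the subset the guide describes is
    supported (no <=, >=, ~=, or extensible matching)."""
    text = text.strip()
    node, end = _parse_node(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter: %r" % text[end:])
    return node


def _parse_node(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    op = s[i]
    if op in "&|!":                      # compound filter
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse_node(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        if not children:
            raise ValueError("'%s' needs at least one sub-filter" % op)
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one sub-filter")
        return (op, children), i + 1
    end = s.find(")", i)                 # simple item: attribute=value
    if end == -1:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError("filter item must be attribute=value: %r" % s[i:end])
    return ("=", attr.lower(), value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict of lowercased
    attribute name -> list of string values)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    if pattern == "*":                   # presence test, e.g. (sAMAccountName=*)
        return bool(values)
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return any(re.match(regex, v, re.IGNORECASE) for v in values)


def _dn_components(dn):
    # Simplification: does not handle RFC 4514 escaped commas.
    return [c.strip().lower() for c in dn.split(",")]


def under_base_dn(dn, base_dn):
    """True if dn equals base_dn or lies beneath it (RDNs compared from the
    right, so 'dc=corp,dc=example,dc=net' is NOT under 'dc=corp,dc=example')."""
    sub, base = _dn_components(dn), _dn_components(base_dn)
    return len(sub) >= len(base) and sub[len(sub) - len(base):] == base


def select_sync_candidates(entries, base_dn, sub_base_dn, filter_text):
    """Return the DNs the policy would synchronize: entries under the
    sub-base DN that match the filter.  Rejects a sub-base DN outside the
    base DN, as the guide requires."""
    if not under_base_dn(sub_base_dn, base_dn):
        raise ValueError("sub-base DN must be equal to or beneath the base DN")
    node = parse_filter(filter_text)
    selected = []
    for dn, attrs in entries:
        if not under_base_dn(dn, sub_base_dn):
            continue                     # outside the policy's scope
        if matches(node, {k.lower(): v for k, v in attrs.items()}):
            selected.append(dn)
    return selected


# Constructed sample directory (hypothetical names and DNs).
SAMPLE_ENTRIES = [
    ("cn=Helen Park,ou=NetOps,dc=corp,dc=example",
     {"objectClass": ["top", "person", "user"], "cn": ["Helen Park"], "sAMAccountName": ["hpark"]}),
    ("cn=Bob Li,ou=NetOps,dc=corp,dc=example",
     {"objectClass": ["top", "person", "user"], "cn": ["Bob Li"], "sAMAccountName": ["bli"]}),
    ("cn=svc-backup,ou=NetOps,dc=corp,dc=example",
     {"objectClass": ["top", "user"], "cn": ["svc-backup"]}),          # no sAMAccountName
    ("cn=Hector Ruiz,ou=Finance,dc=corp,dc=example",
     {"objectClass": ["top", "person", "user"], "cn": ["Hector Ruiz"], "sAMAccountName": ["hruiz"]}),
    ("cn=NetOps Admins,ou=NetOps,dc=corp,dc=example",
     {"objectClass": ["top", "group"], "cn": ["NetOps Admins"]}),
]

if __name__ == "__main__":
    base, sub = "dc=corp,dc=example", "ou=NetOps,dc=corp,dc=example"
    for flt in ["(&(objectclass=user)(sAMAccountName=*))", "(cn=He*)", "(&(objectclass=u*)(!(cn=b*)))"]:
        print(flt, "->", select_sync_candidates(SAMPLE_ENTRIES, base, sub, flt))
```

Run it and compare the printed DN lists with what you expect the policy to create as device users; with the AD default filter the service account without a sAMAccountName and the group entry drop out, while a user outside the sub-base DN (ou=Finance here) is never considered regardless of the filter.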
Sync Options - Auto synchronization: Select this option to execute the policy every day and
synchronize all matching users to TAM. The automatic execution time is set by the system
parameter LDAP Synchronization Time. For more information about configuring system
parameters, see "Configuring system parameters."
Sync Options - On-Demand Sync: Select this option to have TAM synchronize a new
policy-matching user from the LDAP server only after the user passes authentication. This option