
security-group-filter

Function

The security-group-filter command configures the filtering conditions for importing security groups from an authentication server.

The undo security-group-filter command restores the default filtering conditions.

Format

security-group-filter security-group-filter

undo security-group-filter

Parameters

Parameter: security-group-filter
Description: Specifies the filtering condition of a security group.
Value: The parameter is a regular expression. If the filtering condition does not contain any space, its length ranges from 1 to 256. If the filtering condition contains spaces, its length ranges from 3 to 258, and you must enclose the parameter in double quotation marks (") and ensure that the filtering condition does not start or end with a space. The default value is recommended.

Views

Server import policy view

Default Level

2: Configuration level

Usage Guidelines

The device supports security group import from AD servers, AD LDAP servers, and Sun ONE LDAP servers, but not from Open LDAP servers or IBM Tivoli LDAP servers. The server searches for security groups based on the filtering condition. The security groups that match the filtering condition are imported to the device.

The default filtering condition for importing security groups from an AD or AD LDAP server is (&(objectclass=group)(|(grouptype=-2147483640)(grouptype=-2147483644)(grouptype=-2147483646))). Only the local domain security groups, global security groups, and general security groups on the AD or AD LDAP server are imported. The default filtering condition for importing security groups from a Sun ONE LDAP server is (&(objectclass=groupofuniquenames)(!(memberURL=*))). Only the static groups on the Sun ONE LDAP server are imported. You are advised to keep the default values.

When importing security groups from the Sun ONE LDAP server, the device imports the dynamic security groups by default. Therefore, the dynamic security groups should be excluded from the default filtering conditions to prevent repeated import.
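A custom filter can be checked offline before it is typed into the import policy. The following Python sketch is an added example, not Huawei code: it applies the length and quoting rules from the Parameters section, checks that parentheses balance, and decodes each grouptype value so that a filter that would also import non-security (distribution) groups is flagged. The function names and sample filters are hypothetical, the 3 to 258 range is assumed to count the enclosing quotation marks, and scopes are printed with AD's own names (the page's "general" groups are AD's universal groups).

```python
import re

# AD groupType flag bits (values documented by Microsoft).
SECURITY_ENABLED = 0x80000000
SCOPES = {0x2: "global", 0x4: "domain local", 0x8: "universal"}

def decode_grouptype(value):
    """Map a signed 32-bit groupType to (scope, is_security_group)."""
    bits = value & 0xFFFFFFFF  # two's-complement view of the signed value
    scope = next((n for b, n in SCOPES.items() if bits & b), "unknown")
    return scope, bool(bits & SECURITY_ENABLED)

def check_filter(arg):
    """Check the argument as typed; return (problems, decoded groupTypes)."""
    problems, body = [], arg
    if " " in arg:
        # Assumption: the 3-258 range counts the two enclosing quotes.
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            body = arg[1:-1]
        else:
            problems.append("filter with spaces must be double-quoted")
        if body != body.strip(" "):
            problems.append("filter must not start or end with a space")
        if not 3 <= len(arg) <= 258:
            problems.append("length must be 3-258 with spaces")
    elif not 1 <= len(arg) <= 256:
        problems.append("length must be 1-256 without spaces")
    depth = 0
    for ch in body:  # literal parentheses are always structural in a filter
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            break
    if depth != 0:
        problems.append("unbalanced parentheses")
    found = re.findall(r"\(grouptype=(-?\d+)\)", body, re.IGNORECASE)
    groups = [decode_grouptype(int(v)) for v in found]
    problems += [f"grouptype matches {s} distribution groups"
                 for s, sec in groups if not sec]
    return problems, groups

# Default AD filter from the page, then constructed test inputs.
DEFAULT_AD = ("(&(objectclass=group)(|(grouptype=-2147483640)"
              "(grouptype=-2147483644)(grouptype=-2147483646)))")
SAMPLES = [DEFAULT_AD, "(&(objectclass=group)(grouptype=8))",
           "(cn=Net Admins)", '"(cn=Net Admins)"', "(&(objectclass=group)"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_filter(s))
```
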

Example

# Set the filtering condition of a security group to (&(objectclass=groupofurls)(memberURL=*)). Only the dynamic groups on the Sun ONE LDAP server are imported.

<sysname> system-view
[sysname] user-manage import-policy policy1 from ldap
[sysname-import-policy1] security-group-filter (&(objectclass=groupofurls)(memberURL=*))
Copyright © Huawei Technologies Co., Ltd.