
ldap-server authentication-filter

Function

The ldap-server authentication-filter command configures filtering parameters for the LDAP authentication server.

The undo ldap-server authentication-filter command restores the filtering parameter to the default value, that is, all users are allowed to be authenticated.

By default, the filtering parameter is set to objectclass=*, which indicates that all users are allowed to be authenticated.

Format

ldap-server authentication-filter authentication-filter-name

undo ldap-server authentication-filter

Parameters

Parameter: authentication-filter-name
Description: Specifies the filtering parameter of the LDAP server.
Value: The value is a string of 1 to 256 characters. If the string contains spaces, it must be enclosed in double quotation marks ("").

Views

LDAP server template view

Default Level

3: Management level

Usage Guidelines

This parameter is required if only the users who match the filtering parameter are to be authenticated. After it is specified, only users who match the filtering parameter can be authenticated.

The value of the filtering parameter is specified based on the actual organizational structure on the server.

For an AD LDAP server, assume the server domain name is test1.com and ou=users contains two security groups, a and b:
  • To allow all users in security group a to be authenticated, set the filtering parameter to (memberof=cn=a,ou=users,dc=test1,dc=com).
  • To allow all users in security group a or b to be authenticated, set the filtering parameter to (|(memberof=cn=a,ou=users,dc=test1,dc=com)(memberof=cn=b,ou=users,dc=test1,dc=com)).
  • To allow the users who belong to both security groups a and b to be authenticated, set the filtering parameter to (&(memberof=cn=a,ou=users,dc=test1,dc=com)(memberof=cn=b,ou=users,dc=test1,dc=com)).
For a Sun ONE LDAP server, assume there are two users with the email addresses user-1@huawei.com and user-2@huawei.com:
  • If you want the user with the email address user-1@huawei.com to be authenticated, set the value of the authentication filtering parameter to (mail=user-1@huawei.com).
  • If you want the user with the email address user-1@huawei.com or user-2@huawei.com to be authenticated, set the value of the authentication filtering parameter to (|(mail=user-1@huawei.com)(mail=user-2@huawei.com)).
For an OpenLDAP server, assume the server domain name is test2.com, user u1 belongs to ou=users1, and user u2 belongs to ou=users2:
  • To allow only user u1 to be authenticated, set the filtering parameter to (cn=cn=u1,ou=users1,dc=test2,dc=com).
  • To allow only users u1 and u2 to be authenticated, set the filtering parameter to (|(cn=cn=u1,ou=users1,dc=test2,dc=com)(cn=cn=u2,ou=users2,dc=test2,dc=com)).
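The following is an added example, not part of this manual page or of the device software: a small RFC 4515 filter evaluator that applies the AD filters shown above (and the default objectclass=*) to a constructed set of directory entries, so you can see before deployment exactly which users a given authentication-filter-name would let through. The user names and group memberships are assumptions; the filter strings are the ones on this page.

```python
# Constructed sample entries (not from the page): attribute name -> values, the
# shape of an LDAP search result after the server resolves group membership.
GROUP_A, GROUP_B = "cn=a,ou=users,dc=test1,dc=com", "cn=b,ou=users,dc=test1,dc=com"
ENTRIES = {
    "alice": {"objectclass": ["user"], "memberof": [GROUP_A]},
    "bob":   {"objectclass": ["user"], "memberof": [GROUP_B]},
    "carol": {"objectclass": ["user"], "memberof": [GROUP_A, GROUP_B]},
    "dave":  {"objectclass": ["user"]},  # member of no security group
}

def parse(f, i=0):
    """Parse one RFC 4515 filter starting at f[i]; return (tree, index after it)."""
    if i >= len(f) or f[i] != "(": raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(f): raise ValueError("truncated filter")
    if f[i] in "&|":                       # AND / OR over one or more sub-filters
        op, kids = f[i], []
        i += 1
        while i < len(f) and f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if not kids or i >= len(f) or f[i] != ")":
            raise ValueError(f"malformed {op} list at offset {i}")
        return (op, kids), i + 1
    end = f.find(")", i)                   # simple item: attr=value
    if end < 0: raise ValueError("unclosed filter item")
    # split on the FIRST '=' only: values such as memberof=cn=a,ou=users,...
    # contain '=' themselves and must be kept intact
    attr, sep, value = f[i:end].partition("=")
    if not sep or not attr.strip(): raise ValueError(f"bad filter item {f[i:end]!r}")
    return ("=", attr.strip().lower(), value), end + 1

def matches(tree, entry):
    """Evaluate a parsed filter against one entry (NOT is omitted; the page never uses it)."""
    op = tree[0]
    if op == "&": return all(matches(k, entry) for k in tree[1])
    if op == "|": return any(matches(k, entry) for k in tree[1])
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":                       # presence test, e.g. the default objectclass=*
        return bool(values)
    return any(v.lower() == value.lower() for v in values)  # case-insensitive equality (simplified)

def allowed_users(filter_str, entries=ENTRIES):
    """Return the sorted names of the users the authentication filter lets through."""
    if not filter_str.startswith("("):     # the page writes the default as bare objectclass=*
        filter_str = f"({filter_str})"
    tree, end = parse(filter_str)
    if end != len(filter_str): raise ValueError("trailing characters after filter")
    return sorted(name for name, entry in entries.items() if matches(tree, entry))
```

Running allowed_users() with the three AD filters from the list above returns alice and carol for group a, alice, bob and carol for a or b, and only carol for a and b, which matches the intent stated for each filter.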

Example

# The domain name of the AD LDAP server is test.com, and ou=users has two security groups: a and b. Allow all users in security group a to be authenticated.

<sysname> system-view
[sysname] ldap-server template temp1
[sysname-ldap-temp1] ldap-server authentication-filter (memberof=cn=a,ou=users,dc=test,dc=com)
Copyright © Huawei Technologies Co., Ltd.