User Guide

OmniAccess SafeGuard OS Administration Guide
281
Chapter 6: Configuring Authentication and Role Derivation
(SafeGuardOS) (config) #
In this example, the role name is taken from the value of the Active Directory department attribute, provided that the entry is listed on the AD server and the domain name contains "corp".
(SafeGuardOS) (config) # aaa rule-map others
(SafeGuardOS) (rulemap) # description "the remainder of the company"
(SafeGuardOS) (rulemap) # operation and
(SafeGuardOS) (rulemap) # match ad.department exists
(SafeGuardOS) (rulemap) # match ad.domainName contains corp
(SafeGuardOS) (rulemap) # set system.roleName value-of ad.department
(SafeGuardOS) (rulemap) # end
(SafeGuardOS) (config) #
Configuring the Rule Map Attributes
The match statement describes what constitutes a match against the rule map. All match
attributes are string values that are identified in the system by an attribute class and an
attribute name. The notation for attributes is class.name (for example, ad.department).
NOTE: Match statements are not case sensitive.
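The following Python model shows how the "others" rule map above behaves against a few constructed authentication events. It is an added illustration, not SafeGuard OS code: the operators modelled (exists, contains), case-insensitive comparison of both attribute names and values, the meaning of operation and/or, and the assumption that the first matching rule map wins are all taken from the example and the surrounding text rather than from the product's internals.

```python
# Added illustration of rule-map evaluation, modelled on the CLI example above.
# Not SafeGuard OS code; first-match-wins ordering and the two operators
# (exists, contains) are assumptions drawn from the example in the guide.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RuleMap:
    name: str
    operation: str = "and"                          # "and" or "or"
    # (attribute, operator, value); value is None for "exists"
    matches: List[Tuple[str, str, Optional[str]]] = field(default_factory=list)
    # (target attribute, source attribute) for "set <target> value-of <source>"
    sets: List[Tuple[str, str]] = field(default_factory=list)


def _lookup(attrs: Dict[str, str]) -> Dict[str, str]:
    # Attribute names (class.name) are compared case-insensitively.
    return {k.lower(): v for k, v in attrs.items()}


def clause_holds(attrs: Dict[str, str], attr: str, op: str,
                 value: Optional[str] = None) -> bool:
    """Evaluate one 'match <attr> <op> [value]' clause."""
    table = _lookup(attrs)
    key = attr.lower()
    if op == "exists":
        return key in table
    if key not in table:
        return False                 # a missing attribute never satisfies contains
    if op == "contains":
        return (value or "").lower() in table[key].lower()
    raise ValueError(f"unsupported match operator: {op}")


def rule_map_matches(rule: RuleMap, attrs: Dict[str, str]) -> bool:
    """Combine the clause results according to 'operation and' / 'operation or'."""
    results = [clause_holds(attrs, a, o, v) for a, o, v in rule.matches]
    if rule.operation == "and":
        return all(results)
    if rule.operation == "or":
        return any(results)
    raise ValueError(f"unsupported operation: {rule.operation}")


def derive_role(rules: List[RuleMap], attrs: Dict[str, str]) -> Dict[str, str]:
    """Return the attributes set by the first rule map that matches, else {}."""
    for rule in rules:
        if rule_map_matches(rule, attrs):
            table = _lookup(attrs)
            return {target: table[source.lower()]
                    for target, source in rule.sets if source.lower() in table}
    return {}


# The "others" rule map from the CLI example, expressed as data.
OTHERS = RuleMap(
    name="others",
    operation="and",
    matches=[("ad.department", "exists", None),
             ("ad.domainName", "contains", "corp")],
    sets=[("system.roleName", "ad.department")],
)

# Constructed authentication events (sample data, not captured from a device).
IN_CORP = {"ad.department": "Engineering", "ad.domainName": "CORP.example.com"}
NO_DEPT = {"ad.domainName": "corp.example.com"}
OTHER_DOMAIN = {"ad.department": "Engineering", "ad.domainName": "lab.example.com"}

if __name__ == "__main__":
    for label, event in [("in corp", IN_CORP), ("no department", NO_DEPT),
                         ("other domain", OTHER_DOMAIN)]:
        print(f"{label:15} -> {derive_role([OTHERS], event)}")
```

Running the block shows that only the event with both a department and a "corp" domain receives a role; the other two fall through, which is why a catch-all rule map such as "others" needs the exists guard before value-of is used.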
Table 21 Match Attributes When Creating a Rule

Attribute Area      Description
System Attributes   System attributes are common system attributes that are available
                    for every authentication event.
DHCP Attributes     DHCP attributes are learned from the DHCP protocol exchange.
AD Attributes       AD attributes are derived from an external LDAP server. Some
                    attributes contain multiple values, such as ad.memberOf.
                    Attributes with multiple values are separated by commas.
                    For more details, see Configuring Active Directory Servers on
                    page 255.
                    Note: The Distinguished Name (DN) is presented in AD canonical
                    format. For example, "cn=John Smith,cn=Users,dc=Auth,dc=dev"
                    would be translated to "auth.dev/Users/John Smith".
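The DN translation described in the note above, worked through in Python as an added example (not SafeGuard OS code). The conversion rules are inferred from the single example in the table: the dc= components, read left to right, are joined with dots and lower-cased to form the domain, and the remaining RDNs are reversed into a slash-separated path from the root down. Handling of backslash-escaped characters in RDN values is an assumption added so that a common name containing a comma does not break the split.

```python
# Added illustration of LDAP DN to AD canonical name conversion, inferred from the
# guide's example "cn=John Smith,cn=Users,dc=Auth,dc=dev" -> "auth.dev/Users/John Smith".
# Not product code; escape handling and domain lower-casing are assumptions.
from typing import List, Tuple


def split_rdns(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, splitting only on unescaped commas."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])        # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    rdns: List[Tuple[str, str]] = []
    for part in parts:
        typ, sep, val = part.strip().partition("=")
        if not sep or not typ.strip() or not val.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((typ.strip(), val.strip()))
    return rdns


def dn_to_canonical(dn: str) -> str:
    """Render a DN in AD canonical form: domain/container/.../leaf."""
    rdns = split_rdns(dn)
    dc_parts = [v for t, v in rdns if t.lower() == "dc"]
    path_parts = [v for t, v in rdns if t.lower() != "dc"]
    if not dc_parts:
        raise ValueError("DN has no dc= components, cannot form a domain")
    domain = ".".join(dc_parts).lower()   # "Auth","dev" -> "auth.dev"
    # LDAP lists the leaf first; canonical form lists the root first.
    return "/".join([domain] + list(reversed(path_parts)))


# Constructed sample DNs: the guide's example and one with an escaped comma
# and two OU levels.
SAMPLE_DNS = [
    "cn=John Smith,cn=Users,dc=Auth,dc=dev",
    r"CN=Smith\, John,OU=Engineering,OU=Staff,DC=corp,DC=example,DC=com",
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(f"{dn}\n  -> {dn_to_canonical(dn)}")
```

Because a canonical name can itself contain a comma (as the second sample shows), a multi-valued attribute such as ad.memberOf should be split with the same care rather than with a plain comma split when it is processed outside the device.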