User guide

CHAPTER 4: ADMINISTRATIVE FUNCTIONS 57
Returning User Group Information via LDAP
When an LDAP authentication attempt succeeds, Dominion KX determines the permissions for a given
user based on the permissions of the user’s group. Your remote LDAP server can provide these user group
names by returning an attribute named as follows:
rciusergroup attribute type: string
This may require a schema extension on your LDAP server. Please consult your authentication server
administrator to enable this attribute.
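The check below is an added example, not part of the original guide or of the Dominion KX software. It audits an LDIF export of user entries and reports any entry that lacks the rciusergroup attribute or carries a value that does not match a group defined on the device. The sample entries, the DNs, the group names in DEVICE_GROUPS and the exact-match comparison are all assumptions made for illustration.

```python
import base64

# Constructed LDIF export (sample data, not from the guide).
SAMPLE_LDIF = """\
dn: cn=alice,ou=people,dc=example,dc=com
rciusergroup: Admin

dn: cn=bob,ou=people,dc=example,dc=com

dn: cn=carol,ou=people,dc=example,dc=com
rciusergroup:: T3BlcmF0b3Jz

dn: cn=dave,ou=people,dc=example,dc=com
rciusergroup: Operatrs
"""

# Assumption: the group names configured on the device, matched exactly.
DEVICE_GROUPS = {"Admin", "Operators"}

def parse_ldif(text):
    """Yield (dn, {attribute: [values]}) per entry; handles folding and base64."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold long lines
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if line.startswith("#"):  # LDIF comment line
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn:  # skips blocks without a dn, such as "version: 1"
            yield dn, attrs

def audit(text, device_groups):
    """Map each DN to a finding when rciusergroup is absent or unrecognised."""
    findings = {}
    for dn, attrs in parse_ldif(text):
        groups = attrs.get("rciusergroup", [])
        if not groups:
            findings[dn] = "missing rciusergroup"
        elif any(g not in device_groups for g in groups):
            findings[dn] = "unknown group: " + ", ".join(groups)
    return findings
```

Running audit(SAMPLE_LDIF, DEVICE_GROUPS) before enabling LDAP authentication shows which accounts would authenticate without a usable group assignment.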
Returning User Group Information from Microsoft Active Directory
Returning user group information from Microsoft’s Active Directory for Windows 2000 Server requires
updating the LDAP schema. This should be attempted only by an experienced Active Directory
administrator. Please refer to your Microsoft documentation for more detail.
To Begin
1. Install the schema plug-in for Active Directory. Please refer to Microsoft Active Directory
documentation for instructions.
2. Run Active Directory Console and select Directory Schema.
Setting the Registry to Permit Write Operations to the Schema
To allow a domain controller to write to the schema, you must set a registry entry that permits schema
updates.
Setting the Registry Key
1. Right-click the Active Directory Schema root node in the left pane of the window, and then click
Operations Master.
2. Click the check box before The Schema may be modified on this Domain Controller.
3. Click [OK].
Creating a New Attribute
To create new attributes for the rciusergroup class:
1. Click the [+] symbol before Active Directory Schema in the left pane of the window.
2. Right-click Attributes in the left pane.
3. Click New, and then select Attribute. When the warning message appears, click [Continue] and the
Create New Attribute window appears.
Figure 56 Creating a New Attribute