Manual Chapter : About AD Query
Applies To:Show Versions
- 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
About AD Query
An AD Query action performs a query against an AAA Active Directory server. An AD Query action provides these configuration elements and options:
- Specifies Query, the type of this Active Directory action.
- Specifies an Active Directory server; servers are defined in thearea of the Configuration utility.
- Specifies the search criteria to use when querying the Active Directory server for the user's information. Session variables are supported as part of the search query string.
- Fetch Primary Group
- Specifies whether to retrieve a user's primary group Distinguished Name for use in the access policy.
- Cross Domain Support
- Specifies whether AD cross domain authentication support is enabled for this action.
- Fetch Nested Groups
- When disabled, associates the user only to the groups to which they belong directly. When enabled, associates the user to all groups that are nested under the groups that they directly belong to. For example, if the user belongs to Group 1 and Group 2, and Group1 is a member of Group 3 and Group 4, enabling this setting allows the user to obtain privileges from all groups.
- Complexity check for Password Reset
- Specifies whether Access Policy Manager (APM) performs a password policy check. APM supports these Active Directory password policies:
Because this option might require administrative privileges, the administrator name and password might be required on the AAA Active Directory server configuration page.Enabling this option increases overall authentication traffic significantly because APM must retrieve password policies using LDAP protocol and must retrieve user information during the authentication process to properly check the new password.
- Maximum password age
- Minimum password age
- Minimum password length
- Password must meet complexity requirements
- Show Extended Error
- When enabled, causes comprehensive error messages generated by the authentication server to display on the user's logon page. This setting is intended only for use in testing, in a production or debugging environment. If enabled in a live environment, your system might be vulnerable to malicious attacks. (When disabled, displays non-comprehensive error messages generated by the authentication server on the user's logon page.)
- Max Password Reset Attempts Allowed
- Specifies the number of times that APM allows the user to try to reset password.
- Prompt user to change password before expiration
- Specifies whether to warn the user at a set time before the password expires and provide the option to change the password.
- Required Attributes (optional)
- By default, the server loads all user attributes if no required attributes are specified. However, system performance can improve if fewer attributes are returned. Click theAdd New Entrybutton to add a new attribute to the Active Directory query action.