Manual Chapter : About AD Query

Applies To:

Show Versions Show Versions


  • 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Manual Chapter

About AD Query

An AD Query action performs a query against an AAA Active Directory server. An AD Query action provides these configuration elements and options:
Specifies Query, the type of this Active Directory action.
Specifies an Active Directory server; servers are defined in the
area of the Configuration utility.
Specifies the search criteria to use when querying the Active Directory server for the user's information. Session variables are supported as part of the search query string.
Fetch Primary Group
Specifies whether to retrieve a user's primary group Distinguished Name for use in the access policy.
Cross Domain Support
Specifies whether AD cross domain authentication support is enabled for this action.
Fetch Nested Groups
When disabled, associates the user only to the groups to which they belong directly. When enabled, associates the user to all groups that are nested under the groups that they directly belong to. For example, if the user belongs to Group 1 and Group 2, and Group1 is a member of Group 3 and Group 4, enabling this setting allows the user to obtain privileges from all groups.
Complexity check for Password Reset
Specifies whether Access Policy Manager (APM) performs a password policy check. APM supports these Active Directory password policies:
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Password must meet complexity requirements
APM must retrieve all related password policies from the domain to make the appropriate checks on the new password.
Because this option might require administrative privileges, the administrator name and password might be required on the AAA Active Directory server configuration page.
Enabling this option increases overall authentication traffic significantly because APM must retrieve password policies using LDAP protocol and must retrieve user information during the authentication process to properly check the new password.
Show Extended Error
When enabled, causes comprehensive error messages generated by the authentication server to display on the user's logon page. This setting is intended only for use in testing, in a production or debugging environment. If enabled in a live environment, your system might be vulnerable to malicious attacks. (When disabled, displays non-comprehensive error messages generated by the authentication server on the user's logon page.)
Max Password Reset Attempts Allowed
Specifies the number of times that APM allows the user to try to reset password.
Prompt user to change password before expiration
Specifies whether to warn the user at a set time before the password expires and provide the option to change the password.
Required Attributes (optional)
By default, the server loads all user attributes if no required attributes are specified. However, system performance can improve if fewer attributes are returned. Click the
Add New Entry
button to add a new attribute to the Active Directory query action.