Assigning Roles and AORs to Users on the LDAP Server
If you use the LDAP server for authorization without groups, you must assign the roles and areas of responsibility (AORs) to each user on the LDAP server.
The users must already be added to the Active Directory (AD) on the LDAP server.
The NmRoles and NmAors attributes must already be defined in the AD.
Note: If you have more than just a few users, it is recommended that you perform authorization using LDAP groups. If you use groups, you do not need to perform this task, but you do need to have the groups created on the LDAP server. On SANnav, you must upload the groups and assign roles and AORs to the groups.
It is recommended that you back up your AD before performing the following steps.
1. On the LDAP server, open ADSI Edit.
a. Select Start > Run.
b. Type adsiedit.msc and press Enter.
2. Expand the ADSI Edit tree and the CN=Users directory.
3. Add the roles and AORs for each user.
a. Right-click CN=user-name and select Properties.
b. Select NmRoles in the Attributes list and click Edit.
c. Enter a comma-separated list of roles in the Value field and click OK.
Note: The role names must exactly match the roles defined in the SANnav local database.
d. Select NmAors in the Attributes list and click Edit.
e. Enter a comma-separated list of AORs in the Value field and click OK.
Note: The AOR names must exactly match the AORs defined in the SANnav local database.
For example, the following assigns the Security Administrator and Switch Maintenance roles to the selected user. The Switch Maintenance role is a custom role. All roles must be defined in the local SANnav database.
4. Close the ADSI Edit dialog box.
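The same assignment can be scripted instead of clicked through in ADSI Edit. The following is an added example, not part of the SANnav documentation: it assumes the ActiveDirectory PowerShell module (RSAT) is available on the LDAP server, that the NmRoles and NmAors attributes already exist in the AD schema as the procedure requires, and that the role list, AOR names and the user name `jdoe` are constructed placeholders for the values in your SANnav local database.

```powershell
# Added example (not from the SANnav documentation): assign NmRoles/NmAors to an
# AD user with PowerShell instead of editing each attribute in ADSI Edit.
# Assumes the ActiveDirectory module (RSAT) is installed and that the NmRoles
# and NmAors attributes already exist in the AD schema.
Import-Module ActiveDirectory

# Constructed lists standing in for the roles and AORs defined in the SANnav
# local database. Names written to AD must match these exactly.
$SannavRoles = @('Security Administrator', 'Switch Maintenance', 'SAN System Administrator')
$SannavAors  = @('Fabric-A', 'Fabric-B')   # constructed AOR names

function Set-SannavAuthorization {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $Roles,
        [Parameter(Mandatory)] [string[]] $Aors
    )

    # Refuse to write any name the SANnav database would not recognise;
    # the comparison is case-sensitive because the names must match exactly.
    $badRoles = $Roles | Where-Object { $_ -cnotin $SannavRoles }
    $badAors  = $Aors  | Where-Object { $_ -cnotin $SannavAors }
    if ($badRoles -or $badAors) {
        throw "Unknown role(s): $($badRoles -join ', ') / unknown AOR(s): $($badAors -join ', ')"
    }

    # Each attribute holds one comma-separated string, as in the Value field.
    Set-ADUser -Identity $SamAccountName -Replace @{
        NmRoles = ($Roles -join ',')
        NmAors  = ($Aors  -join ',')
    }

    # Read the values back so the change can be verified before SANnav uses it.
    Get-ADUser -Identity $SamAccountName -Properties NmRoles, NmAors |
        Select-Object SamAccountName, NmRoles, NmAors
}

# Same assignment as the example in step 3: Security Administrator plus the
# custom Switch Maintenance role. 'jdoe' and 'Fabric-A' are constructed values.
Set-SannavAuthorization -SamAccountName 'jdoe' `
    -Roles 'Security Administrator', 'Switch Maintenance' `
    -Aors  'Fabric-A'
```

Run it from a session with rights to modify the user object, after the AD backup the procedure recommends; the returned object shows the attribute values exactly as SANnav will read them.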