Users Configuration

Example of LDAP Users and Attributes

If a user is manually added to an LDAP group, then the user setting will take precedence over LDAP attributes.

For example, an LDAP attribute objectClass="Person" is defined for group Group1 and an LDAP attribute memberOf="CN=WINS Users,DC=sonicwall,DC=net" is defined for Group2.

If user Jane is defined by an LDAP server as a member of the Person object class, but is not a member of the WINS Users group, Jane will be a member of SRA appliance Group1.

But if the administrator manually adds the user Jane to SRA appliance Group2, then the LDAP attributes will be ignored and Jane will be a member of Group2.

Sample LDAP Attributes

You may enter up to four LDAP attributes per group. The following are some example LDAP attributes of Active Directory LDAP users:

name="Administrator"
memberOf="CN=Terminal Server Computers,CN=Users,DC=sonicwall,DC=net"
objectClass="user"
msNPAllowDialin="FALSE"

Querying an LDAP Server

If you would like to query your LDAP or Active Directory server to find out the LDAP attributes of your users, there are several different methods.
From a machine with LDAP search tools (for example, a Linux machine with OpenLDAP installed), run the following command:

ldapsearch -h 10.0.0.5 -x -D "cn=demo,cn=users,dc=sonicwall,dc=net" -w demo123 -b "dc=sonicwall,dc=net" > /tmp/file

Where:
• 10.0.0.5 is the IP address of the LDAP or Active Directory server
• cn=demo,cn=users,dc=sonicwall,dc=net is the distinguished name of an LDAP user
• demo123 is the password for the user demo
• dc=sonicwall,dc=net is the base domain that you are querying
• > /tmp/file is optional and defines the file where the LDAP query results will be saved.

For instructions on querying an LDAP server from a Windows server, refer to:
• www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_adsrh_what.asp
• http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_adsrh_how.asp?frame=true

Group Configuration for Active Directory, NT and RADIUS Domains

For authentication to RADIUS, Microsoft NT domain or Active Directory servers (using Kerberos), you can individually define AAA users and groups. This is not required, but it enables you to create separate policies or bookmarks for individual AAA users.
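
Returning to the ldapsearch query under Querying an LDAP Server: the saved output is LDIF, in which long values such as memberOf are folded onto continuation lines, so they must be unfolded before being copied into a group definition. The shell function below is an added example, not part of the original guide; the sample entries, the function names sample_ldif and ldif_attrs, and selecting the user by the name attribute are assumptions made for illustration.

```shell
# Added example, not from the guide: print one user's attributes from saved
# ldapsearch LDIF output in the name="value" form used for group attributes.

# Constructed sample LDIF. The memberOf value is folded: its continuation line
# starts with one space, which is how ldapsearch wraps long lines.
sample_ldif() {
  printf '%s\n' \
    'dn: CN=Jane,CN=Users,DC=sonicwall,DC=net' \
    'objectClass: person' \
    'objectClass: user' \
    'name: Jane' \
    'memberOf: CN=Terminal Server Computers,CN=Users,DC=sonicwall,DC=n' \
    ' et' \
    'msNPAllowDialin: FALSE' \
    '' \
    'dn: CN=demo,CN=Users,DC=sonicwall,DC=net' \
    'objectClass: user' \
    'name: demo'
}

# ldif_attrs NAME: LDIF on stdin, attr="value" lines for the entry named NAME.
ldif_attrs() {
  awk -v want="$1" '
    function flush_line() { if (cur != "") lines[++n] = cur; cur = "" }
    function flush_entry(   i, p, a, hit) {
      flush_line()
      for (i = 1; i <= n; i++)
        if (tolower(lines[i]) == "name: " tolower(want)) hit = 1
      for (i = 1; hit && i <= n; i++) {
        p = index(lines[i], ": ")
        if (p == 0 || lines[i] ~ /^dn:/) continue
        a = substr(lines[i], 1, p - 1)
        if (a ~ /:$/) a = substr(a, 1, length(a) - 1) "(base64)"  # attr:: value
        printf "%s=\"%s\"\n", a, substr(lines[i], p + 2)
      }
      n = 0
    }
    /^#/ { next }                              # ldapsearch comment lines
    /^ / { cur = cur substr($0, 2); next }     # unfold a continuation line
    /^$/ { flush_entry(); next }               # blank line ends an entry
    { flush_line(); cur = $0 }
    END { flush_entry() }
  '
}

sample_ldif | ldif_attrs Jane
```

When capturing real output, the OpenLDAP options -W (prompt for the password) or -y (read it from a file) keep the bind password out of the process list and shell history, unlike -w. Setting a restrictive umask before redirecting keeps a results file under /tmp from being readable by other local users.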