Cisco System Model: Classaaa:LdapGroupRule

Overview

Containers

Contained

Inheritance

Events

Faults

FSMs

Properties Summary

Properties Detail

Naming

Class aaa:LdapGroupRule (CONCRETE)

Class ID:1010
Encrypted: false - Exportable: true - Persistent: true
Privileges: [aaa, admin]
SNMP OID: .1.3.6.1.4.1.9.9.719.1.1.13

This MO is the end point for all Ldap Group related configuration. When contained under LdapEp, this represents the global configuration. When contained under LdapProvider, this represents per server configuration

Naming Rules
RN FORMAT: ldapgroup-rule [1] PREFIX=ldapgroup-rule DN FORMAT: [0] sys/ldap-ext/ldapgroup-rule [1] sys/ldap-ext/provider-[name]/ldapgroup-rule

Containers Hierarchies

top:Root This class represents the root element in the object hierarchy. All managed objects in the system are descendants of the Root element.

├	top:System Provides general information about this system, such as the name, IP address and current time.

top:Root This class represents the root element in the object hierarchy. All managed objects in the system are descendants of the Root element.

├	top:System Provides general information about this system, such as the name, IP address and current time.

Contained Hierarchy

aaa:LdapGroupRule

Inheritance

policy:Item The base class for all objects contained by policy:Definition. Though no containment rules are specified here, by convention policy:Item must be contained by either policy:Definition or another policy:Item.

Events

Faults

Fsms

Properties Summary

Defined in: aaa:LdapGroupRule
aaa:LdapGroupAuthorization scalar:Enum8	authorization (aaa:LdapGroupRule:authorization) Config property indicating whether Ldap groups will be used for authorization
aaa:LdapAttribute string:Basic	targetAttr (aaa:LdapGroupRule:targetAttr) This property names the attribute to be downloaded which has user's group membership information Note that default value is given is applicable to LdapEp and LdapProvider also. Hence provider level attribute will always be non empty. User has to set it to empty to ensure Global value is used
aaa:LdapGroupTraversal scalar:Enum8	traversal (aaa:LdapGroupRule:traversal) Config property indicating whether to recursively traverse Ldap groups of user and download the container groups
scalar:Bool	usePrimaryGroup (aaa:LdapGroupRule:usePrimaryGroup) This property holds the info that decides whether to query for primary group or not. We need this flag because, retri- eving primary group requires additional ldap query.

Defined in: aaa:Item
naming:Descr string:Basic	descr (aaa:Item:descr) NO COMMENTS
naming:Name string:Basic	name (aaa:Item:name) NO COMMENTS

Defined in: mo:TopProps
mo:ModificationChildAction scalar:Bitmask32	childAction (mo:TopProps:childAction)
reference:Object	dn (mo:TopProps:dn) The Distinguished Name (dn) unambiguously identifies an object in the system. The dn provides a fully qualified path from the top of the object tree, all the way to the object. It is built as a sequence of relative names separated by the "/" character. For example: < ... dn = "sys/chassis-5/blade-2/adaptor-1" />
reference:RN	rn (mo:TopProps:rn) The Relative Name (rn) uniquely identifies an object within a given context. Note that a dn is comprised of a sequence of relative names. For example, the context "sys/chassis-1/blade-1/adaptor-1/host-eth-2" can be thought of as the following expression: dn = <root object>/{rn}/{rn}/{rn}/{rn}/{rn}. The rn can then be used to identify the object (for instance, "adaptor-1") within the context: <... rn ="../" />
mo:InstSaclType scalar:Bitmask8	sacl (mo:TopProps:sacl) The system acl property for each Managed Object. br/> This property is a 8 bit mask and supports the following values :- a: del b: mod c: addchild d: cascade By default all Managed Objects have the following permissions a: del b: mod c: addchild This property is persisted in the db. If this property has a value none it means, the user has read only permissions on this object.
mo:ModificationStatus scalar:Bitmask32	status (mo:TopProps:status) This property controls the life cycle of a managed object

Properties Detail

authorization

Type: aaa:LdapGroupAuthorization
Primitive Type: scalar:Enum8

Units: null

Encrypted: false

Access: admin

Category: TopLevelRegular

Property Validators:

Comments:

Config property indicating whether Ldap groups will be used for authorization

Constants
disable	0	NO COMMENTS
enable	1	NO COMMENTS
DEFAULT	disable(0)	NO COMMENTS

childAction

Type: mo:ModificationChildAction
Primitive Type: scalar:Bitmask32

Units: null

Encrypted: false

Access: implicit

Category: TopLevelChildAction

Property Validators:

Comments:

Constants
deleteAll	16384u	NO COMMENTS
ignore	4096u	NO COMMENTS
deleteNonPresent	8192u	NO COMMENTS
DEFAULT	0	This type is used to

descr

Type: naming:Descr
Primitive Type: string:Basic

Like: naming:Described:descr

Units: null

Encrypted: false

Access: admin

Category: TopLevelRegular

Property Validators:
    Range:  min: "0"  max: "256"
        Allowed Chars:
            Regex: [a-zA-Z0-9\[\]!#$%()*+,-./:;@ _{|}˜?&]+

Comments:

NO COMMENTS

dn

Type: reference:Object

Units: null

Encrypted: false

Access: implicit

Category: TopLevelDn

Property Validators:

Comments:

The Distinguished Name (dn) unambiguously identifies an object in the system.
The dn provides a fully qualified path from the top of the object tree, all the way to the object. It is built as a sequence of relative names separated by the "/" character.
For example:
< ... dn = "sys/chassis-5/blade-2/adaptor-1" />

name

Type: naming:Name
Primitive Type: string:Basic

Like: naming:Named:name

Units: null

Encrypted: false

Access: admin

Category: TopLevelRegular

Property Validators:
    Range:  min: "0"  max: "16"
        Allowed Chars:
            Regex: [a-zA-Z0-9_.:-]+

Comments:

NO COMMENTS

rn

Type: reference:RN

Units: null

Encrypted: false

Access: implicit

Category: TopLevelRn

Property Validators:

Comments:

The Relative Name (rn) uniquely identifies an object within a given context.
Note that a dn is comprised of a sequence of relative names. For example, the context "sys/chassis-1/blade-1/adaptor-1/host-eth-2" can be thought of as the following expression:
dn = <root object>/{rn}/{rn}/{rn}/{rn}/{rn}.
The rn can then be used to identify the object (for instance, "adaptor-1") within the context:
<... rn ="../" />

sacl

Type: mo:InstSaclType
Primitive Type: scalar:Bitmask8

Units: null

Encrypted: false

Access: implicit

Category: TopLevelSacl

Property Validators:

Comments:

The system acl property for each Managed Object. br/> This property is a 8 bit mask and supports the following values :-
a: del
b: mod
c: addchild
d: cascade

By default all Managed Objects have the following permissions
a: del
b: mod
c: addchild
This property is persisted in the db. If this property has a value none
it means, the user has read only permissions on this object.

Constants
none	0	NO COMMENTS
del	1	NO COMMENTS
mod	2	NO COMMENTS
addchild	4	NO COMMENTS
cascade	8	NO COMMENTS
DEFAULT	0	NO COMMENTS

status

Type: mo:ModificationStatus
Primitive Type: scalar:Bitmask32

Units: null

Encrypted: false

Access: implicit

Category: TopLevelStatus

Property Validators:

Comments:

This property controls the life cycle of a managed object

Constants
removed	16u	In a setter method: specifies that an object should be removed. In the return value of a setter method: indicates that an object has been removed.
created	2u	In a setter method: specifies that an object should be created. An error is returned if the object already exists. In the return value of a setter method: indicates that an object has been created.
modified	4u	In a setter method: specifies that an object should be modified In the return value of a setter method: indicates that an object has been modified.
deleted	8u	In a setter method: specifies that an object should be deleted. In the return value of a setter method: indicates that an object has been deleted.
DEFAULT	0	This type controls the life cycle of objects passed in the XML API. When used in a setter method (such as configConfMo), the ModificationStatus specifies whether an object should be created, modified, deleted or removed. In the return value of a setter method, the ModificationStatus indicates the actual operation that was performed. For example, the ModificationStatus is set to "created" if the object was created. The ModificationStatus is not set if the object was neither created, modified, deleted or removed. When invoking a setter method, the ModificationStatus is optional: If a setter method such as configConfMo is invoked and the ModificationStatus is not set, the system automatically determines if the object should be created or modified.

targetAttr

Type: aaa:LdapAttribute
Primitive Type: string:Basic

Units: null

Encrypted: false

Access: admin

Category: TopLevelRegular

Property Validators:
    Range:  min: "0"  max: "63"

Comments:

This property names the attribute to be downloaded which has user's group membership information Note that default value is given is applicable to LdapEp and LdapProvider also. Hence provider level attribute will always be non empty. User has to set it to empty to ensure Global value is used

Constants
defaultValue	"memberOf"	NO COMMENTS

traversal

Type: aaa:LdapGroupTraversal
Primitive Type: scalar:Enum8

Units: null

Encrypted: false

Access: admin

Category: TopLevelRegular

Property Validators:

Comments:

Config property indicating whether to recursively traverse Ldap groups of user and download the container groups

Constants
non-recursive	0	NO COMMENTS
recursive	1	NO COMMENTS
DEFAULT	non-recursive(0)	NO COMMENTS

usePrimaryGroup

Type: scalar:Bool

Units: null

Encrypted: false

Access: admin

Category: TopLevelRegular

Property Validators:

Comments:

This property holds the info that decides whether to query for primary group or not. We need this flag because, retri- eving primary group requires additional ldap query.