Chatta subito con l'assistenza
Chat con il supporto

One Identity Safeguard for Privileged Sessions 6.9.2 - YubiKey Multi-Factor Authentication - Overview

[whitelist source=ldap_server_group]

The [whitelist source=ldap_server_group] section allows whitelisting users based on LDAP Server group membership. To enable this whitelist, configure one of the use cases below.

NOTE: The user names and groups are compared in LDAP in a case-insensitive manner.

Declaration
[whitelist source=ldap_server_group]
allow=<no_user-or-all_users>
except=<group-1>,<group-2>
allow
Type: string (all_users | no_users)
Required: no
Default: N/A

Description: This parameter defines whether to allow all users or no user to connect without providing YubiKey credentials. Used together with the except parameter, you can define specific LDAP/AD group(s) that are exempt from this rule.

except
Type: string
Required: no
Default: N/A

Description: This parameter defines those specific LDAP/AD group(s) that are exempt from the rule defined by the allow parameter.

Use case #1: Allow no user except members of specific group(s)

To allow members of specific LDAP/AD group(s) to connect without providing YubiKey credentials, type the names of these LDAP/AD groups as values of the except parameter and set the allow parameter to no_user:

[whitelist source=ldap_server_group]
allow=<no_user>
except=<group-1>,<group-2>

You must configure the name of the LDAP Server policy in the [ldap_server] section.

Use case #2: Allow all users except members of specific group(s)

To enforce YubiKey authentication only on members of specific LDAP/AD group(s), type the names of these LDAP/AD groups as values of the except parameter and set the allow parameter to all_users:

[whitelist source=ldap_server_group]
allow=<all_users>
except=<group-1>,<group-2>

You must configure the name of the LDAP Server policy in the [ldap_server] section.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione