VPN client authentication on ASA against Novell eDirectory (LDAP)

Oct 10th, 2007

Dear all,

Since PIX 7 and ASA support user authentication through LDAP, I am trying to configure my ASA to use a Novell eDirectory server for user authentication. My configuration is as follows:

aaa-server ldap-authen-grp protocol ldap
aaa-server ldap-authen-grp host
ldap-base-dn ou=IT,o=MyCompany
ldap-scope subtree
ldap-naming-attribute cn
ldap-login-password MyPasswd
ldap-login-dn cn=admin,ou=IT,o=MyCompany
ldap-over-ssl enable

Then I run the following commands:

1. debug ldap 255 (turn on ldap debug)

2. test aaa-server authentication ldap-authen-grp host username testuser password testpasswd

The debug output is as follows:

INFO: Attempting Authentication test to IP address <> (timeout: 12 seconds)
[416] Session Start
[416] New request Session, context 0x3c194ec, reqType = 1
[416] Fiber started
[416] Creating LDAP context with uri=ldaps://
[416] Connect to LDAP server: ldaps://, status = Successful
[416] LDAP Search:
Base DN = [ou=IT,o=MyCompany]
Filter = [cn=testuser]
Scope = [SUBTREE]
[416] User DN = [cn=testuser,ou=IT,o=MyCompany]
[416] supportedLDAPVersion: value = 2
[416] supportedLDAPVersion: value = 3
[416] Server type for unknown
[416] Performing Simple authentication for testuser to
[416] Authentication successful for testuser to
[416] Retrieving user attributes from server
[416] Fiber exit Tx=214 bytes Rx=3805 bytes, status=-3
[416] Session End
ERROR: Authentication Error: No error

Please note that the exit status was "-3" and not "1"; I think the reason is that the step "Retrieving user attributes from server" is incomplete or incorrect. Because I have no access to the eDirectory server, my questions are:

1. How can I get more debug info from the ASA?

2. Any hints for configuring ASA?

Many thanks

didyap Tue, 10/16/2007 - 06:57

The latest 7.2.x builds have some more debugging information for LDAP from previous images. Also the debugs don't seem to recognize the server. It says it is "unknown". If possible upgrade to latest image or do a temporary upgrade to an interim 7.2(1)24 or 25 and attempt the VPN session again.

kelvindam Wed, 11/14/2007 - 01:05

On the latest ASA/PIX 8, I got LDAP authentication to work against a Novell server with this config:

aaa-server LDAP protocol ldap
aaa-server LDAP host (inside-ip)
server-port 636
ldap-base-dn ou=org,o=tree
ldap-scope subtree
ldap-login-password *
ldap-login-dn cn=nysuper,ou=org,o=tree
ldap-over-ssl enable
server-type novell


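To make the debug session in the question easier to read against the fix in the reply above, here is a small checker (an added example, not code from this thread or from Cisco) that parses an ASA debug ldap session and reports the two things the thread points at: a server type the ASA did not recognise, and a session that ends with a status other than 1 even though the user bind succeeded. The sample session is constructed from the question's output, and the diagnosis texts are assumptions drawn from this thread rather than from ASA documentation.

```python
import re

# Constructed sample: the "debug ldap 255" session quoted in the question,
# shortened, with the server address elided exactly as it is on the page.
SAMPLE_DEBUG = """\
[416] Session Start
[416] Connect to LDAP server: ldaps://, status = Successful
[416] User DN = [cn=testuser,ou=IT,o=MyCompany]
[416] Server type for unknown
[416] Authentication successful for testuser to
[416] Retrieving user attributes from server
[416] Fiber exit Tx=214 bytes Rx=3805 bytes, status=-3
[416] Session End
"""

EXIT_RE = re.compile(r"Fiber exit Tx=(\d+) bytes Rx=(\d+) bytes, status=(-?\d+)")
SERVER_TYPE_RE = re.compile(r"Server type for (\S+)")
USER_DN_RE = re.compile(r"User DN = \[(.*)\]")

def parse_ldap_debug(text):
    """Pull the fields worth checking out of one ASA LDAP debug session."""
    s = {"connected": False, "bind_ok": False, "server_type": None,
         "user_dn": None, "tx": None, "rx": None, "status": None}
    for line in text.splitlines():
        if "Connect to LDAP server" in line and "status = Successful" in line:
            s["connected"] = True          # LDAPS connection to the server worked
        elif "Authentication successful" in line:
            s["bind_ok"] = True            # simple bind as the end user worked
        elif m := SERVER_TYPE_RE.search(line):
            s["server_type"] = m.group(1)
        elif m := USER_DN_RE.search(line):
            s["user_dn"] = m.group(1)
        elif m := EXIT_RE.search(line):
            s["tx"], s["rx"], s["status"] = (int(g) for g in m.groups())
    return s

def diagnose(s):
    """Map a parsed session to the observations made in this thread (assumed heuristics)."""
    notes = []
    if not s["connected"]:
        notes.append("no LDAPS connection: check host, server-port 636 and ldap-over-ssl")
    if s["server_type"] == "unknown":
        notes.append("server type not recognised: add 'server-type novell' for eDirectory")
    if s["bind_ok"] and s["status"] != 1:
        notes.append(f"bind succeeded but session status={s['status']}: "
                     "the failure is after the bind, in attribute retrieval")
    return notes
```

Run it on a pasted debug session to get the session fields and the list of notes; an empty list means none of the thread's symptoms were seen.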

hamza_sid23 Wed, 12/12/2007 - 01:54


Even I am trying this; I am able to authenticate through LDAP, but it is not allowing me to change the password through the VPN client.

If I use the ldap over ssl command, do I need to make changes on the LDAP server, because this command is required for password management?

When we say password management, can users change their password through the VPN client as they do on a local Windows machine?


rickan2000 Mon, 12/24/2007 - 17:58

Thanks for all above replies. I updated the ASA image to 8.02 and the LDAP authentication works since then.
