ASA 8.0(3)6 SSL VPN & Sun One LDAP Groups

Jun 20th, 2008

First time working with an ASA and LDAP. We're trying to require users to be part of a vpnusers group in a Sun One 5.2 directory. The ASA config examples all seem to assume that group membership values are assigned to the user object in LDAP. It's not the case in our Sun LDAP. Groups are separate objects with the members defined in the group object with "uniquemember". Determining group membership requires a query of the group for the uid or dn of the user to see if they're a member. I can't find any examples of the ASA working with this.

thammerle Thu, 06/26/2008 - 10:51

There is a fundamental LDAP object structure at issue. All of the Cisco configuration guides call out the user object having the "memberof" attribute. In our Sun One directory, user objects do not have any "memberof" attributes. User objects are contained within group objects using the "uniquemember" attribute. So to determine group membership in the Sun directory you can't query a user object's memberof attribute; you have to query the group for the user object.

None of the Cisco guides I've seen contain any reference to this method. They're all referring to 'memberof' as a user object attribute.
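The two-step lookup described in this thread (resolve the login name to a DN, then search the group entry for that DN among its uniquemember values), as an added example that is not from the poster or from Cisco. It runs against a constructed in-memory directory rather than a live server; the group and user names are assumed.

```python
# Added example (not from the thread): emulate the lookup order a client needs
# when membership lives on the group object (uniquemember) instead of on the
# user (memberOf). The directory below is a constructed in-memory sample.

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a uid or DN can be embedded in a search filter
    without changing the filter's structure (e.g. a '*' or ')' in the input)."""
    specials = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}
    return ''.join(specials.get(ch, ch) for ch in value)

def user_filter(uid: str) -> str:
    """Step 1: the filter that resolves a login name to the user's DN."""
    return '(&(objectClass=inetOrgPerson)(uid=%s))' % escape_filter_value(uid)

def group_filter(group_cn: str, user_dn: str) -> str:
    """Step 2: the filter sent against the groups subtree; it matches the
    group entry only if the user's DN appears among its uniquemember values."""
    return '(&(objectClass=groupOfUniqueNames)(cn=%s)(uniquemember=%s))' % (
        escape_filter_value(group_cn), escape_filter_value(user_dn))

def _norm(dn: str) -> str:
    """DNs compare case-insensitively and ignore whitespace after the commas."""
    return ','.join(part.strip() for part in dn.lower().split(','))

# Constructed sample tree: DN -> attributes (assumed names, not a real directory).
DIRECTORY = {
    'uid=alice,ou=people,dc=example,dc=com': {'objectclass': ['inetorgperson'], 'uid': ['alice']},
    'uid=bob,ou=people,dc=example,dc=com': {'objectclass': ['inetorgperson'], 'uid': ['bob']},
    'cn=vpnusers,ou=groups,dc=example,dc=com': {
        'objectclass': ['groupofuniquenames'], 'cn': ['vpnusers'],
        'uniquemember': ['uid=alice, ou=people, dc=example, dc=com']},
}

def find_user_dn(directory, uid):
    """Emulates step 1: return the DN of the entry whose uid matches, or None."""
    for dn, attrs in directory.items():
        if 'inetorgperson' in attrs.get('objectclass', []) and uid in attrs.get('uid', []):
            return dn
    return None

def in_group(directory, group_cn, user_dn):
    """Emulates step 2: the group entry is searched, not the user entry."""
    for attrs in directory.values():
        if 'groupofuniquenames' in attrs.get('objectclass', []) and group_cn in attrs.get('cn', []):
            members = {_norm(m) for m in attrs.get('uniquemember', [])}
            return _norm(user_dn) in members
    return False

def is_vpn_user(directory, uid, group_cn='vpnusers'):
    """Both steps together: an unknown uid and a non-member both fail closed."""
    user_dn = find_user_dn(directory, uid)
    return user_dn is not None and in_group(directory, group_cn, user_dn)
```

The escaping matters because the uid comes from the login prompt; without it a value such as `*` would widen the step-1 search instead of matching one entry.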