ASA 5520: Retrieve user, group -and- lanlist (ACL) from openldap

Unanswered Question
Jan 23rd, 2009
User Badges:


while migrating from a VPN Concentrator 3000 to ASA 5520 (IOS 8.0.4), we'd like to put all VPN-related configuration settings in an openldap server (2.3.27).

We have trouble finding ways to put group settings, LanLists (as they were called on the Concentratror, or ACLs) and Lan2Lan configurations in LDAP.

Authenticating users through openldap works, and there seems to be a aaa-server command "ldap-group-dn-base", but it seems this is only used in conjunction with Active Directory, while we only use openldap.

Furthermore, ACL's seem to be indices refering to ACLs locally stored on the ASA: how to put the complete ACL in LDAP?

Preferred LDAP configuration:

VPN-users: ou=users,dc=vpn,dc=COMPANY,dc=com

VPN-groups: ou=groups,dc=vpn,dc=COMPANY,dc=com

VPN-L2L: ou=lantolan,dc=vpn,dc=COMPANY,dc=com

How to refer the ASA to an entry in ou=groups,... from an entry residing in ou=users?

Same question for LanLists. Is this possible?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Ivan Martinon Fri, 01/23/2009 - 10:06
User Badges:
  • Cisco Employee,

ASA has a feature called LDAP attribute map, in which you can map any value that you have on your LDAP database to Cisco AV pairs or Radius Values that the ASA will understand and use accordingly. For instance there are some CVPN3000 attributes which you can map the ldap values to and the ASA will use those.

This is an example how this works.

siennax Sun, 01/25/2009 - 23:40
User Badges:

Thank you. I did find the attribute map option, but the manuals and explanations that describe this feature all refer to group-settings (ACLs etc) that are _already configured_ on the ASA. They refer to a groupname or ACL-name that is "known" in the ASA configuration.

What we'd like to do is put -all- possible group, ACL, lan2lanlists, data in ldap. So when a user authenticates:

1. his user-credentials are checked against LDAP and relevant configurations (using attribute maps) are loaded into the ASA

2. his group-credentials are checked against LDAP and relevant group-configurations (using attribute maps) are loaded into the ASA

3. possible lan/network-lists to which his group-information refers, are loaded from LDAP into the ASA.

Perhaps I'm missing something, but I've found only ways to put the _name_ (/ID) of these settings in LDAP, referring to settings/configurations already existing in the ASA. I'd like to put _all_ the settings/configurations in LDAP as well.


This Discussion