i wrote this document up a while back for a client. maybe it has something useful to you:
LDAP VPN Authentication
&
Group Policy Assignment on the ASA
The following links were useful in creating the configuration for LDAP authentication and group policy assignment:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/extsvr.html
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml
There are a few caveats when configuring this on the ASA. The LDAP account used to bind and authenticate users is based on the display name in Active Directory, not the username, and should contain no spaces. This account must either be in the built-in Account Operators group, or assigned the change password permissions in Active Directory, if using the password management feature, otherwise, a regular domain account may be used. To see what exactly should be used in the aaa-server LDAP configuration, run the following command from a DOS prompt on the Windows AD server:
dsquery user -samid username
The output of this command should be used in the aaa-server section for the LDAP server.
Spaces are allowed in the LDAP attribute mappings, however, as long as quotations are used around the entire LDAP path. The 'memberOf' attribute is the AD LDAP attribute used to map to the specific group-policy on the ASA appliance.
Password-management, the ability for the remote VPN user to change their Active Directory password relies on the use of LDAP over SSL, as seen in the example configuration that follows at the end of this document. Once users are assigned their group polices, any configuration under that group-policy is applied to them as usual. This can include VPN filters (ACL's), a different DHCP scope, different DNS servers, etc. Most problems associated with this configuration can be traced back to the LDAP syntax used.
An example VPN configuration follows, using LDAP as the backend authentication server to assign group-policies:
crypto dynamic-map REMOTEVPN 5 set transform-set ets3des
crypto map emap 65535 ipsec-isakmp dynamic REMOTEVPN
ldap attribute-map CISCOMAP
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=VPNGROUP1,OU=Domain Accounts,DC=domain,DC=com" VPNGROUP1
map-value memberOf "CN=VPNGROUP2,OU=Domain Accounts,DC=domain,DC=com" VPNGROUP2
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host x.x.x.x
ldap-base-dn DC=domain,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn CN=asaadmin,CN=Users,DC=domain,DC=com
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map CISCOMAP
ip local pool vpnpool 192.168.0.1-192.168.0.254 mask 255.255.255.0
access-list acl1_name permit ip 192.168.0.0 255.255.255.0 x.x.x.x z.z.z.z
access-list acl2_name permit ip 192.168.0.0 255.255.255.0 y.y.y.y z.z.z.z
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
address-pool vpnpool
authentication-server-group LDAP
password-management
tunnel-group vpngroup ipsec-attributes
pre-shared-key *
group-policy VPNGROUP1 internal
group-policy VPNGROUP1 attributes
dns-server value x.x.x.x
vpn-tunnel-protocol IPSec
default-domain value domain.com
vpn-filter value acl1_name
group-policy VPNGROUP2 internal
group-policy VPNGROUP2 attributes
dns-server value x.x.x.x
vpn-tunnel-protocol IPSec
default-domain value domain.com
vpn_filter value acl2_name
