Configure LDAP on Cisco ACS SE 4.2

dpatkins
Level 1

I am trying to finalize testing on using LDAP to authenticate as opposed to using the Cisco ACS agent.

I am obviously not an LDAP guru, so some of the attributes make no sense.

How does one determine what goes in these fields? Is it an actual name or a predefined field such as "cn" or "memberof"?

User Directory Subtree

Group Directory Subtree

UserObjectType

UserObjectClass

GroupObjectType

GroupObjectClass

Group Attribute Name

My second issue is, we have certain personnel assigned to certain groups. If I am assigned to ACSauth and someone else is assigned to the otherAuth group, do I need two different entries in LDAP for this? How do I make sure that both have authentication privileges?

Thanks

Dwane

2 Replies

Ivan Martinon
Level 7

One good tool that will help you out with these attributes is "Softerra LDAP Browser", which is freeware. However, if you are using AD as the server, some are already well known; for instance, you would need to connect to your AD and run the following command:

"dsquery user -name 'username'" (no quotes)

That will give you the whole path in LDAP syntax to where the user lies, and you can use the whole chain up to the username as the User Directory Subtree. It should throw something like:

"CN=Administrator,CN=Users,DC=LATAM,DC=SEC"

From this you can use

CN=Users,DC=LATAM,DC=SEC

The other option, Group Directory Subtree, is where your groups are and should be similar to the above:

UserObjectType

Most of the time it is "cn"

UserObjectClass

Most of the time it is "person"

GroupObjectType

Most of the time it is "cn"

GroupObjectClass

Most of the time it is "group"

Group Attribute Name

"member"

Mhh... I believe that since ACS does not have the query type option (LDAP query type one level or sub tree), you would need to define an LDAP context for the group.
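The reply above derives the User Directory Subtree by taking the DN that dsquery prints for one account and dropping its leading RDN, and names "member" as the Group Attribute Name. The following is an added example, not code from the thread, from Cisco ACS or from any Microsoft tool: it does that derivation with a DN splitter that honors RFC 4514 backslash escapes (a plain split on commas breaks on names such as `CN=Smith\, John`), and then shows how the "member" attribute of group entries is matched against a user DN to find which groups list that user. The sample DNs and group entries are constructed for illustration; it assumes only that dsquery prints the DN wrapped in double quotes, as the reply shows.

```python
"""Derive ACS LDAP subtree values from a dsquery DN and match group membership.

Added example for the thread above. The sample directory data is constructed
and is not real directory content; the dsquery output format is assumed to be
the double-quoted DN shown in the reply.
"""


def split_rdns(dn: str) -> list[str]:
    """Split a DN into its RDN strings, honoring RFC 4514 backslash escapes.

    A naive dn.split(",") breaks on names such as "CN=Smith\\, John", which
    AD produces for accounts whose name contains a comma.
    """
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def parent_dn(dn: str) -> str:
    """Return the DN of the container holding the object named by `dn`."""
    rdns = split_rdns(dn)
    if len(rdns) < 2:
        raise ValueError(f"DN has no parent container: {dn!r}")
    return ",".join(rdns[1:])


def subtree_from_dsquery(output: str) -> str:
    """Turn one line of `dsquery user -name <user>` output into the
    User Directory Subtree value: strip the surrounding quotes, then
    drop the leading CN=<user> RDN."""
    return parent_dn(output.strip().strip('"'))


def normalize_dn(dn: str) -> str:
    """Canonical form for DN comparison: RDNs trimmed and lower-cased.

    Directory servers treat DNs case-insensitively and ignore whitespace
    around the commas, so member values must be compared this way.
    """
    return ",".join(r.lower() for r in split_rdns(dn))


# Constructed sample of what a Group Directory Subtree might hold, keyed by
# group DN. The "member" attribute is the Group Attribute Name from the reply.
SAMPLE_GROUPS = {
    "CN=ACSauth,CN=Users,DC=LATAM,DC=SEC": {
        "objectClass": ["top", "group"],
        "member": [
            "CN=Administrator,CN=Users,DC=LATAM,DC=SEC",
            "CN=jdoe,OU=accounting,DC=LATAM,DC=SEC",
        ],
    },
    "CN=otherAuth,CN=Users,DC=LATAM,DC=SEC": {
        "objectClass": ["top", "group"],
        # Same user, written with different case and spacing on purpose.
        "member": ["cn=jdoe, ou=accounting, dc=latam, dc=sec"],
    },
}


def groups_for_user(user_dn: str, groups: dict) -> list[str]:
    """Return the names (leading RDN value) of every entry of objectClass
    "group" whose member attribute lists user_dn."""
    target = normalize_dn(user_dn)
    return sorted(
        split_rdns(group_dn)[0].split("=", 1)[1]
        for group_dn, attrs in groups.items()
        if "group" in attrs.get("objectClass", [])
        and any(normalize_dn(m) == target for m in attrs.get("member", []))
    )


if __name__ == "__main__":
    # The DN from the reply, as dsquery would print it.
    print(subtree_from_dsquery('"CN=Administrator,CN=Users,DC=LATAM,DC=SEC"'))
    print(groups_for_user("CN=jdoe,OU=accounting,DC=LATAM,DC=SEC", SAMPLE_GROUPS))
```

Run stand-alone, the first line prints `CN=Users,DC=LATAM,DC=SEC`, which is exactly the User Directory Subtree the reply derives; the second shows a user appearing in two groups at once, which is how one account in ACSauth and another in otherAuth (or one account in both) are represented without duplicating the user entry.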

I have LDAP working via ACS using the OU function. So the user subtree is OU=accounting,DC=win,DC=mydomain,DC=com. The issue is that I need all authenticated users to be able to use LDAP. Is there a way to make a wildcard such as OU=*?

Any ideas?

Dwane