ASA 8.0.4 and LDAP authentication and groups.

Sep 2nd, 2009

I got plain old LDAP authentication to work with my ASA (using OpenLDAP), but now I'm trying to get LDAP groups working. Here is the scoop:

All my users are in ou=People,dc=acme,dc=com.

I only want users (from the People tree) who are a member of cn=vpnusers,ou=groups,dc=acme,dc=com to be able to log in, so that would be a subset of the users in the 'People' tree.

Is this possible?

draper7 Thu, 09/10/2009 - 12:44

You'll need to use LDAP Attribute Mapping, which you're probably aware of, but it has to be exact. This will help:

asa# debug ldap 255
asa# test aaa-server authorization LDAPGROUP host openldap.acme.com username johnchambers
asa# undebug all

Scroll up and find your group, cn=vpnusers,ou=groups,dc=acme,dc=com.

You'll need to copy the mapped value exactly (i.e. the "mapped to IETF-Radius-Class: value = ..." line). Paste that in your attribute-map.

asa# show run ldap attribute-map group-mapping
ldap attribute-map group-mapping
 map-name memberOf IETF-Radius-Class
 map-value memberOf "" grouppolicy

If you don't want users to be able to log in, set the default group policy in the profile to a group policy that doesn't have a tunnel protocol, etc. (something that won't work). If they match the memberOf group mapping they'll get thrown into a working group policy.

Maybe that makes sense. Let me know.

-D

Chris Alavoine Thu, 04/01/2010 - 02:21

Hi draper7,

I've tried your debugging tips on my openLDAP server, but unfortunately the group (in my case, cn=vpn,ou=Groups,dc=essence) doesn't exist.

I've tried adding the memberOf via LDIF using the following:

dn: cn=vpn,ou=Groups,dc=essence
objectclass: groupOfNames
cn: vpn
member: userid=chris.alavoine,ou=Users,dc=essence

This seems to add the correct group into LDAP. I'm using phpLDAPadmin to look at my database and the vpn group appears with chris.alavoine as a group member.
Am I missing something?
Any help much appreciated.
Chris.
draper7 Thu, 04/01/2010 - 06:16

Can you copy and paste the output of:

asa# debug ldap 255
asa# test aaa-server authorization LDAPGROUP host openldap.acme.com username johnchambers
asa# undebug all

Thanks,

-Dusty

draper7 Thu, 04/01/2010 - 08:18

Hrmmm, not what I was hoping for...  Can you copy/paste the output from:

show run aaa-server ess-ldap-group

You might want to edit the prior post and remove some stuff.

-Dusty

draper7 Thu, 04/01/2010 - 08:43

Double check your basedn in your openldap config... maybe?

aaa-server ess-ldap-group (inside) host 192.168.x.x
ldap-base-dn dc=essence, dc=com

-=Dusty

Chris Alavoine Thu, 04/01/2010 - 08:48

Yep, tried all that unfortunately.

I think the problem lies with my openLDAP database and the way it's been set up. I inherited this so wasn't able to put the group settings in from the start.

The fact that no group settings are found when doing a debug ldap 255 is where it's going wrong I think.

c:)

Jennifer Halim Sat, 04/03/2010 - 00:40

Hi Chris,

Based on your LDAP debug, the LDAP server does not return/pass the "memberOf" attribute, and you have configured "memberOf" as the attribute to match, hence the LDAP attribute mapping is not mapping it correctly to the group-policy.

On your OpenLDAP, you can configure the memberOf overlay so the memberOf attribute can be passed to the ASA for attribute mapping.

Alternatively, you can match on another LDAP attribute which is unique and configure the corresponding "map-value" on the ASA.

Hope that helps.
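As an added example (not configuration posted by anyone in this thread), this is what the memberOf overlay Jennifer refers to looks like on an OpenLDAP 2.4 server that is managed through cn=config. The module path (/usr/lib/ldap) and the database entry name ({1}hdb) are assumptions that must be checked against the server; the group and member DNs are the ones Chris posted. The last entry addresses exactly the "inherited directory" situation: the overlay only writes memberOf when a group entry is modified, so a group that existed before the overlay was loaded gets no memberOf on its members until its member values are removed and re-added once.

```text
# Part 1: load the module and attach the overlay to the user database.
# Apply with: ldapadd -Y EXTERNAL -H ldapi:/// -f memberof.ldif
# Check the real database DN first:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase=*)" dn
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: memberof.la

dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
# groupOfNames/member is what Chris's cn=vpn entry uses
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
# keep memberOf consistent when a user entry is renamed or deleted
olcMemberOfRefInt: TRUE
olcMemberOfDangling: ignore

# Part 2: re-write the members of a pre-existing group so the overlay
# sees a modification and stamps memberOf on the user entries.
# Apply with: ldapmodify -x -D "<admin DN>" -W -f fixgroup.ldif
# delete+add in one modify is atomic, so the groupOfNames MUST
# constraint on member is not violated in between.
dn: cn=vpn,ou=Groups,dc=essence
changetype: modify
delete: member
member: userid=chris.alavoine,ou=Users,dc=essence
-
add: member
member: userid=chris.alavoine,ou=Users,dc=essence
```

For a server still configured through slapd.conf the equivalent directives are `moduleload memberof.la`, then `overlay memberof`, `memberof-group-oc groupOfNames`, `memberof-member-ad member`, `memberof-memberof-ad memberOf` and `memberof-refint true` after the database definition. Because the overlay defines memberOf as an operational attribute, a plain `ldapsearch` will not show it; verify with a search that names it explicitly, e.g. `ldapsearch -x -b ou=Users,dc=essence "(userid=chris.alavoine)" memberOf`, and compare the returned DN character for character with the `map-value` on the ASA.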

Jennifer Halim Sat, 04/03/2010 - 06:05

I've looked through the debug output, and it seems that the LDAP server does not provide much information (relevant attributes), in particular which group the user belongs to, that can be used to map it in the LDAP attribute mapping on the ASA.

Is there any way to configure the LDAP server to send more attributes (something similar to the memberOf value)? It doesn't have to be the attribute "memberOf"; as long as it can send an attribute similar to memberOf, we can use that attribute to map it.

Chris Alavoine Tue, 04/06/2010 - 05:38

I spoke too soon.

The usernames are being authorized ok, but the passwords are not. Doh!

Still need to make some adjustments to openLDAP I think. I wish I knew where to start.

c:)

Chris Alavoine Thu, 04/08/2010 - 07:25

Ok, it's definitely working now.

I ended up mapping the gecos attribute to IETF-Radius-Class.

On user creation I enter either "vpn" or "novpn" into the gecos (comment) attribute.

I then have an attribute map on the ASA which assigns "vpn" to an open VPN Group Policy and "novpn" to a closed VPN Group Policy.

Phew! Only took me about 6 weeks to get this working.

Thanks for all your help guys.

Regards,

Chris.
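As an added example that is not the configuration of anyone in this thread, the ASA 8.0 CLI below puts the two approaches discussed above side by side: draper7's fail-closed default group-policy with a memberOf attribute map, and Chris's gecos-based map for a directory that returns no memberOf. The DNs are the ones from the original question; the server address, bind DN, policy names, tunnel-group name and the choice of `uid` as naming attribute are assumptions.

```text
! Fail-closed default: any user the attribute map does not place in a
! working policy lands here and is refused (zero simultaneous logins).
group-policy GP-VPN-DENY internal
group-policy GP-VPN-DENY attributes
 vpn-simultaneous-logins 0

group-policy GP-VPN-ALLOW internal
group-policy GP-VPN-ALLOW attributes
 vpn-tunnel-protocol IPSec svc
 vpn-simultaneous-logins 3

! Variant 1 (draper7): key on group membership. The LDAP value must match
! what "debug ldap 255" prints for memberOf exactly (case, spacing, full DN).
ldap attribute-map group-mapping
 map-name memberOf IETF-Radius-Class
 map-value memberOf "cn=vpnusers,ou=groups,dc=acme,dc=com" GP-VPN-ALLOW

! Variant 2 (Chris): no memberOf available, so key on a free-text
! attribute that is set per user at creation time.
ldap attribute-map gecos-mapping
 map-name gecos IETF-Radius-Class
 map-value gecos vpn GP-VPN-ALLOW
 map-value gecos novpn GP-VPN-DENY

! Only one attribute map can be attached to a server group; point
! ldap-attribute-map at gecos-mapping instead to use Variant 2.
! LDAPS is enabled so the bind password and user passwords are not sent
! in the clear (assumed host 192.0.2.10, assumed bind account).
aaa-server LDAPGROUP protocol ldap
aaa-server LDAPGROUP (inside) host 192.0.2.10
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn ou=People,dc=acme,dc=com
 ldap-scope subtree
 ldap-naming-attribute uid
 ldap-login-dn cn=asa-bind,ou=People,dc=acme,dc=com
 ldap-login-password <bind-password>
 server-type openldap
 ldap-attribute-map group-mapping

tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group LDAPGROUP
 default-group-policy GP-VPN-DENY

! Verify the mapping for one user (look for the
! "mapped to IETF-Radius-Class" line in the scrollback):
!   debug ldap 255
!   test aaa-server authorization LDAPGROUP host 192.0.2.10 username johnchambers
!   undebug all
```

Two cautions on the gecos variant. First, gecos is a comment field, so whoever can write it can grant VPN access: the directory ACLs must not give users `write` on their own gecos (or on any attribute the ASA maps), otherwise "novpn" becomes "vpn" with one `ldapmodify`. Second, a user whose gecos holds neither value, or a user whose entry returns no gecos at all, is not matched and falls through to `default-group-policy`, which is why that default must be the deny policy rather than a working one.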
