ASA 8.0.4 and LDAP authentication and groups.

Unanswered Question
Sep 2nd, 2009

I got plain old LDAP authentication to work with my ASA (using OpenLDAP) but now I'm trying to get ldap groups working... Here is the scoop:

All my users are in ou=People,dc=acme,dc=com.

I only want users (from the People tree) who are a member of cn=vpnusers,ou=groups,dc=acme,dc=com to be able to log in. So that would be a subset of the users in the 'People' tree.

Is this possible?

draper7 Thu, 09/10/2009 - 12:44

You'll need to use LDAP Attribute Mapping, which you're probably aware of, but it has to be exact. This will help:

asa# debug ldap 255

asa# test aaa authorization LDAPGROUP host username johnchambers

asa# un all

Scroll up and find your group, cn=vpnusers,ou=groups,dc=acme,dc=com.

You'll need to copy the mapped value exactly (i.e. mapped to IETF-Radius-Class: value = ). Paste that in your attribute-map.

asa# show run ldap attribute-map group-mapping
ldap attribute-map group-mapping
  map-name memberOf IETF-Radius-Class
  map-value memberOf "" grouppolicy

If you don't want users to be able to log in, set your default group policy in the profile to a group policy that doesn't have a tunnel protocol, etc. (something that won't work). If they match the memberOf group mapping they'll get thrown into a working group policy.

Maybe that makes sense. Let me know.


Chris Alavoine Thu, 04/01/2010 - 02:21

Hi draper7,

I've tried your debugging tips on my openLDAP server, but unfortunately the group (in my case, cn=vpn,ou=Groups,dc=essence) doesn't exist.

I've tried adding the memberOf via LDIF using the following:

dn: cn=vpn,ou=Groups,dc=essence
objectclass: groupOfNames
cn: vpn
member: userid=chris.alavoine,ou=Users,dc=essence

This seems to add the correct group into LDAP. I'm using phpLDAPadmin to look at my database and the vpn group appears with chris.alavoine as a group member.
Am I missing something?
Any help much appreciated.
draper7 Thu, 04/01/2010 - 06:16

Can you copy and paste the output of:

asa# debug ldap 255

asa# test aaa authorization LDAPGROUP host username johnchambers

asa# un all



draper7 Thu, 04/01/2010 - 08:18

Hrmmm, not what I was hoping for... Can you copy/paste the output from:

show run aaa-server ess-ldap-group

You might want to edit the prior post and remove some stuff.


draper7 Thu, 04/01/2010 - 08:43

Double check your basedn in your openldap config... maybe?

aaa-server ess-ldap-group (inside) host 192.168.x.x
  ldap-base-dn dc=essence, dc=com


Chris Alavoine Thu, 04/01/2010 - 08:48

Yep, tried all that unfortunately.

I think the problem lies with my openLDAP database and the way it's been set up. I inherited this so wasn't able to put the group settings in from the start.

The fact that no group settings are found when doing a debug ldap 255 is where it's going wrong I think.


Jennifer Halim Sat, 04/03/2010 - 00:40
User Badges: Cisco Employee

Hi Chris,

Based on your ldap debug, the ldap server does not return/pass the "memberOf" attribute, and you have configured "memberOf" to match it, hence the ldap attribute mapping is not mapping it correctly to the group-policy.

On your Open LDAP, you can configure memberOf overlay so the memberOf attribute can be passed to the ASA for attribute mapping.

Alternatively, you can match on another attribute of LDAP which is unique and configure the corresponding "map-value" on the ASA.

Hope that helps.

Jennifer Halim Sat, 04/03/2010 - 06:05
User Badges: Cisco Employee

I've looked through the debug output, and it seems that the ldap server does not provide too much information (relevant attributes), in particular which group the user belongs to, that can be used to map it in ldap attribute mapping on the ASA.

Is there any way to configure the ldap server to send more attributes (something similar to the memberOf value)? It doesn't have to be the attribute "memberOf"; as long as it can send attributes similar to memberOf, then we can use that attribute to map it.

Chris Alavoine Tue, 04/06/2010 - 05:38

I spoke too soon.

The usernames are being authorized ok, but the passwords are not. Doh!

Still need to make some adjustments to openLDAP I think. I wish I knew where to start.


Chris Alavoine Thu, 04/08/2010 - 07:25

Ok, it's definitely working now.

I ended up mapping the gecos attribute to IETF-Radius-Class.

On user creation I enter either "vpn" or "novpn" into the gecos (comment) attribute.

I then have an attribute map on the ASA which assigns "vpn" to an open VPN Group Policy and "novpn" to a closed VPN Group Policy.

Phew! Only took me about 6 weeks to get this working.

Thanks for all your help guys.
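An added, runnable model of the ldap attribute-map logic behind draper7's memberOf recipe and Chris's gecos workaround above (example code, not from the thread or from Cisco): it parses map-name/map-value lines in ASA syntax, applies them to constructed LDAP entries, and picks a group policy, showing why a directory that never returns memberOf drops a user into the restrictive default policy while gecos values of "vpn"/"novpn" steer users as in Chris's final setup. The group-policy names, the exact/case-sensitive matching, the policy-selection rule and the sample entries are assumptions.

```python
import shlex
# Constructed attribute map in ASA syntax (group-policy names are assumed).
ATTRIBUTE_MAP = """
map-name memberOf IETF-Radius-Class
map-value memberOf "cn=vpnusers,ou=groups,dc=acme,dc=com" GP-VPN
map-name gecos IETF-Radius-Class
map-value gecos vpn GP-VPN
map-value gecos novpn GP-NOVPN
"""
# Assumed ASA side: these group-policies exist, and the tunnel-group default GP-DENY
# has no tunnel protocol (draper7's trick), so anyone left unmapped cannot connect.
CONFIGURED_POLICIES = {"GP-VPN", "GP-NOVPN"}
DEFAULT_POLICY = "GP-DENY"

def parse_attribute_map(text):
    names, values = {}, {}
    for line in text.strip().splitlines():
        parts = shlex.split(line)  # honours the "quoted DN" form
        if parts[:1] == ["map-name"] and len(parts) == 3:
            names[parts[1]] = parts[2]
        elif parts[:1] == ["map-value"] and len(parts) == 4:
            values.setdefault(parts[1], {})[parts[2]] = parts[3]
        else:
            raise ValueError(f"unrecognised attribute-map line: {line!r}")
    return names, values

def apply_attribute_map(entry, names, values):
    """LDAP entry (attr -> list of values) -> Cisco attrs; exact, case-sensitive match."""
    cisco = {}
    for ldap_attr, ldap_vals in entry.items():
        if ldap_attr in names:  # attributes with no map-name are not forwarded
            mapped = values.get(ldap_attr, {})  # unmatched values pass through unchanged
            cisco.setdefault(names[ldap_attr], []).extend(mapped.get(v, v) for v in ldap_vals)
    return cisco

def group_policy_for(entry):
    """Assumed (simplified) selection: first mapped value naming a configured policy wins."""
    cisco = apply_attribute_map(entry, *parse_attribute_map(ATTRIBUTE_MAP))
    for value in cisco.get("IETF-Radius-Class", []):
        if value in CONFIGURED_POLICIES:
            return value
    return DEFAULT_POLICY

# Constructed entries: with memberOf, without it (Chris's OpenLDAP), and the gecos workaround.
ENTRIES = {
    "memberof":    {"uid": ["johnchambers"], "memberOf": ["cn=vpnusers,ou=groups,dc=acme,dc=com"]},
    "no_memberof": {"uid": ["chris.alavoine"]},
    "gecos_vpn":   {"uid": ["chris.alavoine"], "gecos": ["vpn"]},
    "gecos_novpn": {"uid": ["contractor"], "gecos": ["novpn"]},
}
```

Note that a gecos value of "VPN" (wrong case) passes through unmapped and lands in GP-DENY, which is the same symptom draper7's "copy the mapped value exactly" advice guards against.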
