09-02-2009 11:18 PM - edited 02-21-2020 03:39 AM
I got plain old LDAP authentication to work with my ASA (using OpenLDAP) but now I'm trying to get ldap groups working... Here is the scoop:
All my users are in ou=People,dc=acme,dc=com.
I only want users (from the People tree) who are a member of cn=vpnusers,ou=groups,dc=acme,dc=com to be able to log in. So that would be a subset of the users in the 'People' tree.
Is this possible?
09-10-2009 12:44 PM
You'll need to use LDAP Attribute Mapping, which you're probably aware of, but it has to be exact. This will help:
asa# debug ldap 255
asa# test aaa-server authorization LDAPGROUP host openldap.acme.com username johnchambers
asa# un all
Scroll up and find your group, cn=vpnusers,ou=groups,dc=acme,dc=com.
You'll need to copy the mapped value exactly (i.e., mapped to IETF-Radius-Class: value =
asa# show run ldap attribute-map group-mapping
ldap attribute-map group-mapping
map-name memberOf IETF-Radius-Class
map-value memberOf "
If you don't want users to be able to log in, set your default group policy in the profile to a group policy that doesn't have a tunnel protocol, etc. (something that won't work). If they match the memberOf group mapping they'll get thrown into a working group policy.
Maybe that makes sense. Let me know.
-D
04-01-2010 02:21 AM
Hi draper7,
I've tried your debugging tips on my openLDAP server, but unfortunately the group (in my case, cn=vpn,ou=Groups,dc=essence) doesn't exist.
I've tried adding the memberOf via LDIF using the following:
dn: cn=vpn,ou=Groups,dc=essence
objectclass: groupOfNames
cn: vpn
member: userid=chris.alavoine,ou=Users,dc=essence
04-01-2010 06:16 AM
Can you copy and paste the output of:
asa# debug ldap 255
asa# test aaa-server authorization LDAPGROUP host openldap.acme.com username johnchambers
asa# un all
Thanks,
-Dusty
04-01-2010 08:18 AM
Hi Dusty,
Thanks for replying so swiftly.
04-01-2010 08:18 AM
Hrmmm, not what I was hoping for... Can you copy/paste the output from:
show run aaa-server ess-ldap-group
You might want to edit the prior post and remove some stuff.
-Dusty
04-01-2010 08:43 AM
Hiya,
Chris.
04-01-2010 08:43 AM
Double check your basedn in your openldap config... maybe?
aaa-server ess-ldap-group (inside) host 192.168.x.x
ldap-base-dn dc=essence, dc=com
-=Dusty
04-01-2010 08:48 AM
Yep, tried all that unfortunately.
I think the problem lies with my openLDAP database and the way it's been set up. I inherited this so wasn't able to put the group settings in from the start.
The fact that no group settings are found when doing a debug ldap 255 is where it's going wrong I think.
c:)
04-03-2010 12:40 AM
Hi Chris,
Based on your ldap debug, the LDAP server does not return/pass the "memberOf" attribute, and you have configured "memberOf" to match it, hence the ldap attribute mapping is not mapping it correctly to the group-policy.
On your OpenLDAP, you can configure the memberOf overlay so the memberOf attribute can be passed to the ASA for attribute mapping.
Alternatively, you can match on another LDAP attribute which is unique and configure the corresponding "map-value" on the ASA.
Hope that helps.
04-03-2010 06:05 AM
I've looked through the debug output, and it seems that the ldap server does not provide too much information (relevant attributes), in particular which group the user belongs to that can be used to map it in ldap attribute mapping on the ASA.
Is there any way to configure the ldap server to send more attributes (something similar to the memberOf value)? It doesn't have to be the attribute "memberOf"; as long as it can send attributes similar to memberOf, then we can use that attribute to map it.
04-06-2010 05:38 AM
I spoke too soon.
The usernames are being authorized ok, but the passwords are not. Doh!
Still need to make some adjustments to openLDAP I think. I wish I knew where to start.
c:)
04-08-2010 07:25 AM
Ok, it's definitely working now.
I ended up mapping the gecos attribute to IETF-Radius-Class.
On user creation I enter either "vpn" or "novpn" into the gecos (comment) attribute.
I then have an attribute map on the ASA which assigns "vpn" to an open VPN Group Policy and "novpn" to a closed VPN Group Policy.
Phew! Only took me about 6 weeks to get this working.
Thanks for all your help, guys.
Regards,
Chris.
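Putting the thread's final approach into ASA configuration, as an added example that is not from any of the posts above: the gecos attribute is mapped to IETF-Radius-Class, "vpn" lands in a working group policy, "novpn" (and anyone the map does not match, via the fail-closed default-group-policy) cannot connect. The group-policy names, the tunnel-group name, the bind DN, the naming attribute and the server address are assumed.

```cisco
! OpenLDAP "gecos" selects the ASA group-policy. "vpn" / "novpn" are the
! values stored in gecos at user creation; the policy names are assumed.
ldap attribute-map gecos-mapping
 map-name  gecos IETF-Radius-Class
 map-value gecos vpn   GP_VPN_ALLOW
 map-value gecos novpn GP_VPN_DENY
!
! Fail-closed policy: zero simultaneous logins, so a user mapped here
! (or a user the attribute map does not match at all) cannot connect.
group-policy GP_VPN_DENY internal
group-policy GP_VPN_DENY attributes
 vpn-simultaneous-logins 0
!
! Working policy for users whose gecos is "vpn" (assumed settings).
group-policy GP_VPN_ALLOW internal
group-policy GP_VPN_ALLOW attributes
 vpn-simultaneous-logins 3
!
! LDAP server definition (address, bind DN and naming attribute assumed).
aaa-server LDAPGROUP protocol ldap
aaa-server LDAPGROUP (inside) host 192.0.2.10
 ldap-base-dn ou=People,dc=acme,dc=com
 ldap-scope subtree
 ldap-naming-attribute uid
 ldap-login-dn cn=asa-bind,dc=acme,dc=com
 ldap-login-password <bind-password-placeholder>
 server-type openldap
 ldap-attribute-map gecos-mapping
!
! Users who do not match any map-value fall into the deny policy.
tunnel-group VPN-USERS general-attributes
 authentication-server-group LDAPGROUP
 default-group-policy GP_VPN_DENY
```

Verify with the same test command used earlier in the thread (test aaa-server authorization LDAPGROUP host ... username ...) and confirm the debug shows gecos mapped to IETF-Radius-Class with the expected policy name.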