ASA LDAP Authentication AD Permissions

Sep 25th, 2009

Does anyone know which specific permissions within Microsoft AD the username programmed into the ASA for LDAP authentication needs to have? The documentation just states that the username needs to be an administrator within active directory, but I don't want to make the account a member of the domain admins group if it is not necessary. I'd like to be as granular as possible.

We are going to be doing password management on the ASA so users can change their passwords when they expire. I'm not sure if that makes a difference on the permissions necessary.



Jatin Katyal Fri, 09/25/2009 - 08:07
Cisco Employee

Hi Steve,

The admin user should have full read-only access to query/read the full directory/structure.

This is what you need to enable the password change feature for VPN users on the ASA.

LDAP configuration on ASA

aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD host server-port 636
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-over-ssl enable
 server-type Microsoft

NOTE: This will only work with secure LDAP (TCP 636).

VPN configuration on ASA

tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LDAP-AD
 default-group-policy DfltGrpPolicy
 password-management password-expire-in-days

Settings on the LDAP server

We can create a new user account with the password setting "User must change password at next logon", or set a specific number of days, whenever you allow users to change their password.
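The note above that password management only works over secure LDAP on TCP 636 is easy to audit in a saved running-config. The Python script below is an added example, not code from the post or from Cisco: it parses a constructed ASA config fragment (the group names LDAP-PLAIN, LDAP-AD, VPN-PLAIN and VPN-SSL and the 192.0.2.x addresses are sample values) and reports every tunnel-group whose password-management relies on an LDAP server group that lacks ldap-over-ssl on port 636.

```python
import re
# Constructed sample ASA config fragment (not from the original post): LDAP-PLAIN
# talks cleartext LDAP on the default port, LDAP-AD uses ldap-over-ssl on TCP 636.
SAMPLE_CONFIG = """\
aaa-server LDAP-PLAIN (inside) host 192.0.2.10
aaa-server LDAP-AD (inside) host 192.0.2.11
 server-port 636
 ldap-over-ssl enable
tunnel-group VPN-PLAIN general-attributes
 authentication-server-group LDAP-PLAIN
 password-management password-expire-in-days 14
tunnel-group VPN-SSL general-attributes
 authentication-server-group LDAP-AD
 password-management
"""
HOST_RE = re.compile(r"^aaa-server (\S+) (?:\(\S+\) )?host (\S+)")
TG_RE = re.compile(r"^tunnel-group (\S+) general-attributes$")
def parse_blocks(config):  # -> [(top-level command, [sub-commands]), ...]
    blocks = []
    for raw in config.splitlines():
        if raw.startswith(" ") and blocks:   # indented line: sub-command of the current block
            blocks[-1][1].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            blocks.append((raw.strip(), []))
    return blocks

def ldap_hosts(blocks):  # -> {aaa-server group name: [(host, port, ssl_enabled), ...]}
    hosts = {}
    for cmd, subs in blocks:
        m = HOST_RE.match(cmd)
        if m:  # server-port is a sub-command of the host entry; 389 is the ASA default for LDAP
            port = next((int(s.split()[1]) for s in subs if s.startswith("server-port ")), 389)
            hosts.setdefault(m.group(1), []).append((m.group(2), port, "ldap-over-ssl enable" in subs))
    return hosts

def check_password_management(config):
    """One finding per tunnel-group whose password-management uses an LDAP host without SSL on 636."""
    hosts = ldap_hosts(blocks := parse_blocks(config))
    findings = []
    for cmd, subs in blocks:
        m = TG_RE.match(cmd)
        if not m or not any(s.startswith("password-management") for s in subs):
            continue
        groups = [t for s in subs if s.startswith("authentication-server-group ")
                  for t in s.split()[1:] if not t.startswith("(") and t != "LOCAL"]  # skip "(iface)" and LOCAL
        for group in groups:
            for host, port, ssl in hosts.get(group, []):
                if not ssl or port != 636:
                    findings.append(f"tunnel-group {m.group(1)}: password-management via {group} host {host} port {port} ssl={ssl}")
    return findings
```

Run it against the output of `show running-config` to get the same report for a real box; a clean config returns an empty list.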





This Discussion