ASA LDAP Authentication AD Permissions

Sep 25th, 2009
Does anyone know which specific permissions within Microsoft AD the username programmed into the ASA for LDAP authentication needs to have? The documentation just states that the username needs to be an administrator within active directory, but I don't want to make the account a member of the domain admins group if it is not necessary. I'd like to be as granular as possible.


We are going to be doing password management on the ASA so users can change their passwords when they expire. I'm not sure if that makes a difference on the permissions necessary.


Thanks,


-Steve

Jatin Katyal Fri, 09/25/2009 - 08:07
Cisco Employee

Hi Steve,


The admin user should have full read-only access to query/read the full directory/structure.


This is what you need to enable password change feature for VPN users on ASA.


LDAP configuration on ASA

--------------------------------------


aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD host server-port 636
 ldap-base-dn
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn
 ldap-login-password
 ldap-over-ssl enable
 server-type Microsoft


NOTE: This will only work with secure LDAP TCP 636



VPN configuration on ASA

------------------------------------------


tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LDAP-AD
 default-group-policy DfltGrpPolicy
 password-management password-expire-in-days


Settings on the LDAP server

--------------------------------------


We can create a new user account with the password setting "user must change password at next logon", or with a specific number of days, whichever way you allow users to change their password.


HTH


Regards,

JK
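As an added example (not from this post or from Cisco), a small Python audit that reads an ASA config in the shape shown above and reports any tunnel-group whose password-management relies on an aaa-server group that is not doing ldap-over-ssl on TCP 636, which is the caveat in JK's NOTE. The sample config, hostnames and DNs below are constructed placeholders.

```python
from typing import Dict, List, Tuple
# Constructed sample shaped like the post's example; hosts and DNs are hypothetical.
SAMPLE_CONFIG = """\
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host dc1.example.local
 server-port 636
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=local
 ldap-over-ssl enable
 server-type microsoft
aaa-server LDAP-PLAIN protocol ldap
aaa-server LDAP-PLAIN (inside) host dc2.example.local
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LDAP-AD
 password-management password-expire-in-days 3
tunnel-group LEGACY general-attributes
 authentication-server-group LDAP-PLAIN
 password-management
"""
def parse_asa(config: str) -> Tuple[Dict[str, dict], Dict[str, dict]]:
    """Collect aaa-server groups and tunnel-groups with the fields the audit needs."""
    servers, tunnels, current = {}, {}, {}
    for line in config.splitlines():
        parts = line.split()
        if not parts or parts[0] == "!":
            continue
        if not line.startswith(" "):  # a top-level line opens a new context
            current = {}  # children of blocks we do not track are ignored
            if parts[0] == "aaa-server":  # ASA defaults: TCP 389, LDAPS off
                current = servers.setdefault(parts[1], {"port": 389, "ssl": False})
            elif parts[0] == "tunnel-group":
                current = tunnels.setdefault(parts[1], {"auth_group": None, "pw_mgmt": False})
        elif parts[0] == "server-port":
            current["port"] = int(parts[1])
        elif parts[0] == "ldap-over-ssl":
            current["ssl"] = parts[1] == "enable"
        elif parts[0] == "authentication-server-group":  # skip optional "(iface)"
            current["auth_group"] = next(p for p in parts[1:] if not p.startswith("("))
        elif parts[0] == "password-management":
            current["pw_mgmt"] = True
    return servers, tunnels
def audit(config: str) -> List[str]:
    """Flag tunnel-groups whose password-management cannot work (no LDAPS on 636)."""
    servers, tunnels = parse_asa(config)
    findings = []
    for name, tg in tunnels.items():
        srv = servers.get(tg["auth_group"], {"ssl": False, "port": None})  # undefined group fails too
        if tg["pw_mgmt"] and not (srv["ssl"] and srv["port"] == 636):
            findings.append(f"{name}: password-management needs ldap-over-ssl on TCP 636, "
                            f"but {tg['auth_group']} has ssl={srv['ssl']} port={srv['port']}")
    return findings
```

Run it against a saved `show running-config` to list the tunnel-groups where password expiry handling would silently fail.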
