ASA LDAP Authentication AD Permissions

sbader48220 · ‎09-25-2009

Does anyone know which specific permissions within Microsoft AD the username programmed into the ASA for LDAP authentication needs to have? The documentation just states that the username needs to be an administrator within active directory, but I don't want to make the account a member of the domain admins group if it is not necessary. I'd like to be as granular as possible.

We are going to be doing password management on the ASA so users can change their passwords when they expire. I'm not sure if that makes a difference on the permissions necessary.

Thanks,

-Steve

Jatin Katyal · ‎09-25-2009

Hi Steve,

The admin user should have full read-only access to query/read the full directory/structure.

This is what you need to enable password change feature for VPN users on ASA.

LDAP configuration on ASA

--------------------------------------

aaa-server LDAP-AD protocol ldap

aaa-server LDAP-AD host server-port 636

ldap-base-dn

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-dn

ldap-login-password

ldap-over-ssl enable

server-type Microsoft

NOTE: This will only work with secure LDAP TCP 636

VPN configuration on ASA

------------------------------------------

tunnel-group DefaultWEBVPNGroup type remote-access

tunnel-group DefaultWEBVPNGroup general-attributes

authentication-server-group LDAP-AD

default-group-policy DfltGrpPolicy

password-management password-expire-in-days

Settings on the LDAP server

--------------------------------------

We can create a new user account with password settings "user must change password at next logon" or specific number of days whenever you allow users to change their password.

HTH

Regards,

JK

~Jatin