I am planning to implement SSL VPN on ASA 8.2.1.
For example, I create the following 2 DAP records to assign different access rights.
Policy Name: Sales DAP
ldap.memberOf = Sales
Policy Name: Engineering DAP
ldap.memberOf = Engineering
The following group policies are already configured on ASA.
If userA, who is a member of the Sales OU in Active Directory, accesses the ASA, how does the ASA know that userA should be associated with GP_sales?
With DAP, a VPN remote access session can inherit multiple rule sets (entitlements, authorization/access attributes) based on the various DAPs that match.
Here's a simple example: if a Clientless SSL VPN session matches DAP 1 (bookmark_list1 and bookmark_list2) and DAP 2 (bookmark_list3), then the resulting entitlement for the session is the aggregation/merge of the 3 bookmark_lists on the user's portal (bookmark_list1 + bookmark_list2 + bookmark_list3).
The VPN session is still associated with only a single group policy, but the access attributes configured in DAP will override the ones in the group-policy. So in this example, if the session is associated with group-policyA, which only has a single bookmark_list4, bookmark_lists 1-3 will apply to the VPN session, and not bookmark_list4.
Since a VPN session can only be assigned/associated with a single Group-Policy, the concept of merging/aggregating group policies doesn't exist. Hence the need for the DAPs.
As you know, currently the DAP doesn't have the ability to set all attributes like the group-policy's Banner, Smart-tunnel-list, DNS, IP pool, etc.
That's why a remote access VPN session's resulting entitlement/authorization policy = (DAP access/authorization attributes + AAA attributes + group-policy attributes + DfltGrpPolicy attributes).
You have to configure an LDAP server on your ASA, and the LDAP attribute is mapped to a Cisco attribute (LDAP memberOf is mapped to GroupPolicy).
Then you have to configure the LDAP attribute mapping.
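As an added example that is not part of the thread above, this is the ASA 8.2 CLI that implements the answer: an LDAP attribute map turning the AD memberOf value into the Cisco Group-Policy attribute, attached to an AD server definition that the SSL VPN tunnel-group authenticates against. GP_sales is the group-policy named in the question; the server name, IP address, DNs, bind account, tunnel-group name and GP_engineering/GP_default are assumed.

```cisco
! Group policies the mapping will select (GP_sales is the name used in the
! question; GP_engineering and GP_default are assumed names)
group-policy GP_default internal
group-policy GP_default attributes
 vpn-tunnel-protocol webvpn
group-policy GP_sales internal
group-policy GP_sales attributes
 vpn-tunnel-protocol svc webvpn
group-policy GP_engineering internal
group-policy GP_engineering attributes
 vpn-tunnel-protocol svc webvpn
!
! LDAP attribute map: the AD memberOf value (a full group DN) is mapped to
! the Cisco Group-Policy attribute. The map-value string must match the
! group DN exactly as AD returns it; a user whose memberOf matches no
! map-value receives no Group-Policy from LDAP and lands in the
! tunnel-group's default-group-policy instead of GP_sales.
ldap attribute-map AD_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=Sales,OU=Groups,DC=example,DC=com" GP_sales
 map-value memberOf "CN=Engineering,OU=Groups,DC=example,DC=com" GP_engineering
!
! AD server definition (IP, base DN and bind account are assumed values)
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 10.0.0.5
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD_MAP
!
! SSL VPN connection profile authenticating against AD; the default
! group policy applies only when the attribute map returns nothing
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 authentication-server-group AD_LDAP
 default-group-policy GP_default
tunnel-group SSLVPN webvpn-attributes
 group-alias SSLVPN enable
```

Running `test aaa-server authentication AD_LDAP host 10.0.0.5 username userA password <pw>` with `debug ldap 255` enabled shows the memberOf values AD returned and the Group-Policy the map produced, which is the quickest way to confirm that userA is placed in GP_sales rather than GP_default.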