anyconnect needs ldap-login-dn administrative account to authenticate

jskrawczyk · ‎03-25-2010

Hi,

I'm testing out anyconnect on a spare 5505. SO far I think this is a great product and I did move to purchase the full license set for my test ASA5505 and prod 5520. Once issue I need to resolve that I am not comfortable with is how my ASA authenticates to my AD domain. I'm using my domain admin prviledged account rather than a typical user account in the configuration for variable ldap-login-dn. If I configure using the user account, I cannot login to the VPN session.

Anyone have any input on this?

Thank you

Jeff

Jennifer Halim · ‎03-25-2010

Yes, the LDAP binding to the ASA with the "ldap-login-dn" needs to be a user with administrative privileges.

jimsiff · ‎03-28-2010

I believe that is incorrect. The only thing the LDAP account needs is read access to the Base DN for user accounts (and all required levels below the Base DN) and the scope of the search (one or all levels below Base DN). The same requirements exist for the LDAP Group Search.

A good test is to try to open AD Users and Computers as a standard user, or browse the LDAP tree using one of many free LDAP browsers, bound as a standard user. If you can't read the Base DN for user or group lookup, authentication will fail.

Jennifer Halim · ‎03-28-2010

If you are using ldap attribute mapping, the admin privelege is required for ldap binding otherwise, it won't include the memberOf attribute that ldap attribute mapping uses to map it to a particular group-policy. Same if DAP is used to map ldap memberOf group into specific policy.

jimsiff · ‎03-28-2010

Interesting. That hasn't been my experience. I'm using a basic Domain User with bare minimum priviliges for LDAPS lookups. I have LDAP Attribute Maps mapping LDAP group membership to Cisco Group Policy, and DAPs checking LDAP memberOf AAA attributes. It all seems to work fine for me.

I'm not sure why Admin rights would ever be required unless you were trying to read an LDAP container that had restricted Read access to just an Admin group.

From http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a00808c3c45.shtml

Login DN—the DN with enough privileges in order to be able to search/lread/lookup users in the LDAP server

Jennifer Halim · ‎03-28-2010

It's correct if it's used purely for authentication.

According to the command reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/l1.html#wp1672472

"The Login DN field describes the authentication characteristics of the adaptive security appliance. These characteristics should correspond to those of a user with administrator privileges."

Here is another article that specify the use of admin for LDAP binding:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml

"The ASA binds to the LDAP server with the credentials configured on the ASA (Administrator in this case) and looks up the provided username."

jimsiff · ‎03-28-2010

Thanks for your time and references. It is interesting to see conflicting documentation and user experiences. In any case, I hope the OP gets LDAP working in a manner he's comfortable with. Cheers...