ACS 5.1 with LDAP

Unanswered Question
Nov 21st, 2010
User Badges:

i want the configuration steps that integrate ACS with LDAP , and i want to match the attributes of specific domain user "like sAMAccount" , and apply access control policy on this specific LDAP username .

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (1 ratings)
Loading.
Federico Lovison Thu, 11/25/2010 - 07:51
User Badges:
  • Cisco Employee,

Hi Hany Ibrahim,


AD used as an LDAP ID store is not different than any other LDAP servers.


There are just few points to consider which are  specific to the AD LDAP impementation:

- Server port: you can use the standard port TCP/389 or TCP/3268 that is the Global Catalog

- Subject Objectclass: Person

- Subject Name Attribute: samAccountName

- Group Objectclass: Group

- Group Map Attribute: this depends on the config for the "Subject Objects Contain Reference To Groups" vs. "Group Objects Contain Reference To Subjects":

* Subject Objects Contain Reference To Groups => Group Map Attribute: memberOf

* Group Objects Contain Reference To Subjects => Group Map Attribute: member

   In this case, make sure that the "                    Subjects In Groups Are Stored In Member Attribute As" => Distinguished Name


In general the LDAP config on ACS 5.1 is covered here:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1138165


If you then want to map additional attributes, you have to add them on the "Directory Attributes" page of the ACS for the LDAP instance:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1166571


These attributes can be retrieved from the Authorization policy picking those attributes from the dictionary that is defined by ACS for the specific LDAP instance.

For example, if you have an attribute "Country" on the LDAP instance that you called "MyLDAPServer", then you will have a dictionary called "MyLDAPServer", and you will be able to add the attribute in the form "MyLDAPServer:Country" to the condition list.


You can find more about managing policies at:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/access_policies.html



I hope this answers your questions even though it may be a bit generic.

Indeed, LDAP is a very flexible ID Store, but you do have to know what the LDAP structure looks like and what attributes you need to check for.

Then, if this is clear, the ACS configuration guide should be detailed enough to allow you to translate your requirements into the ACS config.


Thank you!


Regards,

Federico


--

If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

Actions

This Discussion