ACS 5.1 with LDAP

hany_ibrahim
Level 1

I want the configuration steps that integrate ACS with LDAP, and I want to match the attributes of a specific domain user (like "sAMAccount") and apply an access control policy to this specific LDAP username.


Federico Lovison
Cisco Employee

Hi Hany Ibrahim,

AD used as an LDAP ID store is not different from any other LDAP server.

There are just a few points to consider which are specific to the AD LDAP implementation:

- Server port: you can use the standard port TCP/389 or TCP/3268 that is the Global Catalog

- Subject Objectclass: Person

- Subject Name Attribute: samAccountName

- Group Objectclass: Group

- Group Map Attribute: this depends on the config for the "Subject Objects Contain Reference To Groups" vs. "Group Objects Contain Reference To Subjects":

* Subject Objects Contain Reference To Groups => Group Map Attribute: memberOf

* Group Objects Contain Reference To Subjects => Group Map Attribute: member

   In this case, make sure that the "Subjects In Groups Are Stored In Member Attribute As" setting => Distinguished Name

In general the LDAP config on ACS 5.1 is covered here:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1138165

If you then want to map additional attributes, you have to add them on the "Directory Attributes" page of the ACS for the LDAP instance:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1166571

These attributes can then be referenced from the Authorization policy by picking them from the dictionary that ACS defines for the specific LDAP instance.

For example, if you have an attribute "Country" on the LDAP instance that you called "MyLDAPServer", then you will have a dictionary called "MyLDAPServer", and you will be able to add the attribute in the form "MyLDAPServer:Country" to the condition list.

You can find more about managing policies at:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/access_policies.html

I hope this answers your questions even though it may be a bit generic.

Indeed, LDAP is a very flexible ID Store, but you do have to know what the LDAP structure looks like and what attributes you need to check for.

Then, if this is clear, the ACS configuration guide should be detailed enough to allow you to translate your requirements into the ACS config.

Thank you!

Regards,

Federico

--

If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
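As an added illustration (not code from the thread or from Cisco ACS), the following models the lookups that the AD-specific settings above translate into: the subject search implied by "Subject Objectclass: Person" / "Subject Name Attribute: sAMAccountName", group resolution in both the memberOf and the DN-valued member modes, and an authorization rule that combines a group with a "MyLDAPServer:Country"-style dictionary attribute. The directory slice is constructed in memory so it runs offline; the DNs, the "Country" attribute and the example rule are assumptions.

```python
# Added example, not from the thread: a constructed slice of an AD directory (DN -> attributes).
DIRECTORY = {
    "CN=Hany,OU=Users,DC=example,DC=com": {
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": ["hany"],
        "memberOf": ["CN=NetAdmins,OU=Groups,DC=example,DC=com"],
        "Country": ["EG"],
    },
    "CN=NetAdmins,OU=Groups,DC=example,DC=com": {
        "objectClass": ["top", "group"],
        "member": ["CN=Hany,OU=Users,DC=example,DC=com"],
    },
}

def escape_filter_value(value):
    """RFC 4515 escaping: a username must not be able to change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def subject_filter(username, subject_objectclass="Person", name_attr="sAMAccountName"):
    """Search filter implied by the Subject Objectclass / Subject Name Attribute settings."""
    return "(&(objectClass=%s)(%s=%s))" % (subject_objectclass, name_attr, escape_filter_value(username))

def group_filter(subject_dn, group_objectclass="Group", map_attr="member"):  # group -> DN-valued member
    return "(&(objectClass=%s)(%s=%s))" % (group_objectclass, map_attr, escape_filter_value(subject_dn))

def _has_class(attrs, objectclass):
    return objectclass.lower() in (c.lower() for c in attrs.get("objectClass", []))

def find_subject(username):
    """Resolve the user entry as AD does: objectClass and sAMAccountName match case-insensitively."""
    return next(((dn, a) for dn, a in DIRECTORY.items()
                 if _has_class(a, "Person")
                 and username.lower() in (v.lower() for v in a.get("sAMAccountName", []))), None)

def groups_for(dn, attrs, subject_refers_to_groups):
    """Group Map Attribute: memberOf on the user entry, or member (Distinguished Name) on each group."""
    if subject_refers_to_groups:
        return sorted(attrs.get("memberOf", []))
    return sorted(gdn for gdn, g in DIRECTORY.items()
                  if _has_class(g, "Group") and dn.lower() in (m.lower() for m in g.get("member", [])))

def authorize(username, required_group, condition, subject_refers_to_groups=True):
    """One authorization rule: required AD group AND a 'MyLDAPServer:Country' style attribute condition."""
    hit = find_subject(username)
    if hit is None:
        return False
    dn, attrs = hit
    groups = [g.lower() for g in groups_for(dn, attrs, subject_refers_to_groups)]
    dict_attr, expected = condition  # e.g. ("MyLDAPServer:Country", "EG"); prefix is the ACS dictionary name
    return required_group.lower() in groups and expected in attrs.get(dict_attr.partition(":")[2], [])
```

Both group modes return the same membership for this directory; the point is which attribute ACS must read, and that member values are compared as full DNs.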