09-10-2008 09:01 AM - edited 03-10-2019 04:04 PM
I have configured client-to-gateway VPNs to authenticate with AD using Kerberos.
What I am trying to do is get LDAP authorization to only allow members of a certain OU to log in. Is this possible by setting the DN to look at one folder and only allow one level on the server configuration on the ASA?
09-10-2008 09:27 AM
Try something like this:

! AAA server group used for LDAP authorization (the DC host/IP goes after "host")
aaa-server LDAP-AUTHO protocol ldap
aaa-server LDAP-AUTHO (inside) host
 ldap-base-dn DC=TEST,DC=COM
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=admin,CN=Users,DC=TEST,DC=COM
 server-type microsoft
 ldap-attribute-map AD-map
!
! Map the AD memberOf attribute onto the Cisco Tunnel-Group-Lock attribute;
! the ASA-side value (the tunnel-group name) follows the AD group DN on the map-value line
ldap attribute-map AD-map
 map-name memberOf Tunnel-Group-Lock
 map-value memberOf CN=CiscoVPN,CN=Users,DC=TEST,DC=COM
!
! Attach the authorization server group to the tunnel group
! (tunnel-group <name> general-attributes)
tunnel-group
 authorization-server-group LDAP-AUTHO
Regards,
Prem
Please rate if it helps!
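To see how the attribute map above gates access, here is an added simulation of the map-name/map-value lookup and the Tunnel-Group-Lock check; it is not code from this thread or from Cisco. It assumes a tunnel-group name of RAVPN on the map-value line and two constructed AD users, and it does not model how the ASA treats memberOf values that have no map-value entry (the simulation simply ignores them and returns None when no lock results).

```python
import shlex

# Constructed sample: the thread's attribute map with an assumed tunnel-group name (RAVPN)
ATTRIBUTE_MAP = """
ldap attribute-map AD-map
  map-name memberOf Tunnel-Group-Lock
  map-value memberOf CN=CiscoVPN,CN=Users,DC=TEST,DC=COM RAVPN
"""

# Constructed sample users as the ASA would see them from an LDAP search on sAMAccountName
USERS = {
    "alice": {"memberOf": ["CN=CiscoVPN,CN=Users,DC=TEST,DC=COM",
                           "CN=Staff,OU=Corp,DC=TEST,DC=COM"]},
    "bob":   {"memberOf": ["CN=Staff,OU=Corp,DC=TEST,DC=COM"]},
}


def parse_attribute_map(text):
    """Parse map-name / map-value lines (shlex handles quoted DNs with spaces)."""
    names, values = {}, {}
    for line in text.splitlines():
        parts = shlex.split(line)
        if len(parts) == 3 and parts[0] == "map-name":
            names[parts[1]] = parts[2]                      # ldap attr -> cisco attr
        elif len(parts) == 4 and parts[0] == "map-value":
            values[(parts[1], parts[2])] = parts[3]         # (ldap attr, ldap value) -> cisco value
    return names, values


def apply_map(names, values, ldap_attrs):
    """Translate a user's LDAP attributes into Cisco attributes via the map."""
    cisco = {}
    for ldap_attr, ldap_values in ldap_attrs.items():
        cisco_attr = names.get(ldap_attr)
        if cisco_attr is None:
            continue
        for v in ldap_values:
            mapped = values.get((ldap_attr, v))
            if mapped is not None:                          # only explicitly mapped values count here
                cisco.setdefault(cisco_attr, []).append(mapped)
    return cisco


def tunnel_group_allowed(user, tunnel_group):
    """Tunnel-Group-Lock: if returned, the user may only use that tunnel group.
    Returns True/False when a lock exists, None when the map produced no lock at all."""
    names, values = parse_attribute_map(ATTRIBUTE_MAP)
    locks = apply_map(names, values, USERS[user]).get("Tunnel-Group-Lock")
    if not locks:
        return None
    return tunnel_group in locks
```

A None result is the case to watch for in a real deployment: a user outside the mapped group gets no lock from this map, so the restriction for such users has to come from somewhere else in the configuration.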
09-10-2008 09:34 AM
Thanks! The piece I am missing is the attribute map. I will try and let you know.