LDAP and ASA

Hi, I am trying to get the ASA to authenticate VPN users based on their AD accounts. I am using the following settings.

I have verified that it is getting to the LDAP server (DC). In Cisco ASDM, I see the following error:

I turned on debugging on the ASA itself and I see the following error.

[-2147483629] Simple authentication for ladp_search returned code (49) Invalid credentials
[-2147483629] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[-2147483629] Fiber exit Tx=223 bytes Rx=721 bytes, status=-2
[-2147483629] Session End

I then used the ldp.exe tool on the DC to test the ldap_search account I was using, and I was able to connect/bind and access all the OUs using the same account/password. It looks like the problem only happens if I try to connect using the ASA.

Not sure what I am doing wrong or if I am missing any setting... any help would be appreciated.

Thanks.

3 Replies

Jagdeep Gambhir
Level 10

Please try the username as ldap_search@home.local and see if that fixes the issue. Also make sure that the user is a member of the Account Operators or Domain Admins group in AD.

Regards,

~JG

Do rate helpful posts

Thank you Jagdeep. I got it to work yesterday. The problem was with the login DN. I was using the username instead of the display name.

As for being part of the Account Operators group, I think that is only required if you want to do password management over VPN. The ldap_search account I created is just a regular user account without any special rights.

Yes, that is correct.
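The fix in this thread was the login DN: the ASA performs a simple bind with the string you configure, so it must be the service account's full distinguished name (built from the CN, which is normally the display name, and the container path), not its sAMAccountName. The script below is an added example for this thread, not Cisco or community code. It builds and escapes that DN, flags a login value that is not DN-shaped, maps the result codes seen in the ASA debug (49, -1) to a next step, and can perform the same simple bind against the DC before the ASA configuration is committed. It assumes the third-party ldap3 package for the live bind; the DN helpers are pure Python. The domain name home.local comes from the thread; the host, account display name and OU are constructed values.

```python
"""Pre-flight check for the bind DN an ASA sends to Active Directory.

Added example for this thread; not Cisco or community code. The live
bind assumes the third-party ldap3 package; the DN helpers need nothing
beyond the standard library. Host, display name and OU are constructed.
"""
import re
from typing import Optional, Tuple

try:
    from ldap3 import Server, Connection            # assumed dependency
    from ldap3.core.exceptions import LDAPException
except ImportError:                                  # DN helpers still work
    Server = Connection = None
    LDAPException = Exception


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for a DN string (RFC 4514, section 2.4).

    Display names such as 'Smith, John' contain characters that would
    otherwise split the RDN; the ASA login DN must carry them escaped.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append('\\' + ch)
        elif i == 0 and ch in ' #':         # leading space or '#'
            out.append('\\' + ch)
        elif i == last and ch == ' ':       # trailing space
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def build_login_dn(display_name: str, ou_path: list, domain: str) -> str:
    """Assemble CN=<display name>,OU=...,DC=... (leaf OU first, as AD shows it)."""
    rdns = ['CN=' + escape_rdn_value(display_name)]
    rdns += ['OU=' + escape_rdn_value(ou) for ou in ou_path]
    rdns += ['DC=' + escape_rdn_value(label) for label in domain.split('.')]
    return ','.join(rdns)


_RDN = r'[A-Za-z][A-Za-z0-9-]*=(?:\\.|[^,\\])*'
_DN_RE = re.compile(rf'^{_RDN}(?:,{_RDN})*$')


def is_distinguished_name(login: str) -> bool:
    """True if the string is shaped like a DN. A bare sAMAccountName (the
    thread's failing value) is not; AD also accepts user@domain for a simple
    bind, but that is a UPN, not a DN, so it is reported False here too."""
    return bool(_DN_RE.match(login))


def classify_bind_result(code: int) -> str:
    """Turn the result code from the ASA debug line into a next step."""
    if code == 0:
        return 'bind ok'
    if code == 49:
        return ('invalidCredentials: the server rejected the login DN or the '
                'password; confirm the DN is the full distinguishedName of '
                'the account, not its sAMAccountName')
    if code == -1:
        return ('no usable LDAP session on the client side; the ASA prints '
                'this after the failed bind, so clear the 49 first, then '
                'check reachability, port and TLS')
    return f'LDAP result {code}: see RFC 4511 section 4.1.9'


def probe_bind(host: str, login_dn: str, password: str, use_ssl: bool = False,
               port: Optional[int] = None) -> Tuple[bool, int, str]:
    """Simple-bind with exactly the DN and password the ASA will use.

    Returns (bound, result_code, description). Requires ldap3 (assumed).
    """
    if Connection is None:
        raise RuntimeError('ldap3 is not installed')
    server = Server(host, port=port or (636 if use_ssl else 389), use_ssl=use_ssl)
    conn = Connection(server, user=login_dn, password=password)
    try:
        bound = conn.bind()
    except LDAPException as exc:          # socket/TLS failure, no LDAP result
        return False, -1, str(exc)
    result = conn.result or {}
    code = result.get('result', 0 if bound else -1)
    desc = result.get('description', '')
    try:
        conn.unbind()
    except LDAPException:
        pass
    return bound, code, desc


if __name__ == '__main__':
    # Constructed values: only the domain name comes from the thread.
    dn = build_login_dn('LDAP Search', ['Service Accounts'], 'home.local')
    print('login DN for the ASA aaa-server group:', dn)
    for candidate in ('ldap_search', 'ldap_search@home.local', dn):
        print(f'{candidate!r:60} DN-shaped: {is_distinguished_name(candidate)}')
    print(classify_bind_result(49))
    # Live check against a real DC (constructed host name):
    # print(probe_bind('dc1.home.local', dn, 'service-account-password'))
```

Run it once with the display name and OU of your own service account and paste the printed DN into the ASA's login DN field; if `probe_bind` returns `(False, 49, 'invalidCredentials')` from a workstation, the ASA will get the same answer, so the DN or password is wrong before any ASA setting is.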