Cisco Support Community
New Member

ASA 8.0.4 and LDAP authentication and groups.

I got plain old LDAP authentication to work with my ASA (using OpenLDAP) but now I'm trying to get ldap groups working... Here is the scoop:

All my users are in ou=People,dc=acme,dc=com.

I only want users (from the People tree) who are a member of cn=vpnusers,ou=groups,dc=acme,dc=com to be able to log in. So that would be a subset of the users in the 'People' tree.

Is this possible?

14 REPLIES
New Member

Re: ASA 8.0.4 and LDAP authentication and groups.

You'll need to use LDAP Attribute Mapping, which you're probably aware of, but it has to be exact. This will help:

asa# debug ldap 255

asa# test aaa authorization LDAPGROUP host openldap.acme.com username johnchambers

asa# un all

Scroll up and find your group, cn=vpnusers,ou=groups,dc=acme,dc=com.

You'll need to copy the mapped value exactly (i.e. mapped to IETF-Radius-Class: value = ). Paste that in your attribute-map.

asa# show run ldap attribute-map group-mapping

ldap attribute-map group-mapping

map-name memberOf IETF-Radius-Class

map-value memberOf "" grouppolicy

If you don't want users to be able to log in, set your default group policy in the profile to a group policy that doesn't have a tunnel protocol, etc. (something that won't work). If they match the memberOf group mapping they'll get thrown into a working group policy.

Maybe that makes sense. Let me know.

-D
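As an added example (not part of draper7's post, and not a Cisco document), here is what the complete ASA 8.0.x configuration for that pattern looks like with the original poster's group DN filled in. The server-group, group-policy and tunnel-group names, the bind DN, the password placeholder and the host are assumptions. The DN in map-value must be pasted exactly as `debug ldap 255` prints it, and matching on memberOf presumes the OpenLDAP server actually returns that attribute, which stock OpenLDAP does not do without the memberOf overlay.

```text
! Added example, not from the thread. Assumed names: LDAPGROUP, VPN-ACCESS,
! NOACCESS, RA-VPN, the bind DN and <bind-password>. Lines starting with "!"
! are ignored when pasted into configuration mode.

! Map the LDAP memberOf attribute onto the Cisco class attribute (the 8.0
! name for the group-policy attribute), then translate the one group DN
! that matters into a group-policy name. The DN must match what the
! server returns byte for byte.
ldap attribute-map group-mapping
 map-name  memberOf IETF-Radius-Class
 map-value memberOf "cn=vpnusers,ou=groups,dc=acme,dc=com" VPN-ACCESS

aaa-server LDAPGROUP protocol ldap
aaa-server LDAPGROUP (inside) host openldap.acme.com
 ! LDAP over TLS so the bind credentials and user passwords are not sent
 ! in the clear on 389 (assumes the server listens on 636 with a cert
 ! the ASA trusts).
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn ou=People,dc=acme,dc=com
 ldap-scope subtree
 ldap-naming-attribute uid
 ! Read-only service account used only to locate the user entry.
 ldap-login-dn cn=asa-bind,ou=Service,dc=acme,dc=com
 ldap-login-password <bind-password>
 server-type openldap
 ldap-attribute-map group-mapping

! Default policy that cannot actually be used: zero simultaneous logins.
! Anyone whose entry does not carry a matching memberOf lands here.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! Working policy reachable only through the attribute map.
group-policy VPN-ACCESS internal
group-policy VPN-ACCESS attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol IPSec svc webvpn

tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group LDAPGROUP
 default-group-policy NOACCESS
```

To check the mapping without a VPN client, run `debug ldap 255` and then `test aaa-server authentication LDAPGROUP host openldap.acme.com username johnchambers password <pw>`; the debug output shows every attribute the server returned for the entry and the class value the map produced. If the returned attributes contain no memberOf at all, the map can never match and every user falls into NOACCESS, which is the failure mode this thread runs into.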

New Member

Re: ASA 8.0.4 and LDAP authentication and groups.

Hi draper7,

I've tried your debugging tips on my openLDAP server, but unfortunately the group (in my case, cn=vpn,ou=Groups,dc=essence) doesn't exist.

I've tried adding the memberOf via LDIF using the following:

dn: cn=vpn,ou=Groups,dc=essence

objectclass: groupOfNames

cn: vpn

member: userid=chris.alavoine,ou=Users,dc=essence

This seems to add the correct group into LDAP. I'm using phpLDAPadmin to look at my database and the vpn group appears with chris.alavoine as a group member.
Am I missing something?
Any help much appreciated.
Chris.
New Member

Re: ASA 8.0.4 and LDAP authentication and groups.

Can you copy and paste the output of:

asa# debug ldap 255

asa# test aaa authorization LDAPGROUP host openldap.acme.com username johnchambers

asa# un all

Thanks,

-Dusty

New Member

Re: ASA 8.0.4 and LDAP authentication and groups.

Hi Dusty,

 

Thanks for replying so swiftly

New Member

Re: ASA 8.0.4 and LDAP authentication and groups.

Hrmmm, not what I was hoping for...  Can you copy/paste the output from:

show run aaa-server ess-ldap-group

You might want to edit the prior post and remove some stuff.

-Dusty

New Member

Re: ASA 8.0.4 and LDAP authentication and groups.

Hiya,

 

Chris.

New Member

Re: ASA 8.0.4 and LDAP authentication and groups.

Double check your basedn in your openldap config... maybe?

aaa-server ess-ldap-group (inside) host 192.168.x.x
ldap-base-dn dc=essence, dc=com

-=Dusty

New Member

Re: ASA 8.0.4 and LDAP authentication and groups.

Yep, tried all that unfortunately.

I think the problem lies with my openLDAP database and the way it's been set up. I inherited this so wasn't able to put the group settings in from the start.

The fact that no group settings are found when doing a debug ldap 255 is where it's going wrong I think.

c:)

Cisco Employee

Re: ASA 8.0.4 and LDAP authentication and groups.

Hi Chris,

Based on your LDAP debug, the LDAP server does not return/pass the "memberOf" attribute, and you have configured "memberOf" to match it, hence the LDAP attribute mapping is not mapping it correctly to the group-policy.

On your OpenLDAP, you can configure the memberOf overlay so the memberOf attribute is passed to the ASA for attribute mapping.

Alternatively, you can match on another LDAP attribute that is unique and configure the corresponding "map-value" on the ASA.

Hope that helps.
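As an added example (not part of the reply above), this is the OpenLDAP 2.4 cn=config change that enables the memberOf overlay for a groupOfNames/member layout like the one Chris posted, so that each user entry gains a memberOf value the ASA can map. The module entry (cn=module{0}) and the database index (olcDatabase={1}hdb) are assumptions; list yours with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config dn` before applying.

```text
# Added example, not from the thread. Assumes OpenLDAP 2.4 with the
# dynamic configuration backend (cn=config), a cn=module{0} entry that
# already exists, and the user database at olcDatabase={1}hdb.
#
# Apply with:  ldapmodify -Y EXTERNAL -H ldapi:/// -f memberof.ldif

# 1. Load the overlay module (omit this entry if slapd was built with the
#    memberof overlay compiled in statically).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof

# 2. Attach the overlay to the database that holds the users and groups.
#    GroupOC/MemberAD match the LDIF earlier in the thread
#    (objectclass groupOfNames, attribute member); MemberOfAD is the
#    attribute the ASA attribute-map will see.
dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
```

Three checks before blaming the ASA again. First, the overlay only maintains memberOf for membership changes made after it is enabled, so groups that already existed have to be rewritten (remove and re-add their member values, or reload the directory from LDIF). Second, it populates memberOf on the entry whose DN equals the member value exactly, so `member: userid=chris.alavoine,ou=Users,dc=essence` only works if that is the user's real DN (a user stored as `uid=...` gets nothing). Third, memberOf as defined by this overlay is an operational attribute, so `ldapsearch -x -b ou=Users,dc=essence "(uid=chris.alavoine)"` will not show it unless you ask for it explicitly (`... memberOf` or `+`); confirm in `debug ldap 255` that the ASA's search actually receives it. On a slapd.conf deployment the equivalent is `moduleload memberof.la` at the top and `overlay memberof` inside the database section, with the same `memberof-group-oc`, `memberof-member-ad` and `memberof-memberof-ad` settings.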

New Member

Re: ASA 8.0.4 and LDAP authentication and groups.

test

Cisco Employee

Re: ASA 8.0.4 and LDAP authentication and groups.

I've looked through the debug output, and it seems that the LDAP server does not provide much information (relevant attributes), in particular which group the user belongs to, that could be used for LDAP attribute mapping on the ASA.

Is there any way to configure the LDAP server to send more attributes (something similar to a memberOf value)? It doesn't have to be the attribute "memberOf"; as long as it can send an attribute similar to memberOf, we can use that attribute to map it.

New Member

Re: ASA 8.0.4 and LDAP authentication and groups.

test

New Member

Re: ASA 8.0.4 and LDAP authentication and groups.

I spoke too soon.

The usernames are being authorized ok, but the passwords are not. Doh!

Still need to make some adjustments to openLDAP I think. I wish I knew where to start.

c:)

New Member

Re: ASA 8.0.4 and LDAP authentication and groups.

Ok, it's definitely working now.

I ended up mapping the gecos attribute to IETF-Radius-Class.

On user creation I enter either "vpn" or "novpn" into the gecos (comment) attribute.

I then have an attribute map on the ASA which assigns "vpn" to an open VPN Group Policy and "novpn" to a closed VPN Group Policy.

Phew! Only took me about 6 weeks to get this working.

Thanks for all your help, guys.

Regards,

Chris.
