topic LDAP memberOf maps OK first login attempt, but not on later ones in Network Access Control

LDAP memberOf maps OK first login attempt, but not on later ones

desmith — Mon, 11 Mar 2019 02:36:18 GMT

Hello!

I'm seeing a very weird problem: I'm trying to use LDAP memberOf values to map users at login into different ASA groups, with different policies.

This mapping works on the first login, but not thereafter (until/unless a break of many hours occurs, and then it works on the first login *again*).

Excerpt from "debug ldap 255":

First attempt:

[11258] memberOf: value = CN=Split-tunnel,CN=Users,DC=ldproducts,DC=local

[11258] mapped to IETF-Radius-Class: value = Split-Tunnel-Group

[11258] uSNChanged: value = 6995298

Second, third, etc. attempts:

[11261] memberOf: value = CN=Split-tunnel,CN=Users,DC=ldproducts,DC=local

[11261] uSNChanged: value = 7127750

Hmmm...very odd.

Any suggestions would be greatly appreciated!

Deb

desmith — Thu, 27 Sep 2012 18:57:52 GMT

I neglected to mention that the configuration in question is on an ASA 5520 active/standby pair, running 8.2.1.

jim — Sun, 30 Sep 2012 09:00:43 GMT

I am certainly not Cisco expert, but from a LDAP perspective, I do not think the memberOf attribute will be reliable.

memberOf is an operationanal, (ie not user updatable), server side set recirpical value of the member Attribute from the group entry.

So when a user is added to a group which by adding the DN of the user to the Group's Member attribute, the USN of the Group changes.

However, the USN of the user does NOT change.

In addtion, no nested group entries would ever be represented within the memberOf attribute.

To accurateley determine which groups the user is a member of you should use a query for all groups similer to:

(member:1.2.840.113556.1.4.1941:=(CN=John Smith,DC=MyDomain,DC=NET))

-jim