topic Configuring LDAP authentication in multi-domain environment in Network Access Control

Configuring LDAP authentication in multi-domain environment

abidgorsi — Mon, 11 Mar 2019 01:03:20 GMT

Hi,

I am trying to authenticate Remote VPN users via LDAP and integrate this with "Dial-in" Permission attribute of user account. It works fine for a single domain with the following conifguration.

aaa-server ldap-server (Inside) host 10.10.10.1

ldap-base-dn dc=Alpha, dc=com

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn cn=-svc, ou=admin, dc=Alpha, dc=com

server-type microsoft

Now, this configuration requires only username/password and I can't mention domain along with. So if I wish to implement this in a multiple-domain scenario ( alpha.com, beta.com and gemma.com etc) It's not gonna work.

Please let me know if you got an idea.

If some of you could fetch the list of values we can give to "ldap-naming-attribute", I guess there could be something in there.

Cheers,

Re: Configuring LDAP authentication in multi-domain environment

Herbert Baerten — Fri, 13 May 2011 05:59:06 GMT

Hi,

this will only work if you have a Global Catalog Server (GCS) - in that case, the user can enter "username@domain" in the username field.

cfr. http://technet.microsoft.com/en-us/library/cc977998.aspx

One downside of this method is that a GCS does not allow password change operations through LDAP.

Alternatively you could create a tunnel-group per domain, each using a different LDAP server, and instruct the users to connect to the tunnel-group corresponding to their domain.

A variant of this is when the users have a digital certificate that includes information about the domain they're in, then you can use the certificate to automatically map them to the correct tunnel-group.

hth

Herbert

Re: Configuring LDAP authentication in multi-domain environment

abidgorsi — Mon, 16 May 2011 12:42:11 GMT

Hi Herbert,

Thanks for your reply,

Well, I am pointing to Global Catalogur Server but can't enter domain/username format.

It accepts credentials by default for the doamin Alpha.com which we configure with following statements.

ldap-base-dn dc=alpha, dc=com

ldap-scope subtree

Now if I remove above statements then I can't even authenticate ( with or without domain/ name).

I also tried to authenticate using NTP protocol and auhorize via LDAP by mentioning:

tunnel-group EXAMPLE_VPN general-attributes

authentication-server-group NTP-SERVER

authorization-server-group LDAP-SERVER

But this way, authorization phase never triggers and user gets connected even if he doesn't have "DIAL-IN" permission in active directory.

Abid

Re: Configuring LDAP authentication in multi-domain environment

Herbert Baerten — Tue, 17 May 2011 10:34:40 GMT

Hi Abid,

did you try logging on as "username@domain" as I mentioned, instead of "domain\username" ?

I'm not sure what you mean with NTP - usually this refers to Network Time Protocol (protocol used to synchronize clocks on networked devices) so not an authentication protocol.

In any case, if this NTP auth is working, then after successful authentication it should do the LDAP authorization - are you sure that it is not doing an LDAP lookup, or are you assuming that because the user can connect even without dial-in permission?

To restrict access to users with dial-in permission, you need to use either DAP or an LDAP attribute-map, see e.g.

hth

Herbert