ACS 5.1 with LDAP

hany_ibrahim — Mon, 11 Mar 2019 00:35:56 GMT

i want the configuration steps that integrate ACS with LDAP , and i want to match the attributes of specific domain user "like sAMAccount" , and apply access control policy on this specific LDAP username .

Re: ACS 5.1 with LDAP

Federico Lovison — Thu, 25 Nov 2010 15:51:47 GMT

Hi Hany Ibrahim,

AD used as an LDAP ID store is not different than any other LDAP servers.

There are just few points to consider which are specific to the AD LDAP impementation:

- Server port: you can use the standard port TCP/389 or TCP/3268 that is the Global Catalog

- Subject Objectclass: Person

- Subject Name Attribute: samAccountName

- Group Objectclass: Group

- Group Map Attribute: this depends on the config for the "Subject Objects Contain Reference To Groups" vs. "Group Objects Contain Reference To Subjects":

* Subject Objects Contain Reference To Groups => Group Map Attribute: memberOf

* Group Objects Contain Reference To Subjects => Group Map Attribute: member

In this case, make sure that the " Subjects In Groups Are Stored In Member Attribute As" => Distinguished Name

In general the LDAP config on ACS 5.1 is covered here:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1138165

If you then want to map additional attributes, you have to add them on the "Directory Attributes" page of the ACS for the LDAP instance:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1166571

These attributes can be retrieved from the Authorization policy picking those attributes from the dictionary that is defined by ACS for the specific LDAP instance.

For example, if you have an attribute "Country" on the LDAP instance that you called "MyLDAPServer", then you will have a dictionary called "MyLDAPServer", and you will be able to add the attribute in the form "MyLDAPServer:Country" to the condition list.

You can find more about managing policies at:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/access_policies.html

I hope this answers your questions even though it may be a bit generic.

Indeed, LDAP is a very flexible ID Store, but you do have to know what the LDAP structure looks like and what attributes you need to check for.

Then, if this is clear, the ACS configuration guide should be detailed enough to allow you to translate your requirements into the ACS config.

Thank you!

Regards,

Federico

If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

topic Re: ACS 5.1 with LDAP in Network Access Control

ACS 5.1 with LDAP

Re: ACS 5.1 with LDAP