https://community.cisco.com/t5/network-security/ldap-attribute-map-not-selecting-the-correct-group-policy-lab/m-p/4098876#M1070837 <P>Thanks it worked I keep making these stupid mistakes !. Sorry for wasting your time</P> Sun, 07 Jun 2020 13:27:50 GMT Alfredcfc 2020-06-07T13:27:50Z https://community.cisco.com/t5/network-security/ldap-attribute-map-not-selecting-the-correct-group-policy-lab/m-p/4098806#M1070826 <P>Hello All,</P><P>&nbsp;</P><P>I was setting up ldap-attribute mapping for having multiple group policies within one tunnel-group. But when i test the connection it fails to select any group-policy and fails since no IP address is being assigned.</P><P>&nbsp;</P><P>The ldap-map is:</P><P>-----</P><P><STRONG>ciscoasa# sh run ldap attribute-map</STRONG><BR /><STRONG>ldap attribute-map LDAP-VPN</STRONG><BR /><STRONG>map-name memberOf Group-Policy</STRONG><BR /><STRONG>map-value memberOf CN=VPN-External,OU=VPN-Internal,DC=EVELAB,DC=COM ra-external</STRONG><BR /><STRONG>ciscoasa#</STRONG></P><P>------</P><P>&nbsp;</P><P>&nbsp;</P><P>When i took the debug output to check:"debug ldap 255"</P><P>------</P><P><STRONG>[13] memberOf: value = CN=vpn-external,OU=VPN-Internal,DC=evelab,DC=com</STRONG><BR /><STRONG>[13] mapped to Group-Policy: value = CN=vpn-external,OU=VPN-Internal,DC=evelab,DC=com</STRONG><BR /><STRONG>[13] mapped to LDAP-Class: value = CN=vpn-external,OU=VPN-Internal,DC=evelab,DC=com</STRONG></P><P><STRONG>------</STRONG></P><P>&nbsp;</P><P>The ldap map is also called in the correct ldap server</P><P>aaa-server 192.168.9.2 protocol ldap<BR />aaa-server 192.168.9.2 (outside0) host 192.168.9.2<BR />ldap-base-dn DC=EVELAB,DC=COM<BR />ldap-scope subtree<BR />ldap-naming-attribute sAMAccountName<BR />ldap-login-password *****<BR />ldap-login-dn CN=alfred sachin,OU=VPN-Internal,DC=EVELAB,DC=COM<BR />server-type microsoft<BR /><STRONG>ldap-attribute-map LDAP-VPN</STRONG></P><P>-------------</P><P>The correct group policy was not being assigned to the connection, the user-id which i used "alfred_dell" is under the correct group but the ldap mapping is not working,</P><P>&nbsp;</P><P>Kindly let me know if I am making any mistake in the configuration.</P><P>&nbsp;</P> Sun, 07 Jun 2020 08:14:04 GMT https://community.cisco.com/t5/network-security/ldap-attribute-map-not-selecting-the-correct-group-policy-lab/m-p/4098806#M1070826 Alfredcfc 2020-06-07T08:14:04Z https://community.cisco.com/t5/network-security/ldap-attribute-map-not-selecting-the-correct-group-policy-lab/m-p/4098812#M1070827 <P>Hi,</P> <P>Check the case of your Group, as attribute values are case sensitive. You've defined your group in the LDAP map as <STRONG>VPN-External</STRONG>, however the debug determines the group as <STRONG>vpn-external.</STRONG> Amend your LDAP map.</P> <P>&nbsp;</P> <P><STRONG>map-value memberOf CN=VPN-External,OU=VPN-Internal,DC=EVELAB,DC=COM ra-external</STRONG></P> <P>&nbsp;</P> <P><STRONG>[13] memberOf: value = CN=vpn-external,OU=VPN-Internal,DC=evelab,DC=com</STRONG></P> <P>&nbsp;</P> <P>HTH</P> Sun, 07 Jun 2020 09:09:27 GMT https://community.cisco.com/t5/network-security/ldap-attribute-map-not-selecting-the-correct-group-policy-lab/m-p/4098812#M1070827 Rob Ingram 2020-06-07T09:09:27Z https://community.cisco.com/t5/network-security/ldap-attribute-map-not-selecting-the-correct-group-policy-lab/m-p/4098876#M1070837 <P>Thanks it worked I keep making these stupid mistakes !. Sorry for wasting your time</P> Sun, 07 Jun 2020 13:27:50 GMT https://community.cisco.com/t5/network-security/ldap-attribute-map-not-selecting-the-correct-group-policy-lab/m-p/4098876#M1070837 Alfredcfc 2020-06-07T13:27:50Z