topic LDAP Authentification and group membership in Network Security

LDAP Authentification and group membership

Jean-Francois Gagnon — Tue, 12 Mar 2019 01:48:38 GMT

Hi!

I'm trying to make this work. My LDAP authentification works ok, but I want it to test if the user is a member of a specific group or not. Well, if I test with any user, it says Successful wheter the user is a member of the group or not. And I want it to failed if the user is not a member of the group. I am using ASDM and test in the AAA Server Groups with the Test button and authentification test

Thanks for your help!

ldap attribute-map CISCOMAP

map-name memberOf IETF-Radius-Service-Type

map-value memberOf CN=ITVPN,CN=users,OU=Domain,DC=local 6

aaa-server LDAP protocol ldap

aaa-server LDAP (Inside) host 10.1.1.1

ldap-base-dn OU=MyOU,dc=Domain,dc=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password Something

ldap-login-dn CN=UserAdmin,OU=Service,OU=MyOU,DC=Domain,DC=local

server-type microsoft

ldap-attribute-map CISCOMAP

LDAP Authentification and group membership

Favaloro. — Tue, 28 May 2013 19:04:44 GMT

Are we sure that when we run the tests, there's no paremeter that applies for the same users and puts them all in the same group?

Have you tried this with a real user trying to authenticate?

Do you get any useful logs from the server?

LDAP Authentification and group membership

pf — Tue, 26 Nov 2013 23:44:12 GMT

What thype of ldap server are you using? Microsoft Windows 2012 or 2008. I got a problem with 2012 not give the groups back with some users.

Same problem as

https://supportforums.cisco.com/message/3866327#3866327

debug ldap 255

shows correct value with one user that is workin:

[196] Authentication successful for Administrator to 192.168.20.80

[196] Retrieved User Attributes:

[196] objectClass: value = top

[196] objectClass: value = person

[196] objectClass: value = organizationalPerson

[196] objectClass: value = user

[196] cn: value = Administrator

[196] description: value = Vordefiniertes Konto f..r die Verwaltung des Computers bzw. der Dom..ne

[196] distinguishedName: value = CN=Administrator,CN=Users,DC=xxxx,DC=local

[196] instanceType: value = 4

[196] whenCreated: value = 20081201134058.0Z

[196] whenChanged: value = 20131126141559.0Z

[196] displayName: value = Administrator

[196] uSNCreated: value = 12298

[196] memberOf: value = CN=G_SSLVPN,OU=Service,OU=Groups,OU=XXXXX,DC=XXXX,DC=local

[196] mapped to Group-Policy: value = ssl_admin

[196] mapped to LDAP-Class: value = ssl_admin

One user that is not working:

no entries with memberOf in debug

[190] Authentication successful for sdag to 192.168.20.80

[190] Retrieved User Attributes:

[190] objectClass: value = top

[190] objectClass: value = person

[190] objectClass: value = organizationalPerson

[190] objectClass: value = user

[190] cn: value = sdag

[190] distinguishedName: value = CN=sdag,OU=Lieferanten,OU=Users,OU=xxxx,DC=xxxxxx,DC=local

[190] displayName: value = sdag

[190] homeMTA: value = CN=Microsoft MTA,CN=SRVSBS01,CN=Servers,CN=erste administrative gruppe,CN=Admini

[190] proxyAddresses: value = smtp:sdag@xxxx

[190] proxyAddresses: value = SMTP:sdag@xxxxx