
Another LDAP Authentication Failure

I am attempting to set up LDAP authentication for my ASA, along with the AD Agent. Currently my authentication is failing with the following output from debug...

[-2147483610] Session Start
[-2147483610] New request Session, context 0xcc854d8c, reqType = Authentication
[-2147483610] Fiber started
[-2147483610] Creating LDAP context with uri=ldap://10.11.1.15:389
[-2147483610] Connect to LDAP server: ldap://10.11.1.15:389, status = Successful
[-2147483610] supportedLDAPVersion: value = 3
[-2147483610] supportedLDAPVersion: value = 2
[-2147483610] Binding as Sargent\
[-2147483610] Performing Simple authentication for Sargent\ to 10.11.1.15
[-2147483610] LDAP Search:
        Base DN = [DC=city,DC=charlottesville,DC=org]
        Filter  = [sAMAccount=sargentm]
        Scope   = [SUBTREE]
[-2147483610] Search result parsing returned failure status
[-2147483610] Fiber exit Tx=308 bytes Rx=677 bytes, status=-1
[-2147483610] Session End

ERROR: Authentication Rejected: Unspecified

I can, however, perform successful queries to AD etc. using the following commands.

show user-identity ad-users city.charlottesville.org filter sargentm

Ideas?


Could you please attach the output of show run aaa-server?

Also, it would be worth looking at the server's event viewer logs for the reject reason.

Jatin Katyal


- Do rate helpful posts -

~Jatin

aaa-server CityDC protocol ldap
aaa-server CityDC (outside) host citydc01.city.charlottesville.org
 server-port 389
 ldap-base-dn DC=charlottesville,DC=org
 ldap-group-base-dn DC=city,DC=charlottesville,DC=org
 ldap-scope subtree
 ldap-naming-attribute sAMAccount
 ldap-login-password *****
 ldap-login-dn CN=Administrator,CN=Users,DC=city,DC=charlottesville,DC=org
 server-type microsoft
aaa-server CityDC (outside) host citydc1.city.charlottesville.org
 server-port 389
 ldap-base-dn DC=charlottesville,DC=org
 ldap-group-base-dn DC=city,DC=charlottesville,DC=org
 ldap-scope subtree
 ldap-naming-attribute sAMAccount
 ldap-login-password *****
 ldap-login-dn CN=Administrator,CN=Users,DC=city,DC=charlottesville,DC=org
 server-type microsoft
aaa-server CityAgent protocol radius
 ad-agent-mode
aaa-server CityAgent (outside) host 10.11.1.203
 key *****


Replace the below listed command inside the server parameters:

ldap-naming-attribute sAMAccount

With

ldap-naming-attribute sAMAccountName

Note: the sAMAccountName is incorrectly configured.

Jatin Katyal

- Do rate helpful posts -

~Jatin

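The debug output above already contains the clue: the ASA built its search filter from the configured naming attribute, so the filter became [sAMAccount=sargentm], an attribute that does not exist in an AD schema, the search matched nothing, and the ASA reported "Search result parsing returned failure status". The following is an added diagnostic written for this page (not Cisco's code and not the poster's): it pulls the filter attribute out of a debug ldap capture and the ldap-naming-attribute out of a show run aaa-server block, checks both against attribute names AD actually exposes, and suggests the closest known name. The sample texts are reconstructed from the thread; the list of known naming attributes and the ldap-over-ssl check are this example's own assumptions about what a reviewer would want flagged.

```python
"""Diagnose an ASA LDAP naming-attribute misconfiguration from debug and config text.

Example code written for this page, not Cisco's. Sample inputs below are
reconstructed from the forum thread.
"""
import difflib
import re

# Attribute names commonly configured as ldap-naming-attribute against Microsoft AD
# (assumption for this example; extend for your own schema).
KNOWN_AD_NAMING_ATTRIBUTES = ("sAMAccountName", "userPrincipalName", "cn", "uid", "mail")

# Constructed from the 'debug ldap' output posted in the question.
DEBUG_OUTPUT = """\
[-2147483610] LDAP Search:
        Base DN = [DC=city,DC=charlottesville,DC=org]
        Filter  = [sAMAccount=sargentm]
        Scope   = [SUBTREE]
[-2147483610] Search result parsing returned failure status
ERROR: Authentication Rejected: Unspecified
"""

# Constructed from the aaa-server block posted in the thread (one host shown).
CONFIG = """\
aaa-server CityDC protocol ldap
aaa-server CityDC (outside) host citydc01.city.charlottesville.org
 server-port 389
 ldap-base-dn DC=charlottesville,DC=org
 ldap-scope subtree
 ldap-naming-attribute sAMAccount
 ldap-login-dn CN=Administrator,CN=Users,DC=city,DC=charlottesville,DC=org
 server-type microsoft
"""


def extract_filter_attribute(debug_text):
    """Return the attribute on the left-hand side of the 'Filter = [attr=value]' line."""
    m = re.search(r"Filter\s*=\s*\[([^=\]]+)=", debug_text)
    return m.group(1).strip() if m else None


def parse_aaa_hosts(config_text):
    """Map each 'aaa-server NAME (iface) host X' entry to its indented host-mode settings."""
    hosts, current = {}, None
    for line in config_text.splitlines():
        m = re.match(r"aaa-server\s+\S+\s+\(\S+\)\s+host\s+(\S+)", line)
        if m:
            current = m.group(1)
            hosts[current] = {}
        elif current and line.startswith(" "):
            parts = line.split(None, 1)
            hosts[current][parts[0]] = parts[1] if len(parts) > 1 else ""
    return hosts


def check_naming_attribute(attr):
    """Return (ok, suggestion): ok if attr is a known AD naming attribute, else the closest match."""
    if attr in KNOWN_AD_NAMING_ATTRIBUTES:
        return True, None
    close = difflib.get_close_matches(attr, KNOWN_AD_NAMING_ATTRIBUTES, n=1)
    return False, (close[0] if close else None)


def diagnose(debug_text, config_text):
    """Collect human-readable findings from the debug capture and the aaa-server config."""
    findings = []
    attr = extract_filter_attribute(debug_text)
    if attr:
        ok, suggestion = check_naming_attribute(attr)
        if not ok:
            findings.append(f"search filter uses '{attr}', which is not an AD attribute; "
                            f"closest known name: '{suggestion}'")
    for host, settings in parse_aaa_hosts(config_text).items():
        cfg_attr = settings.get("ldap-naming-attribute")
        if cfg_attr and not check_naming_attribute(cfg_attr)[0]:
            findings.append(f"{host}: ldap-naming-attribute {cfg_attr} is not an AD attribute")
        # Simple bind on plain 389 sends the login-dn password in cleartext (example check).
        if settings.get("server-port") == "389" and "ldap-over-ssl" not in settings:
            findings.append(f"{host}: simple bind over plain port 389; "
                            "consider 'ldap-over-ssl enable' with a matching server port")
    return findings


if __name__ == "__main__":
    for finding in diagnose(DEBUG_OUTPUT, CONFIG):
        print(finding)
```

Run against the thread's own text it reports the sAMAccount typo from both the debug capture and the config, plus the cleartext-bind note; with sAMAccountName substituted in both inputs, only the cleartext-bind note remains.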


Thanks...I figured it was something simple I was overlooking. That was the problem.


It's LDAP, so it's expected.

Jatin Katyal


- Do rate helpful posts -

~Jatin