Configuring LDAP authentication in multi-domain environment

abidgorsi
Level 1

Hi,

I am trying to authenticate Remote VPN users via LDAP and integrate this with "Dial-in" Permission attribute of user account. It works fine for a single domain with the following configuration.

aaa-server ldap-server (Inside) host 10.10.10.1
ldap-base-dn dc=Alpha, dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=-svc, ou=admin, dc=Alpha, dc=com
server-type microsoft

Now, this configuration requires only username/password and I can't mention the domain along with it. So if I wish to implement this in a multiple-domain scenario (alpha.com, beta.com, gemma.com etc.) it's not going to work.

Please let me know if you got an idea.

If some of you could fetch the list of values we can give to "ldap-naming-attribute", I guess there could be something in there.

Cheers,

3 Replies

Herbert Baerten
Cisco Employee

Hi,

this will only work if you have a Global Catalog Server (GCS) - in that case, the user can enter "username@domain" in the username field.

cfr. http://technet.microsoft.com/en-us/library/cc977998.aspx

One downside of this method is that a GCS does not allow password change operations through LDAP.

Alternatively you could create a tunnel-group per domain, each using a different LDAP server, and instruct the users to connect to the tunnel-group corresponding to their domain.

A variant of this is when the users have a digital certificate that includes information about the domain they're in, then you can use the certificate to automatically map them to the correct tunnel-group.

hth

Herbert

Hi Herbert,

Thanks for your reply,

Well, I am pointing to the Global Catalog Server but can't enter domain/username format.

It accepts credentials by default for the domain Alpha.com which we configure with the following statements.

ldap-base-dn dc=alpha, dc=com
ldap-scope subtree

Now if I remove the above statements then I can't even authenticate (with or without domain/name).

I also tried to authenticate using NTP protocol and authorize via LDAP by mentioning:

tunnel-group EXAMPLE_VPN general-attributes
authentication-server-group NTP-SERVER
authorization-server-group LDAP-SERVER

But this way, authorization phase never triggers and user gets connected even if he doesn't have "DIAL-IN" permission in active directory.

Abid

Hi Abid,

did you try logging on as "username@domain" as I mentioned, instead of "domain\username" ?

I'm not sure what you mean with NTP - usually this refers to Network Time Protocol (protocol used to synchronize clocks on networked devices) so not an authentication protocol.
In any case, if this NTP auth is working, then after successful authentication it should do the LDAP authorization - are you sure that it is not doing an LDAP lookup, or are you assuming that because the user can connect even without dial-in permission?

To restrict access to users with dial-in permission, you need to use either DAP or an LDAP attribute-map, see e.g.

hth

Herbert
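The two approaches Herbert describes (a Global Catalog with user@domain logins, or one tunnel-group per domain) and the LDAP attribute-map he points to for enforcing the dial-in permission, written out as an added ASA configuration example. This is not configuration from the thread or from Cisco: the server-group names, the 10.10.20.1 address, the second domain beta.com and the group-policy names are assumed placeholders, the Global Catalog base DN assumes alpha.com is the forest root, and msNPAllowDialin is the Active Directory attribute behind the account's Dial-in "Allow access" setting.

```cisco
! Added example, not from the thread. Addresses, server-group names and
! group-policy names are placeholders; adjust them to the real environment.

! --- Group policies the attribute map will select between ---
! NOACCESS allows zero simultaneous logins, so landing in it refuses the session.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
 vpn-simultaneous-logins 3

! --- Map the AD "Dial-in" flag onto a group policy ---
! msNPAllowDialin is TRUE for "Allow access", FALSE for "Deny access",
! and absent when the account is set to "Control access through NPS policy".
ldap attribute-map DIALIN-MAP
 map-name  msNPAllowDialin IETF-Radius-Class
 map-value msNPAllowDialin FALSE NOACCESS
 map-value msNPAllowDialin TRUE  ALLOWACCESS

! --- Option A: one Global Catalog, users log in as user@domain ---
! 3268 is the Global Catalog LDAP port; the base DN assumes alpha.com is the forest root.
aaa-server GC-LDAP protocol ldap
aaa-server GC-LDAP (Inside) host 10.10.10.1
 server-port 3268
 ldap-base-dn dc=alpha,dc=com
 ldap-scope subtree
 ldap-naming-attribute userPrincipalName
 ldap-login-dn cn=-svc,ou=admin,dc=alpha,dc=com
 ldap-login-password *****
 server-type microsoft
 ldap-attribute-map DIALIN-MAP

tunnel-group ANY_DOMAIN_VPN type remote-access
tunnel-group ANY_DOMAIN_VPN general-attributes
 authentication-server-group GC-LDAP
 default-group-policy NOACCESS

! --- Option B: one LDAP server group and one tunnel-group per domain ---
! Repeat this pair for every domain (alpha.com, beta.com, gemma.com ...).
aaa-server BETA-LDAP protocol ldap
aaa-server BETA-LDAP (Inside) host 10.10.20.1
 ldap-base-dn dc=beta,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=-svc,ou=admin,dc=beta,dc=com
 ldap-login-password *****
 server-type microsoft
 ldap-attribute-map DIALIN-MAP

tunnel-group BETA_VPN type remote-access
tunnel-group BETA_VPN general-attributes
 authentication-server-group BETA-LDAP
 default-group-policy NOACCESS
tunnel-group BETA_VPN webvpn-attributes
 group-alias BETA enable
```

Setting default-group-policy to NOACCESS makes the check fail closed: an account whose msNPAllowDialin is absent (NPS-controlled) or FALSE never reaches ALLOWACCESS, which is the behaviour Abid was missing when users without dial-in permission still connected. Two things to confirm before relying on option A: a Global Catalog only returns attributes in its partial attribute set, so verify that msNPAllowDialin is actually replicated to the GC in your forest (otherwise do authorization against a domain controller on 389), and run `test aaa-server authentication GC-LDAP` together with `debug ldap 255` to see which attributes the ASA receives and which group policy it applies.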