LDAP memberOf maps OK first login attempt, but not on later ones

desmith · ‎09-27-2012

Hello!

I'm seeing a very weird problem: I'm trying to use LDAP memberOf values to map users at login into different ASA groups, with different policies.

This mapping works on the first login, but not thereafter (until/unless a break of many hours occurs, and then it works on the first login *again*).

Excerpt from "debug ldap 255":

First attempt:

[11258] memberOf: value = CN=Split-tunnel,CN=Users,DC=ldproducts,DC=local

[11258] mapped to IETF-Radius-Class: value = Split-Tunnel-Group

[11258] uSNChanged: value = 6995298

Second, third, etc. attempts:

[11261] memberOf: value = CN=Split-tunnel,CN=Users,DC=ldproducts,DC=local

[11261] uSNChanged: value = 7127750

Hmmm...very odd.

Any suggestions would be greatly appreciated!

Deb

desmith · ‎09-27-2012

I neglected to mention that the configuration in question is on an ASA 5520 active/standby pair, running 8.2.1.

jim · ‎09-30-2012

I am certainly not Cisco expert, but from a LDAP perspective, I do not think the memberOf attribute will be reliable.

memberOf is an operationanal, (ie not user updatable), server side set recirpical value of the member Attribute from the group entry.

So when a user is added to a group which by adding the DN of the user to the Group's Member attribute, the USN of the Group changes.

However, the USN of the user does NOT change.

In addtion, no nested group entries would ever be represented within the memberOf attribute.

To accurateley determine which groups the user is a member of you should use a query for all groups similer to:

(member:1.2.840.113556.1.4.1941:=(CN=John Smith,DC=MyDomain,DC=NET))

-jim