09-27-2012 11:37 AM - edited 03-10-2019 07:36 PM
Hello!
I'm seeing a very weird problem: I'm trying to use LDAP memberOf values to map users at login into different ASA groups, with different policies.
This mapping works on the first login, but not thereafter (until/unless a break of many hours occurs, and then it works on the first login *again*).
Excerpt from "debug ldap 255":
First attempt:
[11258] memberOf: value = CN=Split-tunnel,CN=Users,DC=ldproducts,DC=local
[11258] mapped to IETF-Radius-Class: value = Split-Tunnel-Group
[11258] uSNChanged: value = 6995298
Second, third, etc. attempts:
[11261] memberOf: value = CN=Split-tunnel,CN=Users,DC=ldproducts,DC=local
[11261] uSNChanged: value = 7127750
Hmmm...very odd.
Any suggestions would be greatly appreciated!
Deb
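An added check that is not part of the original post: a small parser for the `debug ldap 255` output quoted above that groups attribute lines by ASA session id and flags sessions in which a memberOf value that should have produced an IETF-Radius-Class mapping did not. The sample lines are constructed to mirror the two excerpts in the post, and the expected attribute map is an assumption modelled on what the post implies.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the two "debug ldap 255" excerpts above
# (not a real capture).
SAMPLE_DEBUG = """\
[11258] memberOf: value = CN=Split-tunnel,CN=Users,DC=ldproducts,DC=local
[11258] mapped to IETF-Radius-Class: value = Split-Tunnel-Group
[11258] uSNChanged: value = 6995298
[11261] memberOf: value = CN=Split-tunnel,CN=Users,DC=ldproducts,DC=local
[11261] uSNChanged: value = 7127750
"""

# Assumed ldap attribute-map: group DN -> expected IETF-Radius-Class value.
# DNs are compared case-insensitively, as AD treats them.
EXPECTED_MAP = {
    "cn=split-tunnel,cn=users,dc=ldproducts,dc=local": "Split-Tunnel-Group",
}

# "[<session id>] <attribute>: value = <value>"
LINE_RE = re.compile(r"^\[(\d+)\]\s+(.+?): value = (.*)$")


def parse_debug(text):
    """Return {session_id: {attribute: [values]}} for every matching line."""
    sessions = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not attribute/value dumps
        sid, attr, value = m.groups()
        sessions[int(sid)][attr].append(value)
    return sessions


def find_unmapped_sessions(text, expected_map=EXPECTED_MAP):
    """Return {session_id: [group DNs whose expected class never appeared]}.

    A session is reported when a memberOf value is in the expected map but
    no "mapped to IETF-Radius-Class" line carries the value the map promises.
    """
    problems = {}
    for sid, attrs in parse_debug(text).items():
        classes = set(attrs.get("mapped to IETF-Radius-Class", []))
        missing = [
            dn for dn in attrs.get("memberOf", [])
            if dn.lower() in expected_map
            and expected_map[dn.lower()] not in classes
        ]
        if missing:
            problems[sid] = missing
    return dict(sorted(problems.items()))


if __name__ == "__main__":
    for sid, dns in find_unmapped_sessions(SAMPLE_DEBUG).items():
        print(f"session {sid}: memberOf matched but no class mapped for {dns}")
```

Run against a longer debug capture, the output lists exactly the logins that hit the behaviour described in the post, so the timing pattern (first login works, later ones do not) can be confirmed from the log rather than by hand.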
09-27-2012 11:57 AM
I neglected to mention that the configuration in question is on an ASA 5520 active/standby pair, running 8.2.1.
09-30-2012 02:00 AM
I am certainly not a Cisco expert, but from an LDAP perspective, I do not think the memberOf attribute will be reliable.
memberOf is an operational (i.e. not user-updatable), server-side set, reciprocal value of the member attribute from the group entry.
So when a user is added to a group, which is done by adding the DN of the user to the group's member attribute, the USN of the group changes.
However, the USN of the user does NOT change.
In addition, no nested group entries would ever be represented within the memberOf attribute.
To accurately determine which groups the user is a member of you should use a query for all groups similar to:
(member:1.2.840.113556.1.4.1941:=CN=John Smith,DC=MyDomain,DC=NET)
-jim
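An added example, not code from the post above: it builds the matching-rule-in-chain filter jim describes with the filter-value escaping from RFC 4515, and then, over a constructed in-memory directory, contrasts what a user's memberOf attribute lists (direct groups only) with what the transitive member query returns (nested groups included). The directory contents, DNs and helper names are all constructed for illustration; the OID 1.2.840.113556.1.4.1941 is the one given in the post.

```python
# LDAP_MATCHING_RULE_IN_CHAIN, the AD transitive matching rule from the post.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """Escape a filter assertion value per RFC 4515 section 3.

    '\\', '*', '(', ')' and NUL must be written as \\5c \\2a \\28 \\29 \\00,
    otherwise a DN containing them changes the filter's structure.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def groups_of_user_filter(user_dn):
    """Filter that returns every group the user is in, directly or nested."""
    return f"(member:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(user_dn)})"


# Constructed directory snapshot: group DN -> member DNs (users or groups).
# "John Smith" is only a *direct* member of VPN-Admins; VPN-Admins is itself a
# member of Split-tunnel, so Split-tunnel is a nested membership for John.
DIRECTORY = {
    "CN=Split-tunnel,CN=Users,DC=example,DC=test": [
        "CN=VPN-Admins,CN=Users,DC=example,DC=test",
        "CN=Deb,CN=Users,DC=example,DC=test",
    ],
    "CN=VPN-Admins,CN=Users,DC=example,DC=test": [
        "CN=John Smith,CN=Users,DC=example,DC=test",
    ],
    "CN=Printers,CN=Users,DC=example,DC=test": [
        "CN=John Smith,CN=Users,DC=example,DC=test",
    ],
}


def direct_member_of(directory, dn):
    """Groups whose member attribute holds dn: what dn's memberOf would show."""
    return sorted(g for g, members in directory.items() if dn in members)


def transitive_member_of(directory, dn):
    """Groups reachable by following group-in-group nesting from dn.

    This is what the matching-rule-in-chain query evaluates server-side.
    Visited set guards against cyclic group nesting.
    """
    seen, stack = set(), [dn]
    while stack:
        for group in direct_member_of(directory, stack.pop()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return sorted(seen)


if __name__ == "__main__":
    john = "CN=John Smith,CN=Users,DC=example,DC=test"
    print("filter:    ", groups_of_user_filter(john))
    print("memberOf:  ", direct_member_of(DIRECTORY, john))
    print("transitive:", transitive_member_of(DIRECTORY, john))
```

The difference between the last two lines of output is exactly the gap jim points out: an ASA map keyed on memberOf would never see John in Split-tunnel, while the transitive query would. Real AD compares DNs case-insensitively; the in-memory version above compares them exactly, which is a simplification.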