My LDAP mapping is not working, it allows all AD users through

emadubuko (Level 1)

I've configured LDAP authentication on an ASA 5545 to allow only a certain user group. I mapped the memberOf group, but this seems not to be working, as it allows all AD users.

ldap attribute-map LDAP-MAP
 map-name memberOf Group-Policy
 map-value memberOf CN=S-ANYCONNECT-UK,OU=SECURITY,OU=GROUPS,DC=uba,DC=sroot,DC=net GroupPolicy_Skynet-UK

aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.44.10.25
 ldap-base-dn DC=uba,DC=sroot,DC=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=[SERVICE]anyconnect,OU=SERVICE,OU=BRIDGE,OU=TD,DC=uba,DC=sroot,DC=net
 server-type microsoft
 ldap-attribute-map LDAP-MAP

 authentication-server-group LDAP
 authentication-server-group (inside) LDAP
 authorization-server-group LDAP
 default-group-policy GroupPolicy_Skynet-UK

When I run the debug, I noticed it checks every group; it passes through every group:

[2423]  instanceType: value = 4
[2423]  whenCreated: value = 20121019141245.0Z
[2423]  whenChanged: value = 20130223133026.0Z
[2423]  uSNCreated: value = 24557257
[2423]  memberOf: value = CN=S-ANYCONNECT-UK,OU=SECURITY,OU=GROUPS,DC=uba,DC=sroot,DC=net
[2423]          mapped to Group-Policy: value = GroupPolicy_Skynet-UK
[2423]          mapped to LDAP-Class: value = GroupPolicy_Skynet-UK
[2423]  memberOf: value = CN=S-SPM-ENABLE,OU=SECURITY,OU=GROUPS,DC=uba,DC=sroot,DC=net
[2423]          mapped to Group-Policy: value = CN=S-SPM-ENABLE,OU=SECURITY,OU=GROUPS,DC=ukbu,DC=ukroot,DC=net
[2423]          mapped to LDAP-Class: value = CN=S-SPM-ENABLE,OU=SECURITY,OU=GROUPS,DC=uba,DC=sroot,DC=net
[2423]  memberOf: value = CN=S-MBX-ITSD-IT.REMOTESUPPORT,OU=SECURITY,OU=GROUPS,DC=uba,DC=sroot,DC=net
[2423]          mapped to Group-Policy: value = CN=S-MBX-ITSD-IT.REMOTESUPPORT,OU=SECURITY,OU=GROUPS,DC=uba,DC=sroot,DC=net
[2423]          mapped to LDAP-Class: value = CN=S-MBX-ITSD-IT.REMOTESUPPORT,OU=SECURITY,OU=GROUPS,DC=uba,DC=sroot,DC=net
[2423]  memberOf: value = CN=DL-ITSD-SD-SUPPORTTEAM,OU=DISTRIBUTIONLISTS,OU=GROUPS,DC=uba,DC=sroot,DC=net
[2423]          mapped to Group-Policy: value = CN=DL-IT-SD-SUPPORTTEAM,OU=DISTRIBUTIONLISTS,OU=GROUPS,DC=uba,DC=sroot,DC=net
[2423]          mapped to LDAP-Class: value = CN=DL-ITSD-SD-SUPPORTTEAM,OU=DISTRIBUTIONLISTS,OU=GROUPS,DC=uba,DC=sroot,DC=net

It just goes on and on. Can anyone help?
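An added configuration example, not from the original post and not Cisco's own text, to show the pattern that makes an LDAP attribute map actually restrict access. The posted debug already shows the mechanism: a memberOf value that matches a map-value is translated to GroupPolicy_Skynet-UK, while every other memberOf value is passed through unchanged as the literal group DN. No group-policy with such a DN as its name exists on the ASA, so those users fall back to the tunnel group's default-group-policy, and in the posted config that default is GroupPolicy_Skynet-UK, the same policy the map is meant to grant. The result is that the map cannot deny anyone. The usual ASA fix is to make the tunnel group default a deny-all policy with vpn-simultaneous-logins 0, so only a user whose memberOf maps to the permitted policy can bring up a session. The policy name NOACCESS and the tunnel-group name TG-ANYCONNECT-UK below are assumptions; the attribute map and aaa-server lines are the ones from the post.

```cisco
! Added example; NOACCESS and TG-ANYCONNECT-UK are assumed names, not from the original post.
!
! Deny-all policy: users land here when no memberOf value maps to a real group-policy.
! They authenticate successfully but cannot establish a session.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Permitted policy (exists in the original post). vpn-simultaneous-logins is set
! explicitly so it cannot inherit a zero from DfltGrpPolicy if that is changed later.
group-policy GroupPolicy_Skynet-UK internal
group-policy GroupPolicy_Skynet-UK attributes
 vpn-simultaneous-logins 3
!
! Only the permitted AD group is translated; all other memberOf DNs pass through
! unchanged and therefore match no group-policy name.
ldap attribute-map LDAP-MAP
 map-name memberOf Group-Policy
 map-value memberOf CN=S-ANYCONNECT-UK,OU=SECURITY,OU=GROUPS,DC=uba,DC=sroot,DC=net GroupPolicy_Skynet-UK
!
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.44.10.25
 ldap-base-dn DC=uba,DC=sroot,DC=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=[SERVICE]anyconnect,OU=SERVICE,OU=BRIDGE,OU=TD,DC=uba,DC=sroot,DC=net
 server-type microsoft
 ldap-attribute-map LDAP-MAP
!
! The tunnel group default must be the deny-all policy, not the permitted one.
tunnel-group TG-ANYCONNECT-UK general-attributes
 authentication-server-group (inside) LDAP
 authorization-server-group (inside) LDAP
 authorization-required
 default-group-policy NOACCESS
```

To check the result, run `debug ldap 255` and then `test aaa-server authentication LDAP host 10.44.10.25 username <user> password <password>` (placeholders) once with a member of S-ANYCONNECT-UK and once with a user who is not. The permitted user's debug should show `mapped to Group-Policy: value = GroupPolicy_Skynet-UK`, as in the posted output; the other user's memberOf values should all pass through as raw DNs, and an actual AnyConnect attempt by that user should be refused with the simultaneous-logins limit, visible in `show vpn-sessiondb anyconnect` as no session. Two caveats: the map-value DN must match the memberOf value character for character, including the OU path, so a group that is moved in AD silently stops matching; and AD's memberOf lists direct membership only, so users who belong to S-ANYCONNECT-UK through a nested group will not be mapped and will land in NOACCESS.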

1 Reply

Scottymay (Level 1)

I noticed this and I am having the same issue. My AD looks almost the same as yours. Did you find an answer? I have not yet.