Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1199
Views
0
Helpful
2
Replies

LDAP memberOf maps OK first login attempt, but not on later ones

desmith
Level 1
Level 1

‎09-27-2012 11:37 AM - edited ‎03-10-2019 07:36 PM

Hello! 

I'm seeing a very weird problem:  I'm trying to use LDAP memberOf values to map users at login into different ASA groups, with different policies.

This mapping works on the first login, but not thereafter (until/unless a break of many hours occurs, and then it works on the first login *again*).

Excerpt from "debug ldap 255":

First attempt:

[11258]         memberOf: value = CN=Split-tunnel,CN=Users,DC=ldproducts,DC=local

[11258]                 mapped to IETF-Radius-Class: value = Split-Tunnel-Group

[11258]         uSNChanged: value = 6995298

Second, third, etc. attempts:

[11261]         memberOf: value = CN=Split-tunnel,CN=Users,DC=ldproducts,DC=local

[11261]         uSNChanged: value = 7127750

Hmmm...very odd. 

Any suggestions would be greatly appreciated!

Deb

Labels:
0 Helpful
2 Replies 2

desmith
Level 1
Level 1

‎09-27-2012 11:57 AM

I neglected to mention that the configuration in question is on an ASA 5520 active/standby pair, running 8.2.1.

0 Helpful

jim
Level 1
Level 1
In response to desmith

‎09-30-2012 02:00 AM

I am certainly not Cisco expert, but from a LDAP perspective, I do not think the memberOf attribute will be reliable.

memberOf is an operationanal, (ie not user updatable), server side set recirpical value of the member Attribute from the group entry.

So when a user is added to a group which by adding the DN of the user to the Group's Member attribute, the USN of the Group changes.

However, the USN of the user does NOT change.

In addtion, no nested group entries would ever be represented within the memberOf attribute.

To accurateley determine which groups the user is a member of you should use a query for all groups similer to:

(member:1.2.840.113556.1.4.1941:=(CN=John Smith,DC=MyDomain,DC=NET))

-jim

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents