03-06-2010 04:47 AM - edited 03-08-2019 06:32 PM
Hi, I have the following issue. When I use the ldap-attribute-map to match the group in AD to the group-policy in ASA, I found that a user who belongs to two groups can only match the first group in AD. How can I match the group-policy to the second group, third group??? Thx.
Below is my show version information .
asa# sh version
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(3)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Unsuccessful log
asa#
[7] Session Start
[7] New request Session, context 0xccd0c7d8, reqType = Authentication
[7] Fiber started
[7] Creating LDAP context with uri=ldap://192.168.11.139:389
[7] Connect to LDAP server: ldap://192.168.11.139:389, status = Successful
[7] supportedLDAPVersion: value = 3
[7] supportedLDAPVersion: value = 2
[7] Binding as Administrator
[7] Performing Simple authentication for Administrator to 192.168.11.139
[7] LDAP Search:
Base DN = [DC=qykwok,DC=com]
Filter = [sAMAccountName=macroview]
Scope = [SUBTREE]
[7] User DN = [CN=macroview,CN=Users,DC=qykwok,DC=com]
[7] Talking to Active Directory server 192.168.11.139
[7] Reading password policy for macroview, dn:CN=macroview,CN=Users,DC=qykwok,DC=com
[7] Read bad password count 0
[7] Binding as macroview
[7] Performing Simple authentication for macroview to 192.168.11.139
[7] Processing LDAP response for user macroview
[7] Message (macroview):
[7] Authentication successful for macroview to 192.168.11.139
[7] Retrieved User Attributes:
[7] objectClass: value = top
[7] objectClass: value = person
[7] objectClass: value = organizationalPerson
[7] objectClass: value = user
[7] cn: value = macroview
[7] distinguishedName: value = CN=macroview,CN=Users,DC=qykwok,DC=com
[7] instanceType: value = 4
[7] whenCreated: value = 20100301093235.0Z
[7] whenChanged: value = 20100301093235.0Z
[7] displayName: value = macroview
[7] uSNCreated: value = 13910
[7] memberOf: value = CN=admin,CN=Users,DC=qykwok,DC=com
[7] mapped to Group-Policy: value = CN=admin,CN=Users,DC=qykwok,DC=com
[7] mapped to LDAP-Class: value = CN=admin,CN=Users,DC=qykwok,DC=com
[7] memberOf: value = CN=Sales,CN=Users,DC=qykwok,DC=com
[7] mapped to Group-Policy: value = CN=Sales,CN=Users,DC=qykwok,DC=com
[7] mapped to LDAP-Class: value = CN=Sales,CN=Users,DC=qykwok,DC=com
[7] memberOf: value = CN=Engineer,CN=Users,DC=qykwok,DC=com
[7] mapped to Group-Policy: value = noaccess
[7] mapped to LDAP-Class: value = noaccess
[7] uSNChanged: value = 13916
[7] name: value = macroview
[7] objectGUID: value = .._..Q'G.Q.4..]&
[7] userAccountControl: value = 66048
[7] badPwdCount: value = 0
[7] codePage: value = 0
[7] countryCode: value = 0
[7] badPasswordTime: value = 0
[7] lastLogoff: value = 0
[7] lastLogon: value = 0
[7] pwdLastSet: value = 129119095553281250
[7] primaryGroupID: value = 513
[7] objectSid: value = ..............u....41.9.X...
[7] accountExpires: value = 9223372036854775807
[7] logonCount: value = 0
[7] sAMAccountName: value = macroview
[7] sAMAccountType: value = 805306368
[7] userPrincipalName: value = macroview@qykwok.com
[7] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=qykwok,DC=com
[7] Fiber exit Tx=535 bytes Rx=2359 bytes, status=1
[7] Session End
asa#
asa#
asa#
Successful log
asa#
[10] Session Start
[10] New request Session, context 0xccd0c7d8, reqType = Authentication
[10] Fiber started
[10] Creating LDAP context with uri=ldap://192.168.11.139:389
[10] Connect to LDAP server: ldap://192.168.11.139:389, status = Successful
[10] supportedLDAPVersion: value = 3
[10] supportedLDAPVersion: value = 2
[10] Binding as Administrator
[10] Performing Simple authentication for Administrator to 192.168.11.139
[10] LDAP Search:
Base DN = [DC=qykwok,DC=com]
Filter = [sAMAccountName=monica]
Scope = [SUBTREE]
[10] User DN = [CN=monica,CN=Users,DC=qykwok,DC=com]
[10] Talking to Active Directory server 192.168.11.139
[10] Reading password policy for monica, dn:CN=monica,CN=Users,DC=qykwok,DC=com
[10] Read bad password count 1
[10] Binding as monica
[10] Performing Simple authentication for monica to 192.168.11.139
[10] Processing LDAP response for user monica
[10] Message (monica):
[10] Authentication successful for monica to 192.168.11.139
[10] Retrieved User Attributes:
[10] objectClass: value = top
[10] objectClass: value = person
[10] objectClass: value = organizationalPerson
[10] objectClass: value = user
[10] cn: value = monica
[10] distinguishedName: value = CN=monica,CN=Users,DC=qykwok,DC=com
[10] instanceType: value = 4
[10] whenCreated: value = 20100301093211.0Z
[10] whenChanged: value = 20100301124310.0Z
[10] displayName: value = monica
[10] uSNCreated: value = 13902
[10] memberOf: value = CN=Sales,CN=Users,DC=qykwok,DC=com
[10] mapped to Group-Policy: value = CN=Sales,CN=Users,DC=qykwok,DC=com
[10] mapped to LDAP-Class: value = CN=Sales,CN=Users,DC=qykwok,DC=com
[10] uSNChanged: value = 16398
[10] name: value = monica
[10] objectGUID: value = .0.}..K@.vSs./@.
[10] userAccountControl: value = 66048
[10] badPwdCount: value = 1
[10] codePage: value = 0
[10] countryCode: value = 0
[10] badPasswordTime: value = 129123210177656250
[10] lastLogoff: value = 0
[10] lastLogon: value = 129123202953125000
[10] pwdLastSet: value = 129119200735625000
[10] primaryGroupID: value = 513
[10] userParameters: value = m: d.
[10] objectSid: value = ..............u....41.9.W...
[10] accountExpires: value = 9223372036854775807
[10] logonCount: value = 0
[10] sAMAccountName: value = monica
[10] sAMAccountType: value = 805306368
[10] userPrincipalName: value = monica@qykwok.com
[10] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=qykwok,DC=com
[10] msNPAllowDialin: value = FALSE
[10] Fiber exit Tx=526 bytes Rx=2408 bytes, status=1
[10] Session End
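As an added example (not code from the post or from Cisco), the script below reads debug output in the shape quoted above and reports, per user, which Group-Policy value the ASA would take if only the first memberOf value is honoured, which is the behaviour the poster reports rather than a documented guarantee. The sample log, the example.com group names and the set of configured policy names are constructed for the example; a mapped value that does not name a configured policy (such as the raw DN echoed back when no map-value entry matched) is flagged, and a user whose outcome would change if AD had returned the groups in another order is marked "order-dependent".

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the ASA "debug ldap" output quoted in the
# post (two sessions, attribute lists abridged, example.com names).
SAMPLE_DEBUG = """\
[7] Session Start
[7] LDAP Search:
Base DN = [DC=example,DC=com]
Filter = [sAMAccountName=alice]
Scope = [SUBTREE]
[7] Retrieved User Attributes:
[7] memberOf: value = CN=admin,CN=Users,DC=example,DC=com
[7] mapped to Group-Policy: value = CN=admin,CN=Users,DC=example,DC=com
[7] mapped to LDAP-Class: value = CN=admin,CN=Users,DC=example,DC=com
[7] memberOf: value = CN=Sales,CN=Users,DC=example,DC=com
[7] mapped to Group-Policy: value = Sales-Policy
[7] mapped to LDAP-Class: value = Sales-Policy
[7] memberOf: value = CN=Engineer,CN=Users,DC=example,DC=com
[7] mapped to Group-Policy: value = noaccess
[7] mapped to LDAP-Class: value = noaccess
[7] Session End
[10] Session Start
[10] LDAP Search:
Filter = [sAMAccountName=bob]
[10] Retrieved User Attributes:
[10] memberOf: value = CN=Sales,CN=Users,DC=example,DC=com
[10] mapped to Group-Policy: value = Sales-Policy
[10] mapped to LDAP-Class: value = Sales-Policy
[10] Session End
"""

# Constructed: the group-policy names assumed to exist on the ASA. A mapped
# value outside this set (for example a raw DN echoed back because no
# map-value entry matched it) cannot select a policy.
CONFIGURED_POLICIES = {"Sales-Policy", "noaccess"}

START_RE = re.compile(r"^\[(\d+)\] Session Start$")
FILTER_RE = re.compile(r"^Filter = \[sAMAccountName=([^\]]+)\]$")
MEMBEROF_RE = re.compile(r"^\[\d+\] memberOf: value = (.+)$")
MAPPED_RE = re.compile(r"^\[\d+\] mapped to Group-Policy: value = (.+)$")


@dataclass
class Session:
    sid: str
    user: str = ""
    # (memberOf DN, value the attribute map produced for it), in log order
    groups: list = field(default_factory=list)


def parse_sessions(text):
    """Split the debug text into sessions and pair each memberOf value with
    the Group-Policy value the attribute map produced for it."""
    sessions, current, pending_dn = [], None, None
    for line in text.splitlines():
        if m := START_RE.match(line):
            current = Session(sid=m.group(1))
            sessions.append(current)
            pending_dn = None
            continue
        if current is None:
            continue
        if m := FILTER_RE.match(line):
            current.user = m.group(1)
        elif m := MEMBEROF_RE.match(line):
            pending_dn = m.group(1)
        elif (m := MAPPED_RE.match(line)) and pending_dn is not None:
            current.groups.append((pending_dn, m.group(1)))
            pending_dn = None
    return sessions


def effective_policy(session, configured):
    """Model the behaviour the poster reports: only the first memberOf value
    is honoured. Returns (value taken, verdict)."""
    if not session.groups:
        return None, "no-memberof"
    first = session.groups[0][1]
    later = [value for _, value in session.groups[1:]]
    if first in configured:
        verdict = "ok"
    elif any(value in configured for value in later):
        # A later group maps to a real policy, so the outcome hinges on the
        # order in which AD returned memberOf: the symptom described in the post.
        verdict = "order-dependent"
    else:
        verdict = "unmatched"
    return first, verdict


def audit(text, configured=CONFIGURED_POLICIES):
    """Map each user in the debug output to (effective value, verdict)."""
    return {s.user: effective_policy(s, configured) for s in parse_sessions(text)}


if __name__ == "__main__":
    for user, (value, verdict) in audit(SAMPLE_DEBUG).items():
        print(f"{user:10} {verdict:16} {value}")
```

Run against a saved copy of the real debug output, the "order-dependent" and "unmatched" verdicts list the accounts whose VPN policy is decided by group ordering in AD rather than by the map, which is the set to review before relying on the attribute map for access decisions.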