Why the ldap-attribute-map just can match the first group

Hi, I have the following issue. When I use the ldap-attribute-map to match the group in AD to the group-policy in ASA, I found that a user who belongs to two groups can only match the first group in AD. How can I match the group-policy to the second group, third group? Thanks.

Below is my show version information.

asa# sh version

Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(3)

Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"

Unsuccessful log

asa#
[7] Session Start
[7] New request Session, context 0xccd0c7d8, reqType = Authentication
[7] Fiber started
[7] Creating LDAP context with uri=ldap://192.168.11.139:389
[7] Connect to LDAP server: ldap://192.168.11.139:389, status = Successful
[7] supportedLDAPVersion: value = 3
[7] supportedLDAPVersion: value = 2
[7] Binding as Administrator
[7] Performing Simple authentication for Administrator to 192.168.11.139
[7] LDAP Search:
        Base DN = [DC=qykwok,DC=com]
        Filter  = [sAMAccountName=macroview]
        Scope   = [SUBTREE]
[7] User DN = [CN=macroview,CN=Users,DC=qykwok,DC=com]
[7] Talking to Active Directory server 192.168.11.139
[7] Reading password policy for macroview, dn:CN=macroview,CN=Users,DC=qykwok,DC=com
[7] Read bad password count 0
[7] Binding as macroview
[7] Performing Simple authentication for macroview to 192.168.11.139
[7] Processing LDAP response for user macroview
[7] Message (macroview):
[7] Authentication successful for macroview to 192.168.11.139
[7] Retrieved User Attributes:
[7]     objectClass: value = top
[7]     objectClass: value = person
[7]     objectClass: value = organizationalPerson
[7]     objectClass: value = user
[7]     cn: value = macroview
[7]     distinguishedName: value = CN=macroview,CN=Users,DC=qykwok,DC=com
[7]     instanceType: value = 4
[7]     whenCreated: value = 20100301093235.0Z
[7]     whenChanged: value = 20100301093235.0Z
[7]     displayName: value = macroview
[7]     uSNCreated: value = 13910
[7]     memberOf: value = CN=admin,CN=Users,DC=qykwok,DC=com
[7]             mapped to Group-Policy: value = CN=admin,CN=Users,DC=qykwok,DC=com
[7]             mapped to LDAP-Class: value = CN=admin,CN=Users,DC=qykwok,DC=com
[7]     memberOf: value = CN=Sales,CN=Users,DC=qykwok,DC=com
[7]             mapped to Group-Policy: value = CN=Sales,CN=Users,DC=qykwok,DC=com
[7]             mapped to LDAP-Class: value = CN=Sales,CN=Users,DC=qykwok,DC=com
[7]     memberOf: value = CN=Engineer,CN=Users,DC=qykwok,DC=com
[7]             mapped to Group-Policy: value = noaccess
[7]             mapped to LDAP-Class: value = noaccess
[7]     uSNChanged: value = 13916
[7]     name: value = macroview
[7]     objectGUID: value = .._..Q'G.Q.4..]&
[7]     userAccountControl: value = 66048
[7]     badPwdCount: value = 0
[7]     codePage: value = 0
[7]     countryCode: value = 0
[7]     badPasswordTime: value = 0
[7]     lastLogoff: value = 0
[7]     lastLogon: value = 0
[7]     pwdLastSet: value = 129119095553281250
[7]     primaryGroupID: value = 513
[7]     objectSid: value = ..............u....41.9.X...
[7]     accountExpires: value = 9223372036854775807
[7]     logonCount: value = 0
[7]     sAMAccountName: value = macroview
[7]     sAMAccountType: value = 805306368
[7]     userPrincipalName: value = macroview@qykwok.com
[7]     objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=qykwok,DC=com
[7] Fiber exit Tx=535 bytes Rx=2359 bytes, status=1
[7] Session End

asa#
asa#
asa#

Successful log

asa#
[10] Session Start
[10] New request Session, context 0xccd0c7d8, reqType = Authentication
[10] Fiber started
[10] Creating LDAP context with uri=ldap://192.168.11.139:389
[10] Connect to LDAP server: ldap://192.168.11.139:389, status = Successful
[10] supportedLDAPVersion: value = 3
[10] supportedLDAPVersion: value = 2
[10] Binding as Administrator
[10] Performing Simple authentication for Administrator to 192.168.11.139
[10] LDAP Search:
        Base DN = [DC=qykwok,DC=com]
        Filter  = [sAMAccountName=monica]
        Scope   = [SUBTREE]
[10] User DN = [CN=monica,CN=Users,DC=qykwok,DC=com]
[10] Talking to Active Directory server 192.168.11.139
[10] Reading password policy for monica, dn:CN=monica,CN=Users,DC=qykwok,DC=com
[10] Read bad password count 1
[10] Binding as monica
[10] Performing Simple authentication for monica to 192.168.11.139
[10] Processing LDAP response for user monica
[10] Message (monica):
[10] Authentication successful for monica to 192.168.11.139
[10] Retrieved User Attributes:
[10]    objectClass: value = top
[10]    objectClass: value = person
[10]    objectClass: value = organizationalPerson
[10]    objectClass: value = user
[10]    cn: value = monica
[10]    distinguishedName: value = CN=monica,CN=Users,DC=qykwok,DC=com
[10]    instanceType: value = 4
[10]    whenCreated: value = 20100301093211.0Z
[10]    whenChanged: value = 20100301124310.0Z
[10]    displayName: value = monica
[10]    uSNCreated: value = 13902
[10]    memberOf: value = CN=Sales,CN=Users,DC=qykwok,DC=com
[10]            mapped to Group-Policy: value = CN=Sales,CN=Users,DC=qykwok,DC=com
[10]            mapped to LDAP-Class: value = CN=Sales,CN=Users,DC=qykwok,DC=com
[10]    uSNChanged: value = 16398
[10]    name: value = monica
[10]    objectGUID: value = .0.}..K@.vSs./@.
[10]    userAccountControl: value = 66048
[10]    badPwdCount: value = 1
[10]    codePage: value = 0
[10]    countryCode: value = 0
[10]    badPasswordTime: value = 129123210177656250
[10]    lastLogoff: value = 0
[10]    lastLogon: value = 129123202953125000
[10]    pwdLastSet: value = 129119200735625000
[10]    primaryGroupID: value = 513
[10]    userParameters: value = m:                    d.                       
[10]    objectSid: value = ..............u....41.9.W...
[10]    accountExpires: value = 9223372036854775807
[10]    logonCount: value = 0
[10]    sAMAccountName: value = monica
[10]    sAMAccountType: value = 805306368
[10]    userPrincipalName: value = monica@qykwok.com
[10]    objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=qykwok,DC=com
[10]    msNPAllowDialin: value = FALSE
[10] Fiber exit Tx=526 bytes Rx=2408 bytes, status=1
[10] Session End
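
The following script is an added example, not code from the poster or from Cisco. It parses debug output in the form quoted above, collects each session's memberOf values together with the "mapped to Group-Policy" value the ASA printed for them, and reports the group-policy that results if only the first memberOf value is consulted, which is the behaviour the post describes. It also flags two things worth checking before changing the map: a user whose memberOf values map to more than one distinct group-policy (so the choice depends on attribute order), and a memberOf value that passed through the map unchanged (no map-value rewrote it, so a group-policy with that exact DN as its name would have to exist). The sample input is an abbreviated excerpt of sessions [7] and [10] from the post, trimmed to the lines the parser needs; the "first value wins" rule is taken from the poster's report and encoded as an assumption, not verified against ASA documentation.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: an abbreviated excerpt of the two sessions quoted in
# the post ([7] macroview, [10] monica). Lines not needed by the parser
# were dropped; nothing was added.
SAMPLE_LOG = """\
[7] Session Start
[7] Authentication successful for macroview to 192.168.11.139
[7] Retrieved User Attributes:
[7]     cn: value = macroview
[7]     memberOf: value = CN=admin,CN=Users,DC=qykwok,DC=com
[7]             mapped to Group-Policy: value = CN=admin,CN=Users,DC=qykwok,DC=com
[7]             mapped to LDAP-Class: value = CN=admin,CN=Users,DC=qykwok,DC=com
[7]     memberOf: value = CN=Sales,CN=Users,DC=qykwok,DC=com
[7]             mapped to Group-Policy: value = CN=Sales,CN=Users,DC=qykwok,DC=com
[7]             mapped to LDAP-Class: value = CN=Sales,CN=Users,DC=qykwok,DC=com
[7]     memberOf: value = CN=Engineer,CN=Users,DC=qykwok,DC=com
[7]             mapped to Group-Policy: value = noaccess
[7]             mapped to LDAP-Class: value = noaccess
[7] Session End
[10] Session Start
[10] Authentication successful for monica to 192.168.11.139
[10] Retrieved User Attributes:
[10]    memberOf: value = CN=Sales,CN=Users,DC=qykwok,DC=com
[10]            mapped to Group-Policy: value = CN=Sales,CN=Users,DC=qykwok,DC=com
[10]            mapped to LDAP-Class: value = CN=Sales,CN=Users,DC=qykwok,DC=com
[10] Session End
"""


@dataclass
class Session:
    """One authentication session, keyed by the [n] prefix in the debug output."""
    sid: str
    user: Optional[str] = None
    # (memberOf value, mapped Group-Policy value) pairs, in the order the
    # ASA printed them; the mapped value is None until its line is seen.
    groups: List[Tuple[str, Optional[str]]] = field(default_factory=list)


LINE_RE = re.compile(r"^\[(\d+)\]\s*(.*)$")
AUTH_RE = re.compile(r"Authentication successful for (\S+) to ")
MEMBEROF_RE = re.compile(r"memberOf: value = (.+)$")
MAPPED_GP_RE = re.compile(r"mapped to Group-Policy: value = (.+)$")


def parse_sessions(text: str) -> Dict[str, Session]:
    """Group the debug lines by session id and extract user and memberOf mappings."""
    sessions: Dict[str, Session] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation lines without a [n] prefix (Base DN, Filter, ...) carry nothing we need
        sid, body = m.group(1), m.group(2).strip()
        s = sessions.setdefault(sid, Session(sid))
        if am := AUTH_RE.search(body):
            s.user = am.group(1)
        elif gm := MEMBEROF_RE.search(body):
            s.groups.append((gm.group(1).strip(), None))
        elif pm := MAPPED_GP_RE.search(body):
            # The mapped line always follows the memberOf value it belongs to.
            if s.groups and s.groups[-1][1] is None:
                dn = s.groups[-1][0]
                s.groups[-1] = (dn, pm.group(1).strip())
    return sessions


def effective_policy(s: Session) -> Optional[str]:
    """Group-policy under the rule the poster reports: the one mapped from the
    FIRST memberOf value; later values are not consulted (assumption)."""
    return s.groups[0][1] if s.groups else None


def audit(s: Session) -> List[str]:
    """Findings a defender would want before changing the ldap-attribute-map."""
    findings: List[str] = []
    distinct = sorted({gp for _, gp in s.groups if gp})
    if len(distinct) > 1:
        findings.append(
            f"{s.user}: {len(s.groups)} memberOf values map to {len(distinct)} distinct "
            f"group-policies {distinct}; first-match yields '{effective_policy(s)}' and "
            f"the others are ignored, so the result depends on attribute order")
    for dn, gp in s.groups:
        if gp == dn:
            findings.append(
                f"{s.user}: memberOf '{dn}' passed through the map unchanged (no map-value "
                f"rewrote it); a group-policy named exactly that is needed for it to apply")
    return findings


if __name__ == "__main__":
    for sid, sess in parse_sessions(SAMPLE_LOG).items():
        print(f"[{sid}] {sess.user}: effective group-policy = {effective_policy(sess)}")
        for line in audit(sess):
            print("   !", line)
```

Run against the excerpt, session [7] shows macroview's three memberOf values mapping to three different group-policies, with the first (the admin DN, unrewritten) winning, while session [10] shows monica with a single value and only the pass-through finding. Feeding the script the full debug output from the post, or a capture with more sessions, works the same way since lines without a `[n]` prefix are skipped.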
