We're using OpenLDAP for authorising our users to connect to the WebVPN via our ASA.
We'd like to rely on operational attributes to do some DAP matching. This is an example of how a user record looks in our LDAP tree:
# extended LDIF
# filter: cn=exampleuser
# requesting: +
# exampleuser, People, services.mycompany.com
# search result
result: 0 Success
# numResponses: 2
# numEntries: 1
As you can see we're using the operational attribute "memberOf" which is not visible unless you append a plus to the ldap search.
The issue: the attribute check is ignored despite having set up a conditional match against the ldap.memberOf attribute in the ASDM DAP editor. The query is visible in the OpenLDAP logs:
lapd: conn=949872 op=2 SRCH base="dc=services,dc=mycompany,dc=com" scope=2 deref=3 filter="(cn=exampleuser)"
Are LDAP operational attributes supported at all by the Cisco ASA?
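As an added example that is not part of the original question or answer, the following Python models the attribute-selection rule of RFC 4511 (with the "+" selector of RFC 3673) that makes an operational attribute such as memberOf disappear from a search that does not request it. The entry, group DN and function names are constructed for illustration, not taken from the page.

```python
# Constructed sample entry: user attributes a server returns by default.
USER_ATTRS = {
    "cn": ["exampleuser"],
    "uid": ["exampleuser"],
    "mail": ["exampleuser@services.mycompany.com"],
}
# Constructed operational attributes: maintained by the server and only
# returned when explicitly requested (by name or via "+").
OPERATIONAL_ATTRS = {
    "memberOf": ["cn=vpn-users,ou=Groups,dc=services,dc=mycompany,dc=com"],
    "entryUUID": ["constructed-uuid"],
}
GROUP = "cn=vpn-users,ou=Groups,dc=services,dc=mycompany,dc=com"


def select_attributes(requested, user=USER_ATTRS, operational=OPERATIONAL_ATTRS):
    """Return the attributes a server sends for a search with the given
    attribute list: empty or "*" -> all user attributes; "+" -> all
    operational attributes; an explicit name -> that attribute, whether it is
    a user or an operational one. Attribute names are case-insensitive."""
    wanted = {name.lower() for name in requested}
    want_all_user = not requested or "*" in wanted
    want_all_oper = "+" in wanted
    result = {}
    for name, values in user.items():
        if want_all_user or name.lower() in wanted:
            result[name] = list(values)
    for name, values in operational.items():
        if want_all_oper or name.lower() in wanted:
            result[name] = list(values)
    return result


def dap_attribute_matches(returned, attribute, expected_value):
    """Mimic a DAP condition 'ldap.<attribute> = value': it can only hold if
    the attribute was actually present in the search result."""
    return expected_value in returned.get(attribute, [])


if __name__ == "__main__":
    # A search with no attribute list, like the one logged in the question:
    # memberOf is absent, so a DAP condition on it can never match.
    print(select_attributes([]))
    # Requesting memberOf by name (or via "+") returns it.
    print(dap_attribute_matches(select_attributes(["memberOf"]), "memberOf", GROUP))
```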
Specify a Dynamic Access Profile with:
Criteria: User has ALL of the following AAA attribute values...
ldap.memberOf != GroupName
cisco.tunnelgroup = TunnelGroupName
Thanks for the input, but it's not possible for me to do that kind of matching. I have other DAPs in place, therefore I need an explicit match against that operational attribute.