LDAP operational attributes match in ASA 5510 during authorisation

Hi,

We're using OpenLDAP for authorising our users to connect to the WebVPN via our ASA.
We'd like to rely on operational attributes to do some DAP matching. This is an example of how a user record looks in our LDAP tree:

# extended LDIF
#
# LDAPv3
# filter: cn=exampleuser
# requesting: +
#

# exampleuser, People, services.mycompany.com
dn: cn=exampleuser,ou=People,dc=services,dc=mycompany,dc=com
memberOf: cn=gli,ou=groups,dc=services,dc=mycompany,dc=com
entryDN: cn=exampleuser,ou=People,dc=services,dc=mycompany,dc=com

# search result
search: 5
result: 0 Success

# numResponses: 2
# numEntries: 1

As you can see, we're using the operational attribute "memberOf", which is not visible unless you append a plus (+) to the LDAP search.

The issue: the attribute check is ignored despite having set up a conditional match against the ldap.memberOf attribute in the ASDM DAP editor. The query is visible in the OpenLDAP logs:

lapd[809]: conn=949872 op=2 SRCH base="dc=services,dc=mycompany,dc=com" scope=2 deref=3 filter="(cn=exampleuser)"

Are LDAP operational attributes supported at all by the Cisco ASA?

Thanks!


LDAP operational attributes match in ASA 5510 during authorisation

Specify a Dynamic Access Profile with:

Criteria: User has ALL of the following AAA attribute values...

ldap.memberOf != GroupName

cisco.tunnelgroup = TunnelGroupName

Should work

/K
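The point both the question and the reply above turn on is what the ASA can actually see: a DAP criterion on ldap.memberOf can only match values that came back in the ASA's own LDAP search, and memberOf is an operational attribute that OpenLDAP returns only when it is requested (with "+" or by name). The slapd SRCH line in the question shows the base and filter but not which attributes were requested, so the ldapsearch output with "+" is not evidence that the ASA received the same attribute set. The following is an added example, not code from the thread and not Cisco or OpenLDAP code. It models a DAP-style "User has ALL of the following AAA attribute values" evaluation over two constructed LDIF results: the entry as returned with "+" (copied from the question) and the same entry with only assumed user attributes (objectClass, cn, uid) and no memberOf. The cisco.tunnelgroup value, the rule syntax and the treatment of a rule on an attribute that was not returned (modelled as "no match" for both = and !=) are assumptions; the thread does not state how the ASA evaluates that case.

```python
"""Offline model of DAP-style attribute matching against LDAP search results.

Added example, not from the original thread and not the ASA's real evaluation
engine. It shows why a rule on ldap.memberOf cannot match when the LDAP server
did not return that operational attribute.
"""
from typing import Dict, List, Tuple

# Constructed sample: the entry as returned by "ldapsearch ... '+'" (operational
# attributes requested). Values copied from the LDIF in the question.
LDIF_WITH_OPERATIONAL = """\
dn: cn=exampleuser,ou=People,dc=services,dc=mycompany,dc=com
memberOf: cn=gli,ou=groups,dc=services,dc=mycompany,dc=com
entryDN: cn=exampleuser,ou=People,dc=services,dc=mycompany,dc=com
"""

# Constructed sample: the same entry when only user attributes are requested,
# which is the default when no attribute list is sent. The user attributes
# shown (objectClass, cn, uid) are assumed; the point is that memberOf is absent.
LDIF_DEFAULT = """\
dn: cn=exampleuser,ou=People,dc=services,dc=mycompany,dc=com
objectClass: inetOrgPerson
cn: exampleuser
uid: exampleuser
"""

GROUP = "cn=gli,ou=groups,dc=services,dc=mycompany,dc=com"
TUNNEL_GROUP = "TunnelGroupName"  # assumed name, mirrors the reply above


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse a single LDIF entry into attribute -> list of values.

    LDAP attribute names are case-insensitive, so keys are lower-cased.
    Comment lines and folded continuation lines (leading space) are handled;
    base64 (::) values are not needed for this sample and are not decoded.
    """
    entry: Dict[str, List[str]] = {}
    last = None
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:
            entry[last][-1] += raw[1:]  # continuation of the previous value
            continue
        name, _, value = raw.partition(":")
        name = name.strip().lower()
        entry.setdefault(name, []).append(value.strip())
        last = name
    return entry


def normalise(value: str) -> str:
    """Compare DNs and names case-insensitively, ignoring spaces around commas."""
    return ",".join(part.strip() for part in value.split(",")).lower()


def build_aaa(ldif_text: str, tunnel_group: str = TUNNEL_GROUP) -> Dict[str, Dict[str, List[str]]]:
    """Assemble the AAA attribute namespaces a DAP rule can reference:
    ldap.* comes from the LDAP search result, cisco.* from the session."""
    return {
        "ldap": parse_ldif(ldif_text),
        "cisco": {"tunnelgroup": [tunnel_group]},
    }


def dap_rule(aaa: Dict[str, Dict[str, List[str]]], attribute: str, op: str, expected: str) -> bool:
    """Evaluate one criterion such as ('ldap.memberOf', '=', GROUP).

    '=' matches if any value equals expected; '!=' matches if the attribute is
    present and none of its values equals expected. Assumption (not stated in
    the thread): an attribute that was not returned at all matches neither.
    """
    namespace, _, name = attribute.partition(".")
    values = [normalise(v) for v in aaa.get(namespace, {}).get(name.lower(), [])]
    if not values:
        return False
    hit = normalise(expected) in values
    if op == "=":
        return hit
    if op == "!=":
        return not hit
    raise ValueError(f"unsupported operator {op!r}")


def matches_all(aaa: Dict[str, Dict[str, List[str]]], rules: List[Tuple[str, str, str]]) -> bool:
    """'User has ALL of the following AAA attribute values': every rule must match."""
    return all(dap_rule(aaa, attr, op, value) for attr, op, value in rules)


# The reply's suggestion and the questioner's intended explicit match.
REPLY_RULES = [("ldap.memberOf", "!=", GROUP), ("cisco.tunnelgroup", "=", TUNNEL_GROUP)]
EXPLICIT_RULES = [("ldap.memberOf", "=", GROUP), ("cisco.tunnelgroup", "=", TUNNEL_GROUP)]


if __name__ == "__main__":
    for label, ldif in (("with '+'", LDIF_WITH_OPERATIONAL), ("default attrs", LDIF_DEFAULT)):
        aaa = build_aaa(ldif)
        print(f"{label:14} explicit match: {matches_all(aaa, EXPLICIT_RULES)}  "
              f"reply's != rule: {matches_all(aaa, REPLY_RULES)}")
```

With the result that contains memberOf, the explicit `ldap.memberOf = cn=gli,...` rule matches and the `!=` rule does not; with the default result, memberOf is simply absent and neither rule can match, whatever operator is used. That is the check worth doing before touching the DAP editor: confirm, on the server side, which attributes the ASA's search actually asks for, rather than relying on an ldapsearch that explicitly requested "+".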


LDAP operational attributes match in ASA 5510 during authorisation

Hi Kenneth,

Thanks for the input, but it's not possible for me to do that kind of matching. I have other DAPs in place, therefore I need an explicit match against that operational attribute.