cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1066
Views
0
Helpful
2
Replies

LDAP operational attributes match in ASA 5510 during authorisation

Nicola Volpini
Level 1
Level 1

Hi,

we're using openldap for authorising our user to connect to the webvpn via our ASA.
We'd like to rely on operational attributes to do some DAP matching. This is an example of how a user record looks in our LDAP tree:


# extended LDIF

#

# LDAPv3

# filter: cn=exampleuser

# requesting: +

#

# exampleuser, People, services.mycompany.com

dn: cn=exampleuser,ou=People,dc=services,dc=mycompany,dc=com

memberOf: cn=gli,ou=groups,dc=services,dc=mycompany,dc=com

entryDN: cn=exampleuser,ou=People,dc=services,dc=mycompany,dc=com

# search result

search: 5

result: 0 Success

# numResponses: 2

# numEntries: 1


As you can see we're using the operational attribute "memberOf" which is not visible unless you append a plus to the ldap search.

The issue: the attribute checking is ignored despite having setup a conditional match against the ldap.memberOf attribute in the ASDM DAP editor. The query is visible in the openldap logs:

lapd[809]: conn=949872 op=2 SRCH base="dc=services,dc=mycompany,dc=com" scope=2 deref=3 filter="(cn=exampleuser)"

Are LDAP operational attributes supported at all by the Cisco ASA?

Thanks!

2 Replies 2

kennethgrande
Level 1
Level 1

Specify a Dynamic Access Profile with:

Criteria: User has ALL of the following AAA attribute values...

ldap.memberOf != GroupName

cisco.tunnelgroup = TunnelGruopName

Should work

/K

Hi Kenneth,

thanks for the input but It's not possible for me to do that kind of matching. I have other daps in place, therefore I need an explicit match against that operational attribute.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: