01-14-2013 06:39 AM
Hi,
we're using OpenLDAP for authorising our users to connect to the webvpn via our ASA.
We'd like to rely on operational attributes to do some DAP matching. This is an example of how a user record looks in our LDAP tree:
# extended LDIF
#
# LDAPv3
# filter: cn=exampleuser
# requesting: +
#
# exampleuser, People, services.mycompany.com
dn: cn=exampleuser,ou=People,dc=services,dc=mycompany,dc=com
memberOf: cn=gli,ou=groups,dc=services,dc=mycompany,dc=com
entryDN: cn=exampleuser,ou=People,dc=services,dc=mycompany,dc=com
# search result
search: 5
result: 0 Success
# numResponses: 2
# numEntries: 1
As you can see, we're using the operational attribute "memberOf", which is not visible unless you append a plus to the LDAP search.
The issue: the attribute checking is ignored despite having set up a conditional match against the ldap.memberOf attribute in the ASDM DAP editor. The query is visible in the OpenLDAP logs:
lapd[809]: conn=949872 op=2 SRCH base="dc=services,dc=mycompany,dc=com" scope=2 deref=3 filter="(cn=exampleuser)"
Are LDAP operational attributes supported at all by the Cisco ASA?
Thanks!
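One way to check, from the slapd side, whether a client such as the ASA actually asked for the operational attribute: at the stats log level slapd writes the requested attribute list on a separate "SRCH attr=" line for the same conn/op (that log layout is an assumption here), and a search that never lists "+" or "memberOf" will not get the attribute back no matter what DAP rule is configured. The script below is an added example, not code from the original thread; the log lines are constructed to resemble the one in the post.

```python
import re

# Constructed slapd stats-level log sample (not from the original post).
# Op 949872/2 mirrors the search in the post and asks only for user attributes;
# op 949901/1 requests all operational attributes with "+"; op 949950/3 names memberOf.
SAMPLE_LOG = """\
Jan 14 06:31:02 ldap1 slapd[809]: conn=949872 op=2 SRCH base="dc=services,dc=mycompany,dc=com" scope=2 deref=3 filter="(cn=exampleuser)"
Jan 14 06:31:02 ldap1 slapd[809]: conn=949872 op=2 SRCH attr=cn mail
Jan 14 06:31:02 ldap1 slapd[809]: conn=949872 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 14 06:35:10 ldap1 slapd[809]: conn=949901 op=1 SRCH base="dc=services,dc=mycompany,dc=com" scope=2 deref=3 filter="(cn=exampleuser)"
Jan 14 06:35:10 ldap1 slapd[809]: conn=949901 op=1 SRCH attr=+
Jan 14 06:35:10 ldap1 slapd[809]: conn=949901 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 14 06:40:33 ldap1 slapd[809]: conn=949950 op=3 SRCH base="dc=services,dc=mycompany,dc=com" scope=2 deref=3 filter="(cn=otheruser)"
Jan 14 06:40:33 ldap1 slapd[809]: conn=949950 op=3 SRCH attr=memberOf entryDN
Jan 14 06:40:33 ldap1 slapd[809]: conn=949950 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

# The base/filter line and the attribute-list line share the same conn/op pair.
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" .*filter="([^"]*)"')
ATTR_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH attr=(.*)$')


def parse_searches(log_text):
    """Return {(conn, op): {"base", "filter", "attrs"}} from slapd stats lines.

    A search with no "SRCH attr=" line keeps an empty attrs list, which means the
    client asked for the default (user attributes only).
    """
    searches = {}
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            key = (m.group(1), m.group(2))
            searches[key] = {"base": m.group(3), "filter": m.group(4), "attrs": []}
            continue
        m = ATTR_RE.search(line)
        if m:
            key = (m.group(1), m.group(2))
            searches.setdefault(key, {"base": "", "filter": "", "attrs": []})
            searches[key]["attrs"] = m.group(3).split()
    return searches


def requests_operational(attrs, wanted="memberOf"):
    """True if the request lists "+" (all operational attrs) or names `wanted` explicitly.

    LDAP attribute names are case-insensitive, so compare in lower case.
    """
    lowered = {a.lower() for a in attrs}
    return "+" in lowered or wanted.lower() in lowered


def audit(log_text, wanted="memberOf"):
    """Map each (conn, op) search to its filter and whether `wanted` could be returned."""
    return {
        key: {"filter": s["filter"], "ok": requests_operational(s["attrs"], wanted)}
        for key, s in parse_searches(log_text).items()
    }


if __name__ == "__main__":
    for (conn, op), info in audit(SAMPLE_LOG).items():
        verdict = "requested" if info["ok"] else "NOT requested (default attrs only)"
        print(f"conn={conn} op={op} {info['filter']}: memberOf {verdict}")
```

Run it against a real slapd log (loglevel stats) and look for the ASA's connections: if every authorisation search shows "NOT requested", the DAP rule on ldap.memberOf has nothing to match on, regardless of how the rule itself is written.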
01-14-2013 02:33 PM
Specify a Dynamic Access Profile with:
Criteria: User has ALL of the following AAA attribute values...
ldap.memberOf != GroupName
cisco.tunnelgroup = TunnelGroupName
Should work
/K
01-15-2013 12:40 AM
Hi Kenneth,
thanks for the input, but it's not possible for me to do that kind of matching. I have other DAPs in place, therefore I need an explicit match against that operational attribute.