Hello Ernesto,
Take a look at ASDM
Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies
Create a new or edit a DAP policy and expand the 'Advanced' section.
Source: ASDM Online Help and
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bf4915.shtml#ou
OU-Based Match Example
DAP can use many attributes returned from an LDAP server in a logical expression. See the DAP trace section for example output of this, or run a debug dap trace.
The LDAP server returns the user Distinguished Name (DN). This implicitly identifies where in the directory the user object is located. For example, if the user DN is CN=Example User,OU=Admins,dc=cisco,dc=com this user is located in OU=Admins,dc=cisco,dc=com. If all administrators are in this OU (or any container below this level) you can use a logical expression to match on this criteria as follows:
assert(function()
    if ( (type(aaa.ldap.distinguishedName) == "string") and
         (string.find(aaa.ldap.distinguishedName, "OU=Admins,dc=cisco,dc=com$") ~= nil) )
    then
        return true
    end
    return false
end)()
HTH.
Best regards,
Paul
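
An added example, not from the post or the Cisco tech note: the same suffix test as plain Lua, so it can be tried in a stock interpreter before going into a DAP expression. It goes slightly beyond the quoted expression by comparing case-insensitively and escaping Lua pattern characters such as "-" and "." in the OU name; naive_match, dn_in_ou and the sample DNs are constructed, and inside DAP the DN would come from aaa.ldap.distinguishedName.

```lua
-- Added example (standalone Lua, not Cisco's code). Function names and the
-- sample DNs are constructed for illustration.

-- Escape Lua pattern magic characters so an OU suffix is matched literally.
local function escape_pattern(s)
  return (s:gsub("[%^%$%(%)%%%.%[%]%*%+%-%?]", "%%%0"))
end

-- The check as quoted in the post: the raw suffix is used as a Lua pattern,
-- so "-" acts as a quantifier, "." as a wildcard, and case must match exactly.
local function naive_match(dn, suffix)
  return type(dn) == "string" and string.find(dn, suffix .. "$") ~= nil
end

-- Hardened check: case-insensitive, literal suffix, RDN-boundary aware.
local function dn_in_ou(dn, suffix)
  if type(dn) ~= "string" then return false end
  local d, pat = dn:lower(), escape_pattern(suffix:lower())
  -- The suffix must follow a "," that is not backslash-escaped, i.e. a real
  -- RDN separator. An escaped backslash directly before the comma is also
  -- rejected, so the check fails closed rather than open.
  return string.find(d, "[^\\]," .. pat .. "$") ~= nil
end

-- Constructed test DNs: { distinguishedName, OU suffix to require }.
local cases = {
  { "CN=Example User,OU=Admins,dc=cisco,dc=com",     "OU=Admins,dc=cisco,dc=com" },
  { "CN=Example User,OU=Admins,DC=cisco,DC=com",     "OU=Admins,dc=cisco,dc=com" },
  { "CN=Example User,OU=VPN-Admins,dc=cisco,dc=com", "OU=VPN-Admins,dc=cisco,dc=com" },
  { "CN=Example User,OU=Staff,dc=cisco,dc=com",      "OU=Admins,dc=cisco,dc=com" },
  { nil,                                             "OU=Admins,dc=cisco,dc=com" },
}

for _, c in ipairs(cases) do
  print(string.format("%-50s naive=%-5s hardened=%s",
    tostring(c[1]),
    tostring(naive_match(c[1], c[2])),
    tostring(dn_in_ou(c[1], c[2]))))
end
```

The second and third cases are where the two checks disagree: a DN returned with upper-case "DC=" and an OU name containing "-" both fail the raw pattern even though the user is in the intended container.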