You can only use LDAP for basic authentication, not authorization.
"LDAP/AD authorization and accounting are not supported for Remote Access VPN."
As of the current release 6.3, you'd need to use an external RADIUS server (like Cisco ISE) as an intermediary to provide granular user authorization based on LDAP attributes.
I got it working for a customer I believe was running 6.3.
A different customer that was running 6.4 would throw an error trying to run the "aaa-server" command.
Apparently there's a bug (that's what TAC said); as soon as we changed "ldap attribute-map" to "lda attribute-map" (leave off the "p") and "aaa-server" to "aaa-serve" (leave off the "r") it took the FlexConfig.
Was it possible to implement a similar scheme for connecting remote users? I tried to configure it according to this article, but without success...
Cisco Firepower 1140 Threat Defense 6.4.0
In this particular case, LDAP is the realm name.
10.191.10.57 is the AD DC.
Group10 and Group192 are the group policy names.
Got it. Screen with correct settings.
aaa-server <LDAP/AD_Realm_name> host <AD Server IP>
In this case, LDAP is the realm name.
lda attribute-map <LDAP_Map_for_VPN_Access>
map-name memberOf Group-Policy
map-value memberOf CN=APP-SSL-VPN Managers,CN=Users,OU=stbu,DC=cisco,DC=com LabAdminAccessGroupPolicy
map-value memberOf CN=cisco-Eng,CN=Users,OU=stbu,DC=cisco,DC=com VPNAccessGroupPolicy
Sorry yes correct that is the realm name.
Also one funny thing I noticed. If you have to go back and add a group later the deploy fails with an error that the attribute map already exists.
I put this at the beginning of my attribute map:
no lda attribute-map <LDAP_Map_for_VPN_Access>
With that, any time I update the map and deploy, it removes the map and re-creates it. I no longer receive errors when I update the attribute map.
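Putting the pieces from the thread together, here is an added example (not taken from any of the posts above) of a complete FlexConfig text block for the 6.4 case: it drops and re-creates the map on every deploy, uses the truncated "lda" / "aaa-serve" spellings from the TAC workaround, and then binds the map to the realm's AD host. The map name, realm name (LDAP), host 10.191.10.57 and the Group10 / Group192 policy names come from the thread; the CN=...,DC=... DNs are constructed placeholders, and the "ldap-attribute-map" line under the host is assumed from standard ASA syntax, since no post shows that binding.

```text
no lda attribute-map LDAP_Map_for_VPN_Access
lda attribute-map LDAP_Map_for_VPN_Access
 map-name memberOf Group-Policy
 map-value memberOf CN=VPN-Group10,CN=Users,DC=example,DC=local Group10
 map-value memberOf CN=VPN-Group192,CN=Users,DC=example,DC=local Group192
aaa-serve LDAP host 10.191.10.57
 ldap-attribute-map LDAP_Map_for_VPN_Access
```

A user whose memberOf values match none of the map-value lines is not rejected by the map itself; they land in the connection profile's default group policy, so that default policy (managed in FMC) has to be one that denies the VPN session, otherwise the map only steers access rather than gating it.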