LDAP operational attributes match in ASA 5510 during authorisation

Nicola Volpini
Level 1

Hi,

we're using openldap for authorising our users to connect to the webvpn via our ASA.
We'd like to rely on operational attributes to do some DAP matching. This is an example of how a user record looks in our LDAP tree:


# extended LDIF
#
# LDAPv3
# filter: cn=exampleuser
# requesting: +
#

# exampleuser, People, services.mycompany.com
dn: cn=exampleuser,ou=People,dc=services,dc=mycompany,dc=com
memberOf: cn=gli,ou=groups,dc=services,dc=mycompany,dc=com
entryDN: cn=exampleuser,ou=People,dc=services,dc=mycompany,dc=com

# search result
search: 5
result: 0 Success

# numResponses: 2
# numEntries: 1


As you can see we're using the operational attribute "memberOf" which is not visible unless you append a plus to the ldap search.

The issue: the attribute checking is ignored despite having set up a conditional match against the ldap.memberOf attribute in the ASDM DAP editor. The query is visible in the openldap logs:

lapd[809]: conn=949872 op=2 SRCH base="dc=services,dc=mycompany,dc=com" scope=2 deref=3 filter="(cn=exampleuser)"

Are LDAP operational attributes supported at all by the Cisco ASA?

Thanks!
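The post's diagnosis rests on what the ASA actually asks the directory for. In OpenLDAP's stats log (loglevel 256) each search produces a `SRCH base=... scope=... filter=...` line and, when the client names specific attributes, a second `SRCH attr=...` line for the same `conn`/`op`; operational attributes such as `memberOf` (as served by the memberof overlay) and `entryDN` are only returned when they are requested by name or through the `+` selector. The script below is an added example, not part of the original thread or of any Cisco or OpenLDAP code: it parses slapd stats lines and reports, per search, whether a given operational attribute was requested. The log lines are constructed for the example (the first one mirrors the search quoted in the post); the function names are my own.

```python
"""Audit slapd stats-log searches for requested operational attributes.

Constructed example: parses OpenLDAP 'SRCH base=' / 'SRCH attr=' log lines
and decides whether a client asked for an operational attribute such as
memberOf or entryDN (by name or via the '+' selector). A search with no
attr line gets the server default, i.e. user attributes only ('*').
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# 'conn=N op=M SRCH base="..." scope=S deref=D filter="..."'
SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d) deref=(?P<deref>\d) filter="(?P<filter>[^"]*)"'
)
# 'conn=N op=M SRCH attr=a b c'  (only logged when the client listed attributes)
ATTR_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH attr=(?P<attrs>.*)$')


@dataclass
class Search:
    conn: str
    op: str
    base: str
    scope: int
    filter: str
    attrs: List[str] = field(default_factory=list)  # empty => server default ('*')

    def requests_operational(self, name: str) -> bool:
        """True if the client asked for operational attribute `name`.

        '+' selects every operational attribute; LDAP attribute names are
        case-insensitive, so compare in lower case.
        """
        wanted = {a.lower() for a in self.attrs}
        return "+" in wanted or name.lower() in wanted


def parse_slapd_log(lines: Iterable[str]) -> List[Search]:
    """Pair each SRCH base line with its optional SRCH attr line by (conn, op)."""
    searches: Dict[Tuple[str, str], Search] = {}
    order: List[Tuple[str, str]] = []
    for line in lines:
        m = SRCH_RE.search(line)
        if m:
            key = (m["conn"], m["op"])
            searches[key] = Search(m["conn"], m["op"], m["base"],
                                   int(m["scope"]), m["filter"])
            order.append(key)
            continue
        m = ATTR_RE.search(line)
        if m and (m["conn"], m["op"]) in searches:
            searches[(m["conn"], m["op"])].attrs = m["attrs"].split()
    return [searches[k] for k in order]


def audit(lines: Iterable[str], name: str = "memberOf") -> List[Tuple[str, str, bool]]:
    """Return (conn, op, requested?) for every search found in `lines`."""
    return [(s.conn, s.op, s.requests_operational(name)) for s in parse_slapd_log(lines)]


# Constructed sample log. The first search has no attr line (user attributes
# only); the second names memberOf and entryDN; the third uses '+'.
SAMPLE_LOG = [
    'Jan 10 12:00:01 ldap1 slapd[809]: conn=949872 op=2 SRCH base="dc=services,dc=mycompany,dc=com" scope=2 deref=3 filter="(cn=exampleuser)"',
    'Jan 10 12:00:01 ldap1 slapd[809]: conn=949872 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=',
    'Jan 10 12:00:05 ldap1 slapd[809]: conn=949880 op=1 SRCH base="dc=services,dc=mycompany,dc=com" scope=2 deref=3 filter="(cn=exampleuser)"',
    'Jan 10 12:00:05 ldap1 slapd[809]: conn=949880 op=1 SRCH attr=memberOf entryDN',
    'Jan 10 12:00:09 ldap1 slapd[809]: conn=949881 op=1 SRCH base="ou=People,dc=services,dc=mycompany,dc=com" scope=1 deref=0 filter="(uid=exampleuser)"',
    'Jan 10 12:00:09 ldap1 slapd[809]: conn=949881 op=1 SRCH attr=+',
]

if __name__ == "__main__":
    for conn, op, ok in audit(SAMPLE_LOG, "memberOf"):
        print(f"conn={conn} op={op} memberOf requested: {ok}")
```

Feed it the relevant lines from the slapd log while a VPN login is in progress: if the ASA's search shows no `SRCH attr=` line (or only `*`), the directory never returns `memberOf` or `entryDN` to it, which is consistent with a DAP condition on `ldap.memberOf` never matching.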

2 Replies

kennethgrande
Level 1

Specify a Dynamic Access Profile with:

Criteria: User has ALL of the following AAA attribute values...

ldap.memberOf != GroupName

cisco.tunnelgroup = TunnelGroupName

Should work

/K

Hi Kenneth,

thanks for the input, but it's not possible for me to do that kind of matching. I have other DAPs in place, therefore I need an explicit match against that operational attribute.