OpenLDAP as Identity Sources

I'm running a Firepower 1010 with FTD 6.6.1-91, and have a problem setting up an Identity Source with OpenLDAP for RA VPN.

What I do:

  1. Add a new AD Identity realm.
  2. Fill in Name, Directory Username in DN notation (cn=user,dc=org...), Directory Password, Base DN and IP address. No encryption; AD domain filled with a random string.
  3. I have already set up the slapd server (which was previously used with an ASA 5508 without problems).

What I want:

  1. Press Test and get all green checks.

What I get:

  1. Green check with "Realm is available for Identity policies."
  2. Red cross with "Cannot connect to realm for RA VPN. ERROR: Authentication Server not responding"
  3. LDAP server says:


Feb 25 20:04:11 ldapserver slapd[4718]: conn=1009 fd=18 ACCEPT from IP=FIREPOWER_IP (IP=0.0.0.0:389)
Feb 25 20:04:11 ldapserver slapd[4718]: conn=1009 op=0 BIND dn="cn=user,dc=org" method=128
Feb 25 20:04:11 ldapserver slapd[4718]: conn=1009 op=0 BIND dn="cn=user,dc=org" mech=SIMPLE ssf=0
Feb 25 20:04:11 ldapserver slapd[4718]: conn=1009 op=0 RESULT tag=97 err=0 text=
Feb 25 20:04:11 ldapserver slapd[4718]: conn=1009 op=1 UNBIND
Feb 25 20:04:11 ldapserver slapd[4718]: conn=1009 fd=18 closed

If I SSH to the Firepower and run `test aaa-server <...>` I get:

INFO: Attempting Authentication test to IP address (LDAPSERVER) (timeout: 12 seconds)
ERROR: Authentication Server not responding: AAA Server has been removed

If I SSH to the Firepower and run `ldapsearch LDAPSERVER 389 <...>` I see proper output:

ldap_initialize( ldap://LDAPSERVER:389 )
Enter LDAP Password:
filter: (objectclass=*)
requesting: *
# extended LDIF
#
# LDAPv3
# base <%ou=base,dc=dn%> with scope subtree
# filter: (objectclass=*)
# requesting: *
#

And so on (cn, dn, userName, etc.).

What am I missing?
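The slapd lines quoted in this post show the realm test binding successfully (RESULT err=0) with a SIMPLE bind at ssf=0, that is, with the directory password sent without TLS, before the connection is unbound. The following is an added example, not code from this thread, from Cisco or from the OpenLDAP project: it correlates slapd access-log lines by conn and op to report each bind's result and whether TLS protected it. The sample log, the client address and the second (STARTTLS, rejected) connection are constructed for illustration.

```python
import re

# Constructed sample in slapd's syslog format, modelled on the excerpt above. The client
# address and the second (STARTTLS, rejected) connection are invented for illustration.
SAMPLE_LOG = """\
Feb 25 20:04:11 ldapserver slapd[4718]: conn=1009 fd=18 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Feb 25 20:04:11 ldapserver slapd[4718]: conn=1009 op=0 BIND dn="cn=user,dc=org" method=128
Feb 25 20:04:11 ldapserver slapd[4718]: conn=1009 op=0 BIND dn="cn=user,dc=org" mech=SIMPLE ssf=0
Feb 25 20:04:11 ldapserver slapd[4718]: conn=1009 op=0 RESULT tag=97 err=0 text=
Feb 25 20:04:11 ldapserver slapd[4718]: conn=1009 op=1 UNBIND
Feb 25 20:04:11 ldapserver slapd[4718]: conn=1009 fd=18 closed
Feb 25 20:05:02 ldapserver slapd[4718]: conn=1010 fd=19 ACCEPT from IP=192.0.2.10:51240 (IP=0.0.0.0:389)
Feb 25 20:05:02 ldapserver slapd[4718]: conn=1010 fd=19 TLS established tls_ssf=256 ssf=256
Feb 25 20:05:02 ldapserver slapd[4718]: conn=1010 op=1 BIND dn="cn=user,dc=org" mech=SIMPLE ssf=0
Feb 25 20:05:02 ldapserver slapd[4718]: conn=1010 op=1 RESULT tag=97 err=49 text=
"""

LINE_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(?P<client>\S+) \(IP=\S+:(?P<port>\d+)\)")
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" mech=(?P<mech>\S+)')
RESULT_RE = re.compile(r"op=(?P<op>\d+) RESULT .*err=(?P<err>\d+)")

def audit_binds(log_text):
    """One record per BIND: who bound as what, whether TLS protected it, and the result code."""
    conns, pending, binds = {}, {}, []   # per-conn state; (conn, op) awaiting RESULT; output
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, rest = m["conn"], m["rest"]
        state = conns.setdefault(conn, {"client": "?", "tls": False})
        if a := ACCEPT_RE.search(rest):
            state["client"] = a["client"].rsplit(":", 1)[0]
            state["tls"] = a["port"] == "636"            # ldaps listener is TLS from the start
        elif "TLS established" in rest:
            state["tls"] = True                          # STARTTLS negotiated on a plain port
        elif b := BIND_RE.search(rest):
            rec = {"conn": conn, "client": state["client"], "dn": b["dn"], "mech": b["mech"],
                   "encrypted": state["tls"], "err": None}
            pending[(conn, b["op"])] = rec
            binds.append(rec)
        elif r := RESULT_RE.search(rest):
            rec = pending.pop((conn, r["op"]), None)     # RESULT closes the matching op
            if rec:
                rec["err"] = int(r["err"])               # 0 = success, 49 = invalidCredentials
    return binds

def cleartext_simple_binds(log_text):
    """Binds whose password crossed the wire unprotected: SIMPLE mech on a non-TLS connection."""
    return [b for b in audit_binds(log_text) if b["mech"] == "SIMPLE" and not b["encrypted"]]
```

Run against a real slapd log (loglevel stats), the cleartext list is a quick way to confirm which clients, the Firepower included, still bind without TLS after "No encryption" is chosen in the realm settings.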



I'd just read that clear LDAP was added only in FDM 6.7 (still not recommended). Is it true? Do I need to reformat my LDAP schema in some Cisco manner (whatever it is) or something?

Rob Ingram
VIP Mentor

@Dmitrij Kryzhevich 

I've checked my FDM running 6.7, unfortunately LDAP is not an option as an Identity Source.
