OpenLDAP as Identity Sources

I'm running a Firepower 1010 with FTD 6.6.1-91 and have a problem setting up an Identity Source with OpenLDAP for RA VPN.

What I do.

  1. Add a new AD Identity Realm.
  2. Fill in Name, Directory Username in DN notation (cn=user,dc=org...), Directory Password, Base DN, and IP address. No encryption; AD domain filled with a random string.
  3. I have already set up the slapd server (which was earlier used with an ASA 5508 without problems).

What I want.

  1. Press Test and get all green checks.

What I get.

  1. Green check with "Realm is available for Identity policies."
  2. Red cross with "Cannot connect to realm for RA VPN. ERROR: Authentication Server not responding"
  3. LDAP server says:

Feb 25 20:04:11 ldapserver slapd[4718]: conn=1009 fd=18 ACCEPT from IP=FIREPOWER_IP (IP=0.0.0.0:389)
Feb 25 20:04:11 ldapserver slapd[4718]: conn=1009 op=0 BIND dn="cn=user,dc=org" method=128
Feb 25 20:04:11 ldapserver slapd[4718]: conn=1009 op=0 BIND dn="cn=user,dc=org" mech=SIMPLE ssf=0
Feb 25 20:04:11 ldapserver slapd[4718]: conn=1009 op=0 RESULT tag=97 err=0 text=
Feb 25 20:04:11 ldapserver slapd[4718]: conn=1009 op=1 UNBIND
Feb 25 20:04:11 ldapserver slapd[4718]: conn=1009 fd=18 closed

If I SSH to the Firepower and run `test aaa-server <...>` I get:

INFO: Attempting Authentication test to IP address (LDAPSERVER) (timeout: 12 seconds)
ERROR: Authentication Server not responding: AAA Server has been removed

If I SSH to the Firepower and run `ldapsearch LDAPSERVER 389 <...>` I see proper output:

ldap_initialize( ldap://LDAPSERVER:389 )
Enter LDAP Password:
filter: (objectclass=*)
requesting: *
# extended LDIF
#
# LDAPv3
# base <%ou=base,dc=dn%> with scope subtree
# filter: (objectclass=*)
# requesting: *
#

And so on (cn, dn, userName, etc.).

What am I missing?
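A parser for slapd session logs like the one pasted above, added here as an example (it is not from the post, from OpenLDAP, or from Cisco): it groups lines by conn=, records each bind's mechanism, ssf and result code, and flags cleartext simple binds (ssf=0 on port 389, which is what the "No encryption" setting produces), failed binds, and bind-only sessions with no search before UNBIND, which is exactly the shape of the connectivity test in the post. The sample log is constructed: conn=1009 mirrors the posted lines with a made-up client IP, and conn=1010 is an invented TLS session.

```python
import re

# Constructed sample: conn=1009 mirrors the session in the post (client IP invented);
# conn=1010 is an invented TLS session that searches and then fails a user bind.
SAMPLE_LOG = """\
Feb 25 20:04:11 ldapserver slapd[4718]: conn=1009 fd=18 ACCEPT from IP=192.0.2.10:49152 (IP=0.0.0.0:389)
Feb 25 20:04:11 ldapserver slapd[4718]: conn=1009 op=0 BIND dn="cn=user,dc=org" method=128
Feb 25 20:04:11 ldapserver slapd[4718]: conn=1009 op=0 BIND dn="cn=user,dc=org" mech=SIMPLE ssf=0
Feb 25 20:04:11 ldapserver slapd[4718]: conn=1009 op=0 RESULT tag=97 err=0 text=
Feb 25 20:04:11 ldapserver slapd[4718]: conn=1009 op=1 UNBIND
Feb 25 20:04:11 ldapserver slapd[4718]: conn=1009 fd=18 closed
Feb 25 20:05:02 ldapserver slapd[4718]: conn=1010 fd=19 ACCEPT from IP=192.0.2.10:49160 (IP=0.0.0.0:636)
Feb 25 20:05:02 ldapserver slapd[4718]: conn=1010 op=0 BIND dn="cn=user,dc=org" mech=SIMPLE ssf=256
Feb 25 20:05:02 ldapserver slapd[4718]: conn=1010 op=0 RESULT tag=97 err=0 text=
Feb 25 20:05:02 ldapserver slapd[4718]: conn=1010 op=1 SRCH base="dc=org" scope=2 deref=0 filter="(uid=alice)"
Feb 25 20:05:02 ldapserver slapd[4718]: conn=1010 op=2 BIND dn="uid=alice,ou=people,dc=org" mech=SIMPLE ssf=256
Feb 25 20:05:02 ldapserver slapd[4718]: conn=1010 op=2 RESULT tag=97 err=49 text=
"""

LINE_RE = re.compile(r"conn=(?P<conn>\d+) (?P<body>.*)$")
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" mech=(?P<mech>\S+) ssf=(?P<ssf>\d+)')
RESULT_RE = re.compile(r"op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")  # tag=97 is a BindResponse
SRCH_RE = re.compile(r'op=\d+ SRCH base="')

def parse_sessions(log):
    """Group slapd log lines by conn= and record binds, searches and teardown."""
    sessions = {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(int(m["conn"]), {"binds": {}, "searches": 0, "unbind": False})
        body = m["body"]
        if b := BIND_RE.match(body):  # only the second BIND line carries mech/ssf
            s["binds"][int(b["op"])] = {"dn": b["dn"], "mech": b["mech"], "ssf": int(b["ssf"]), "err": None}
        elif (r := RESULT_RE.match(body)) and int(r["op"]) in s["binds"]:
            s["binds"][int(r["op"])]["err"] = int(r["err"])
        elif SRCH_RE.match(body):
            s["searches"] += 1
        elif body.startswith("op=") and body.endswith("UNBIND"):
            s["unbind"] = True
    return sessions

def findings(sessions):
    """Flag cleartext binds, failed binds, and bind-only sessions (the shape of the FTD test)."""
    out = []
    for conn, s in sorted(sessions.items()):
        for op, b in sorted(s["binds"].items()):
            if b["mech"] == "SIMPLE" and b["ssf"] == 0:
                out.append(f"conn={conn} op={op}: cleartext simple bind as {b['dn']} (password exposed on the wire)")
            if b["err"] not in (None, 0):
                out.append(f"conn={conn} op={op}: bind as {b['dn']} failed err={b['err']}")
        if any(b["err"] == 0 for b in s["binds"].values()) and not s["searches"] and s["unbind"]:
            out.append(f"conn={conn}: bind succeeded but no search before UNBIND (connectivity test only)")
    return out
```

Run it over a real slapd log (loglevel stats) to confirm whether the FTD ever issues a search after binding; in the posted log it does not, so the failure is on the FTD side after a successful bind.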


2 Replies

I'd just read that clear LDAP was added only in FDM 6.7 (still not recommended). Is it true? Need I reformat my LDAP schema in some Cisco manner (whatever it is) or something?

Rob Ingram
VIP Expert

@Dmitrij Kryzhevich 

I've checked my FDM running 6.7, unfortunately LDAP is not an option as an Identity Source.
