OpenLDAP group Authentication issue with Cisco ASA RAVPN

bheda.laxman
Level 1

Hi,

I've configured RA VPN on an ASA5520 with OpenLDAP server authentication. It works fine for all the users that exist in the LDAP database, but my requirement is that I want one particular group to be able to access the VPN, not all the users. I have checked most of the Cisco documents, but they all lead to Microsoft AD and LDAP attribute map creation. Is there any way to achieve the same thing with an OpenLDAP server and not with AD?

5 Replies

bheda.laxman
Level 1

Got it working.

Created the LDAP attribute map with the memberUid attribute and used it as an Authorization server. No map in the Authentication server.

Hi, could you please help me with my part of the configuration? I am trying to achieve the same thing as you did: not only authenticate, but also authorize particular users according to their OpenLDAP groups.

Do you mean that it's necessary to create another aaa-server just for the authorization?

Here is my configuration

==================
aaa-server OpenLDAPsrv protocol ldap
aaa-server OpenLDAPsrv (outside) host ldap.work.com
server-port 389
ldap-base-dn dc=work,dc=com
ldap-scope subtree
ldap-naming-attribute uid
ldap-login-password ***
ldap-login-dn cn=asa,dc=work,dc=com
server-type openldap
ldap-attribute-map LDAPmapping
!
ldap attribute-map LDAPmapping
  map-name memberOf Group-Policy
  map-value memberOf cn=vpn_group1,cn=vpn_Users,ou=Groups,dc=work,dc=com LDAPtestGroup1
  map-value memberOf cn=vpn_group2,cn=vpn_Users,ou=Groups,dc=work,dc=com LDAPtestGroup2
!
group-policy LDAPtestGroup1 internal
group-policy LDAPtestGroup1 attributes
  vpn-tunnel-protocol IPSec l2tp-ipsec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split1
!
group-policy LDAPtestGroup2 internal
group-policy LDAPtestGroup2 attributes
  vpn-tunnel-protocol IPSec l2tp-ipsec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split2
!
tunnel-group LDAPtestTunnel type remote-access
tunnel-group LDAPtestTunnel general-attributes
  authentication-server-group OpenLDAPsrv
  authorization-server-group OpenLDAPsrv
  authorization-required
  address-pool remoteaccesspool
  default-group-policy NoAccess
tunnel-group LDAPtestTunnel ipsec-attributes
pre-shared-key ***
!
group-policy NoAccess internal
group-policy NoAccess attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol IPSec l2tp-ipsec
address-pools none
==============================

Jozef

Hi Jozef.cmroej,

Yep, that's right. Your config looks okay; what you additionally have to do is create one more aaa-server group with the same IP/host and a different aaa name. Reference the newly created aaa server for authentication and use this one (OpenLDAPsrv) for authorization.

I could send you the working config, but it will take 3-4 days as I'm travelling these days.

Let me know if that doesn't work.

-Laxman

Hi Laxman,

thank you for your reply. I added an additional LDAP server group for authorization and am trying to match the LDAP attribute name CN, which gives me the name of the LDAP group. The ASA then matches this attribute to a group policy.

But what I would like to achieve is authorization for a user who is a member of more than one group in the OpenLDAP server. I would use Dynamic Access Policies, where I would define that a user must have all attributes (LDAP groups) in order to get access to the network. But even though the LDAP server sends multiple attributes that identify the user's LDAP groups, I get only one of the user's groups on the ASA, the one first in the alphabet.

Example:

vpnuser3 is a member of 2 groups, vpn_group1 and vpn_group2, but in the debug I see only one group, vpn_group1.

[14595] Session Start
[14595] New request Session, context 0xd862b898, reqType = Authentication
[14595] Fiber started
[14595] Creating LDAP context with uri=ldap://x.x.x.x:390
[14595] Connect to LDAP server: ldap://x.x.x.x:390, status = Successful
[14595] supportedLDAPVersion: value = 3
[14595] Binding as asa
[14595] Performing Simple authentication for asa to x.x.x.x
[14595] LDAP Search:
        Base DN = [OU=Users,DC=work,DC=com]
        Filter  = [uid=vpnuser3]
        Scope   = [SUBTREE]
[14595] User DN = [uid=vpnuser3,ou=servis,ou=Users,dc=work,dc=com]
[14595] Server type for x.x.x.x unknown - no password policy
[14595] Binding as vpnuser3
[14595] Performing Simple authentication for vpnuser3 to x.x.x.x
[14595] Processing LDAP response for user vpnuser3
[14595] Authentication successful for vpnuser3 to x.x.x.x
[14595] Retrieved User Attributes:
[14595]         employeeType: value = Spec
[14595]         sambaPrimaryGroupSID: value = S-1-5-21-2974034282-1106368442-2707221876-513
[14595]         displayName: value = vpnuser3
[14595]         givenName: value = vpnuser3
[14595]         sambaLogonScript: value = logon.cmd
[14595]         objectClass: value = top
[14595]         objectClass: value = person
[14595]         objectClass: value = organizationalPerson
[14595]         objectClass: value = inetOrgPerson
[14595]         objectClass: value = posixAccount
[14595]         objectClass: value = shadowAccount
[14595]         objectClass: value = sambaSamAccount
[14595]         sambaHomeDrive: value = H:
[14595]         sambaLogonTime: value = 0
[14595]         uid: value = vpnuser3
[14595]         mail: value = vpnuser3@work.com
[14595]         uidNumber: value = 3365
[14595]         cn: value = vpnuser3
[14595]         sambaLogoffTime: value = 2147483647
[14595]         sambaPwdLastSet: value = 1326810783
[14595]         loginShell: value = /bin/bash
[14595]         sambaAcctFlags: value = [UX]
[14595]         sambaProfilePath: value = \\hfserver\profiles\vpnuser3
[14595]         gidNumber: value = 513
[14595]         sambaPwdMustChange: value = 2147483647
[14595]         sambaPwdCanChange: value = 0
[14595]         gecos: value = System User
[14595]         sambaSID: value = S-1-5-21-2974034282-1106368442-2707221876-7730
[14595]         homeDirectory: value = /home/users/vpnuser3
[14595]         sambaKickoffTime: value = 2147483647
[14595]         sn: value = vpnuser3
[14595]         sambaHomePath: value = \\hfserver\vpnuser3
[14595] Fiber exit Tx=321 bytes Rx=1115 bytes, status=1
[14595] Session End
[14596] Session Start
[14596] New request Session, context 0xd862b898, reqType = Other
[14596] Fiber started
[14596] Creating LDAP context with uri=ldap://x.x.x.x:390
[14596] Connect to LDAP server: ldap://x.x.x.x:390, status = Successful
[14596] supportedLDAPVersion: value = 3
[14596] Binding as asa
[14596] Performing Simple authentication for asa to x.x.x.x
[14596] LDAP Search:
        Base DN = [OU=Groups,DC=work,DC=com]
        Filter  = [memberUid=vpnuser3]
        Scope   = [SUBTREE]
[14596] User DN = [cn=vpn_group1,ou=Groups,dc=work,dc=com]
[14596] LDAP Search:
        Base DN = [OU=Groups,dc=work,dc=com]
        Filter  = [memberUid=vpnuser3]
        Scope   = [SUBTREE]
[14596] Retrieved User Attributes:
[14596]         sambaSID: value = S-1-5-21-2974034282-1106368442-2707221876-1007
[14596]         gidNumber: value = 1007
[14596]         memberUid: value = vpnuser3
[14596]         displayName: value = vpn_group1
[14596]         sambaGroupType: value = 2
[14596]         objectClass: value = top
[14596]         objectClass: value = posixGroup
[14596]         objectClass: value = sambaGroupMapping
[14596]         cn: value = vpn_group1
[14596] Fiber exit Tx=333 bytes Rx=2719 bytes, status=1
[14596] Session End

Is it possible to match multiple LDAP groups to one DAP on the ASA?

Jozef
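To make the two-phase flow in Laxman's answer and the single-group result in Jozef's debug output concrete, here is an added example that is not part of the thread and not Cisco's code. It parses `debug ldap` output in the format shown above, applies an attribute map keyed on the group entry's `cn` (the attribute Jozef says he maps, since the authorization search `memberUid=<user>` returns a posixGroup entry, not the user), and then runs the DAP-style "must hold all of these groups" check. The sample log is constructed to mirror the thread's output; the group and policy names, the choice to key the map on `cn`, and the assumption that unmapped values pass through the map unchanged are all mine.

```python
"""Parse Cisco ASA 'debug ldap' output and evaluate an ldap attribute-map.

Added example, not from the thread. SAMPLE_DEBUG is constructed after the
thread's output; policy and group names are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: an authentication session (user entry found via uid)
# followed by an authorization session (posixGroup entry found via memberUid).
SAMPLE_DEBUG = """\
[14595] Session Start
[14595] New request Session, context 0xd862b898, reqType = Authentication
[14595] supportedLDAPVersion: value = 3
[14595] LDAP Search:
        Base DN = [OU=Users,DC=work,DC=com]
        Filter  = [uid=vpnuser3]
        Scope   = [SUBTREE]
[14595] User DN = [uid=vpnuser3,ou=servis,ou=Users,dc=work,dc=com]
[14595] Authentication successful for vpnuser3 to x.x.x.x
[14595] Retrieved User Attributes:
[14595]         uid: value = vpnuser3
[14595]         cn: value = vpnuser3
[14595]         gidNumber: value = 513
[14595] Session End
[14596] Session Start
[14596] New request Session, context 0xd862b898, reqType = Other
[14596] LDAP Search:
        Base DN = [OU=Groups,DC=work,DC=com]
        Filter  = [memberUid=vpnuser3]
        Scope   = [SUBTREE]
[14596] User DN = [cn=vpn_group1,ou=Groups,dc=work,dc=com]
[14596] Retrieved User Attributes:
[14596]         gidNumber: value = 1007
[14596]         memberUid: value = vpnuser3
[14596]         objectClass: value = top
[14596]         objectClass: value = posixGroup
[14596]         cn: value = vpn_group1
[14596] Session End
"""

LINE_RE = re.compile(r"^\[(\d+)\]\s+(.*)$")
REQ_RE = re.compile(r"reqType = (\w+)")
DN_RE = re.compile(r"^User DN = \[(.*)\]$")
ATTR_RE = re.compile(r"^(\S+): value = (.*)$")


def parse_debug(text):
    """Return {session_id: {"req_type", "user_dn", "attrs"}}.

    Only lines after 'Retrieved User Attributes:' count as attributes, so the
    earlier 'supportedLDAPVersion: value = 3' line is not mistaken for one.
    """
    sessions = {}
    collecting = set()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # indented Base DN / Filter / Scope lines carry no [id]
        sid, body = m.group(1), m.group(2).strip()
        sess = sessions.setdefault(
            sid, {"req_type": None, "user_dn": None, "attrs": defaultdict(list)})
        if (req := REQ_RE.search(body)):
            sess["req_type"] = req.group(1)
        elif (dn := DN_RE.match(body)):
            sess["user_dn"] = dn.group(1)
        elif body == "Retrieved User Attributes:":
            collecting.add(sid)
        elif body == "Session End":
            collecting.discard(sid)
        elif sid in collecting and (attr := ATTR_RE.match(body)):
            sess["attrs"][attr.group(1)].append(attr.group(2))
    return sessions


# Equivalent of:  ldap attribute-map LDAPmapping / map-name cn Group-Policy /
# map-value cn vpn_group1 LDAPtestGroup1 ...   (names assumed)
ATTRIBUTE_MAP = {
    "cn": ("Group-Policy", {"vpn_group1": "LDAPtestGroup1",
                            "vpn_group2": "LDAPtestGroup2"}),
}


def apply_attribute_map(attrs, attribute_map=ATTRIBUTE_MAP):
    """map-name renames an LDAP attribute; map-value rewrites each value.
    Attributes without a map-name entry are dropped; values without a
    map-value entry pass through unchanged (assumed ASA behaviour)."""
    result = defaultdict(list)
    for ldap_name, values in attrs.items():
        if ldap_name in attribute_map:
            asa_name, value_map = attribute_map[ldap_name]
            result[asa_name].extend(value_map.get(v, v) for v in values)
    return dict(result)


def authorization_sessions(sessions):
    """Sessions run against the authorization-server-group (reqType Other)."""
    return [s for s in sessions.values() if s["req_type"] == "Other"]


def resolve_group_policy(sessions):
    """Group-policy the ASA would apply from the authorization entry. The
    search returns one group entry, so a user in several posixGroups only
    ever yields one cn here, which is what Jozef observes."""
    for sess in authorization_sessions(sessions):
        policies = apply_attribute_map(sess["attrs"]).get("Group-Policy", [])
        if policies:
            return policies[0]
    return None


def group_memberships(sessions):
    """Group cns the ASA actually learned during authorization."""
    return [cn for s in authorization_sessions(sessions)
            for cn in s["attrs"].get("cn", [])]


def has_all_groups(memberships, required):
    """DAP-style check: the user must hold every required group."""
    return set(required) <= set(memberships)


if __name__ == "__main__":
    parsed = parse_debug(SAMPLE_DEBUG)
    print("policy:", resolve_group_policy(parsed))
    print("groups seen:", group_memberships(parsed))
    print("holds both groups:",
          has_all_groups(group_memberships(parsed), ["vpn_group1", "vpn_group2"]))
```

Running it shows why Laxman keeps the map off the authentication server: applied to session 14595, the same `cn` map would turn the user's own `cn=vpnuser3` into a nonexistent policy name. It also shows the limit Jozef hits: with posixGroup membership stored on the group entries, the authorization search hands the ASA exactly one entry, so the "all groups" check can never be satisfied from this data alone; the memberships would have to be visible on the user entry itself (the `memberOf` attribute Jozef's first config tried to map) for a DAP to see more than one.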

Could anyone please post a working config on this please?