ASA LDAP Auth the nice and easy way.   August 10th, 2007

Ok so I have been beating my head on ASA to LDAP auth (temporary fix till my client spins up RADIUS), but thanks to the great LDAP group at Cisco TAC I'm up and working. The point of this post is to take what we tend to know about LDAP client configs and adjust it for what Cisco has set up in PIX IOS 8.

Our config:

  • LDAP: OS X Open Directory (OpenLDAP in PIX IOS 8)
  • ASA 5540 in Active/Standby failover
  • LDAP server is on the inside of the ASA

BASE DN: For the most part this is what you would expect it to be. But in most of the clients I have used, the Base DN is either appended automatically or you can choose to append it to your login DN, thus shortening your login DN entry. When you talk to TAC they say that your BASE DN is automatically appended to your login. Well, no, that's wrong. What the ASA uses the BASE DN for is the place where it starts its tree walk for Authentication or Authorization credentials (the users logging in) only, not where it looks for the base of its own bind credentials.

So what should you use for the BASE DN? Well, your BASE DN of course. So now you're saying this guy is an idiot, that's not special at all. Well, look below at what you need to use for your login DN, and if that doesn't clear things up then maybe I am an idiot.

Login DN: Normally you can stick to uid="username",cn=users for your login DN. But in the case of the ASA client you need to use the full login path including the base, so something like this: uid="username",cn=users,dc=DMS,dc=staticnat,dc=com

Another thing that seems to be unknown to TAC is whether, when performing your Auth test from the ASDM console, you should use uid="username" or just "username". Well, I have the skinny on that too: just use "username".

The final snippet of info I have to offer on the LDAP front has to do with people who were unable to get their "asa" user to bind to the directory if it was not located within the BASE DN. Cisco is aware of this and has patched their code. I have no idea if that patch is part of the engineering release I have or if it is part of the current Pix IOS 8 ED that is available for download. I have an email out asking that question now and I hope to have an update by the end of the day. If you have any questions feel free to post to comments or email me.
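To put the BASE DN and login DN points above into an actual ASA 8.0 server-group config, here is an added example (my own illustration, not a config from the post or from Cisco). The base DN is the one the post uses; the server-group tag OD, the server address 10.0.0.5, the bind account "asa", the tunnel-group name REMOTEVPN and the test user jdoe are all assumed, and the passwords are placeholders.

```text
! Added example (not from the original post): ASA 8.0 LDAP server group for an
! Open Directory server reachable on the inside interface.
! Assumed: tag OD, server 10.0.0.5, bind user "asa", tunnel-group REMOTEVPN.
aaa-server OD protocol ldap
aaa-server OD (inside) host 10.0.0.5
 ! Where the ASA STARTS its subtree search for the user being authenticated.
 ldap-base-dn dc=DMS,dc=staticnat,dc=com
 ldap-scope subtree
 ! Attribute the bare "username" you type is matched against (uid on Open Directory).
 ldap-naming-attribute uid
 ! The ASA's own bind credentials: the FULL DN, base included.
 ! The ASA does not append ldap-base-dn to this value.
 ldap-login-dn uid=asa,cn=users,dc=DMS,dc=staticnat,dc=com
 ldap-login-password <BIND-PASSWORD-PLACEHOLDER>
 server-type openldap
 ! Optional, but without it the simple bind above crosses the inside
 ! network in the clear; requires LDAPS on the directory side.
 ! ldap-over-ssl enable
 ! server-port 636
!
! Point the tunnel-group at the new server group (tunnel-group name assumed).
tunnel-group REMOTEVPN general-attributes
 authentication-server-group OD
!
! CLI equivalent of the ASDM test in the post: give the bare username,
! not uid=username.
test aaa-server authentication OD host 10.0.0.5 username jdoe password <USER-PASSWORD-PLACEHOLDER>
```

Two things to check if the test fails: `debug ldap 255` shows the bind DN the ASA actually sends, so you can confirm it is the full DN and not base-appended; and if the "asa" account sits outside ldap-base-dn, the bind problem the post mentions applies, so keep the bind account inside the base DN until the fixed release is confirmed.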

This entry was posted on Friday, August 10th, 2007 at 10:18 am and is filed under *NIX, Apple, Cisco, Design Strategy, LDAP, Open Directory, OS X, PIX/ASA, Security.
  • http://www.6200networks.com jfh6200

    Josh, this is an excellent post…You can find a sample config @ my website (http://6200networks.com/?p=25)…Keep up the great work man.

    -Joe

  • http://cindyandgreg.com gmsmith

    Quick question for you, I am trying to limit my LDAP authentication to a specific group in OS X OpenDirectory (10.5.5), but I can’t seem to do it…did you have any luck with this?

  • http://www.staticnat.com cratejockey

    Thanks Greg! He provided the following link as a follow up to our off-line conversation.

    http://209.85.135.104/translate_c?hl=en&sl=fr&tl=en&u=http://pm.itguys.fr/blog/tags/asa/&usg=ALkJrhj0dOIxqsafNO8RSkeKrUNxzasSeQ

    Plus he has an open TAC case and has offered to share his results.

  • http://cindyandgreg.com gmsmith

    So, as I mentioned in email, I got the 1 in 5 at Cisco TAC. In my last real job, we had a chart of companies and their tech support. Something like:

    Cisco – 1 in 5 actually knew something
    Sun – 1 in 10 actually knew something
    Salesforce – 1 in 100 actually knew something
    RedHat – Yeah, good luck

    Anyway, for the details….I have tested this on my home setup and it works great…

    Essentially if you follow the directions on the link above and then issue the following at a config t prompt:

    group-policy noconnection internal
    group-policy noconnection attributes
     vpn-simultaneous-logins 0
     exit
    tunnel-group <> general-attributes
     no default-group-policy <>
     default-group-policy noconnection

    *The lines above will switch the default group policy on the <> group to be noconnection, which prevents access to the ASA for users that do not have a gidNumber equal to the gidNumber you set.

  • Pingback: StaticNAT » Blog Archive » Get Your ACS in Order!
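The noconnection trick in gmsmith's comment only works together with an LDAP attribute map that turns a matching gidNumber into a group policy, and that half lives on the linked page rather than here. As an added illustration of the full picture on ASA 8.0 (my own example, not the commenter's or the linked post's config), the block below assumes a map named OD-GROUP, an allowed gidNumber of 1001, an allowing policy VPNUSERS, a server group OD on host 10.0.0.5, and a tunnel-group REMOTEVPN.

```text
! Added example (not from the comment or the linked post): limit VPN access
! to one Open Directory group by mapping the user's gidNumber to a policy.
! Assumed: map OD-GROUP, gidNumber 1001, policy VPNUSERS, server group OD
! on 10.0.0.5, tunnel-group REMOTEVPN.
!
! IETF-Radius-Class is the attribute the ASA uses to pick a group-policy.
! Only the value 1001 is mapped; any other gidNumber maps to nothing.
ldap attribute-map OD-GROUP
 map-name gidNumber IETF-Radius-Class
 map-value gidNumber 1001 VPNUSERS
!
! Attach the map to the LDAP server entry (server group from the post's setup).
aaa-server OD (inside) host 10.0.0.5
 ldap-attribute-map OD-GROUP
!
! Policy that allows connections: users whose gidNumber is 1001 land here.
group-policy VPNUSERS internal
!
! Policy that allows none: everyone the map did not match falls through to it.
group-policy noconnection internal
group-policy noconnection attributes
 vpn-simultaneous-logins 0
!
tunnel-group REMOTEVPN general-attributes
 default-group-policy noconnection
```

Caveat on the matching: gidNumber on a user record is that user's primary group, and the map is evaluated against attributes returned for the user's own entry. A user who belongs to the group only through the group object's member list (memberUid on a POSIX group) has a different gidNumber and therefore falls through to noconnection, so verify with `debug ldap 255` that the attribute you expect is actually returned before relying on the restriction.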