Filter
Top Products
C-4
Cisco ASDM User Guide
OL-16647-01
Appendix C Configuring an External Server for Authorization and Authentication
Configuring an External LDAP Server
Your LDAP configuration should reflect the logical hierarchy of your organization. For example,
suppose an employee at your company, Example Corporation, is named Terry. Terry works in the
Engineering group. Your LDAP hierarchy could have one or many levels. You might decide to set up a
shallow, single-level hierarchy in which Terry is considered a member of Example Corporation. Or, you
could set up a multi-level hierarchy in which Terry is considered to be a member of the department
Engineering, which is a member of an organizational unit called People, which is itself a member of
Example Corporation. See Figure C-2 for an example of this multi-level hierarchy.
A multi-level hierarchy has more granularity, but a single level hierarchy is quicker to search.
Figure C-2 A Multi-Level LDAP Hierarchy
Searching the Hierarchy
The security appliance lets you tailor the search within the LDAP hierarchy. You configure the following
three fields on the security appliance to define where in the LDAP hierarchy your search begins, the
extent, and the type of information it is looking for. Together these fields allow you to limit the search
of the hierarchy to only the part of the tree that contains the user permissions.
• LDAP Base DN defines where in the LDAP hierarchy the server should begin searching for user
information when it receives an authorization request from the security appliance.
• Search Scope defines the extent of the search in the LDAP hierarchy. The search proceeds this many
levels in the hierarchy below the LDAP Base DN. You can choose to have the server search only the
level immediately below, or it can search the entire subtree. A single level search is quicker, but a
subtree search is more extensive.
• Naming Attribute(s) defines the RDN that uniquely identifies an entry in the LDAP server. Common
naming attributes can include cn (Common Name), sAMAccountName, and userPrincipalName.
Figure C-2 shows a possible LDAP hierarchy for Example Corporation. Given this hierarchy, you could
define your search in different ways. Table C-1 shows two possible search configurations.
In the first example configuration, when Terry establishes the IPSec tunnel with LDAP authorization
required, the security appliance sends a search request to the LDAP server indicating it should search
for Terry in the Engineering group. This search is quick.
In the second example configuration, the security appliance sends a search request indicating the server
should search for Terry within Example Corporation. This search takes longer.
148997
Example.com.com Enterprise LDAP Hierarchy
dc=ExampleCorp, dc=com
Root/Top
People
Equipment
OU=Organization Units
Engineering
Marketing
HR
Groups/Departments
cn=t
erry
cn=
bobbie
cn=
lynn
Users
cn=
robin