C-5
Cisco ASDM User Guide
OL-16647-01
Appendix C Configuring an External Server for Authorization and Authentication
Configuring an External LDAP Server
Binding the Security Appliance to the LDAP Server
Some LDAP servers (including the Microsoft Active Directory server) require the security appliance to
establish a handshake via authenticated binding before they accept requests for any other LDAP
operations. The security appliance identifies itself for authenticated binding by attaching a Login DN
field to the user authentication request. The Login DN field defines the authentication characteristics of
the security appliance; these characteristics should correspond to those of a user with administrative
privileges. An example Login DN field could be: cn=Administrator, cn=users, ou=people, dc=example,
dc=com.
Note: As an LDAP client, the security appliance does not support sending anonymous binds or requests.
Login DN Example for Active Directory
The Login DN is a username on the LDAP server that the security appliance uses to establish a trust
between itself (the LDAP client) and the LDAP server during the Bind exchange, before a user search
can take place.
For VPN authentication/authorization operations, and beginning with version 8.0.4 for retrieval of AD
groups (which are read-only operations when password-management changes are not required), you
can use a Login DN with fewer privileges. For example, the Login DN can be a user who is a member
(memberOf) of the Domain Users group.
For VPN password-management changes, the Login DN must have Account Operators privileges.
In either of these cases, Super-user level privileges are not required for the Login/Bind DN. Refer to your
LDAP Administrator guide for specific Login DN requirements.
Defining the Security Appliance LDAP Configuration
This section describes how to define the LDAP AV-pair attribute syntax. It includes the following topics:
Supported Cisco Attributes for LDAP Authorization, page C-6
Cisco-AV-Pair Attribute Syntax, page C-12
Note: The security appliance enforces the LDAP attributes based on attribute name, not numeric ID. RADIUS
attributes, on the other hand, are enforced by numeric ID, not by name.
Authorization refers to the process of enforcing permissions or attributes. An LDAP server defined as
an authentication or authorization server will enforce permissions or attributes if they are configured.
Table C-1 Example Search Configurations

#  LDAP Base DN                                              Search Scope  Naming Attribute  Result
1  group=Engineering,ou=People,dc=ExampleCorporation,dc=com  One Level     cn=Terry          Quicker search
2  dc=ExampleCorporation,dc=com                              Subtree       cn=Terry          Longer search
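As an added illustration of Table C-1 (example code written for this page, not from the Cisco guide), the following Python models the two search configurations over a small constructed directory; the functions parse_dn, in_scope and ldap_search are this example's own names, and the count of entries examined is used as a stand-in for the server-side work behind the table's "quicker" versus "longer" search. A second user with cn=Terry under another group is included to show that the wide subtree search from the domain root can also return more than one match.

```python
# Added example, not from the Cisco guide: all directory entries below are constructed.

def parse_dn(dn):
    """Split 'cn=Terry,ou=People,dc=example,dc=com' into (attr, value) RDN tuples,
    leftmost first. Spaces after commas (as in 'dc=ExampleCorporation, dc=com')
    are ignored and comparison is case-insensitive, as LDAP DN matching is."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn falls inside base_dn for scope 'base', 'one level' or 'subtree'."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                   # entry is not under the base DN at all
    depth = len(entry) - len(base)     # 0 = the base itself, 1 = a direct child
    return {"base": depth == 0, "one level": depth == 1, "subtree": True}[scope.lower()]

# Constructed directory: DN -> attributes. Two different users share cn=Terry.
DIRECTORY = {
    "ou=People,dc=ExampleCorporation,dc=com": {},
    "group=Engineering,ou=People,dc=ExampleCorporation,dc=com": {},
    "cn=Terry,group=Engineering,ou=People,dc=ExampleCorporation,dc=com": {"cn": "Terry"},
    "cn=Pat,group=Engineering,ou=People,dc=ExampleCorporation,dc=com": {"cn": "Pat"},
    "cn=Terry,group=Sales,ou=People,dc=ExampleCorporation,dc=com": {"cn": "Terry"},
    "cn=Administrator,cn=Users,dc=ExampleCorporation,dc=com": {"cn": "Administrator"},
}

def ldap_search(base_dn, scope, naming_attr, value, directory=DIRECTORY):
    """Return (matching DNs, entries examined). The examined count stands in for
    the server-side work behind the table's 'quicker' versus 'longer' search."""
    matches, examined = [], 0
    for dn, attrs in directory.items():
        if not in_scope(dn, base_dn, scope):
            continue
        examined += 1
        if attrs.get(naming_attr, "").lower() == value.lower():
            matches.append(dn)
    return matches, examined

if __name__ == "__main__":
    # Row 1 of Table C-1: narrow base DN with One Level scope -> 2 entries examined, 1 match
    print(ldap_search("group=Engineering,ou=People,dc=ExampleCorporation,dc=com",
                      "One Level", "cn", "Terry"))
    # Row 2 of Table C-1: domain root with Subtree scope -> 6 entries examined, 2 matches
    print(ldap_search("dc=ExampleCorporation,dc=com", "Subtree", "cn", "Terry"))
```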