Friday, July 27, 2012

Active Directory and ASA LDAP Authentication

A quick note on using LDAP for multi-domain authentication with Cisco ASA and an Active Directory global catalog server... when using the ASA to match on an LDAP object name, like this:

ldap attribute-map MY_MAP_NAME
  map-value memberOf "CN=foo,OU=bar,DC=example,DC=com" MY_GROUP_POLICY

...the Active Directory group needs to have certain properties:

  1. It must be a security group with universal scope.
  2. Users in the group must have a primary group different from the group matched by the ASA.
  3. The user's primary group must have universal scope.

I don't know if this still holds true if you have only a single domain and you're using the regular Active Directory LDAP service instead of the global catalog service, but in a multi-domain setup the GCS does not correctly report the "memberOf" attribute unless these conditions are met. This is an Active Directory quirk and thus is not directly related to ASAs, but troubleshooting an ASA issue was how I discovered it.
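An added example (not from the original post) that checks the three conditions above against group and user attributes as an LDAP client would read them from AD: groupType bit flags for scope and security type, and primaryGroupID versus the RID in each group's objectSid. The group and user entries are constructed sample data with made-up SIDs; fetching them from the global catalog is left to your LDAP client.

```python
from typing import Dict, List

# groupType bit flags from the Active Directory schema
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY = 0x80000000


def group_type_value(raw: int) -> int:
    # AD exposes groupType as a signed 32-bit integer; normalise to unsigned
    return raw & 0xFFFFFFFF


def is_universal_security_group(group: Dict) -> bool:
    gt = group_type_value(group["groupType"])
    return bool(gt & GROUP_TYPE_SECURITY) and bool(gt & GROUP_TYPE_UNIVERSAL)


def rid_of(object_sid: str) -> int:
    # the RID is the last sub-authority of the SID string, e.g. S-1-5-21-...-513
    return int(object_sid.rsplit("-", 1)[1])


def check_memberof_preconditions(group: Dict, users: List[Dict],
                                 groups_by_rid: Dict[int, Dict]) -> List[str]:
    """Return one message per violated condition; empty list means all three hold."""
    problems = []
    if not is_universal_security_group(group):          # condition 1
        problems.append(f"{group['cn']}: not a universal security group")
    group_rid = rid_of(group["objectSid"])
    for user in users:
        pg_rid = user["primaryGroupID"]
        if pg_rid == group_rid:                         # condition 2
            problems.append(f"{user['sAMAccountName']}: primary group is the matched group")
            continue
        primary = groups_by_rid.get(pg_rid)
        if primary is None or not group_type_value(primary["groupType"]) & GROUP_TYPE_UNIVERSAL:
            problems.append(f"{user['sAMAccountName']}: primary group RID {pg_rid} is not universal scope")  # condition 3
    return problems


# Constructed sample entries (SIDs and names are made up). Domain Users is a
# global security group (0x80000002), the other two are universal security groups.
SAMPLE_GROUPS = [
    {"cn": "Domain Users", "groupType": -2147483646, "objectSid": "S-1-5-21-1-2-3-513"},
    {"cn": "foo", "groupType": -2147483640, "objectSid": "S-1-5-21-1-2-3-1105"},
    {"cn": "vpn-primary", "groupType": -2147483640, "objectSid": "S-1-5-21-1-2-3-1200"},
]
GROUPS_BY_RID = {rid_of(g["objectSid"]): g for g in SAMPLE_GROUPS}
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "primaryGroupID": 1200},  # ok
    {"sAMAccountName": "bob", "primaryGroupID": 513},     # primary group is global scope
    {"sAMAccountName": "carol", "primaryGroupID": 1105},  # primary group is the matched group
]


def run_sample() -> List[str]:
    return check_memberof_preconditions(GROUPS_BY_RID[1105], SAMPLE_USERS, GROUPS_BY_RID)
```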
