Cisco ASA 5505 Configuration Manual page 1737

Appendix B
Configuring an External Server for Authorization and Authentication
Table B-1  Example Search Configurations

#  LDAP Base DN                                              Search Scope  Naming Attribute  Result
1  group=Engineering,ou=People,dc=ExampleCorporation,dc=com  One Level     cn=Terry          Quicker search
2  dc=ExampleCorporation,dc=com                              Subtree       cn=Terry          Longer search
Binding the Security Appliance to the LDAP Server
Some LDAP servers (including Microsoft Active Directory) require the adaptive security appliance to complete an authenticated bind before they accept any other LDAP operation. The adaptive security appliance uses the Login Distinguished Name (DN) and Login Password to establish this trust (bind) with the LDAP server. The Login DN is a user record on the LDAP server that the administrator has designated for binding.
When binding, the adaptive security appliance authenticates to the server with the Login DN and the Login Password. For Microsoft Active Directory read-only operations (authentication, authorization, or group search), the security appliance can bind with a Login DN that has fewer privileges; for example, the Login DN can be a user whose only AD group membership ("Member Of") is Domain Users. For VPN password-management operations, the Login DN needs elevated privileges and must be a member of the Account Operators AD group.
An example of a Login DN:
cn=Binduser1,ou=Admins,ou=Users,dc=company_A,dc=com
The security appliance supports:
• Simple LDAP authentication with an unencrypted password on port 389
• Secure LDAP (LDAP-S) on port 636
• Simple Authentication and Security Layer (SASL) MD5
• SASL Kerberos
The security appliance does not support anonymous authentication.
Note As an LDAP client, the adaptive security appliance does not support sending anonymous binds or requests.
Login DN Example for Active Directory
The Login DN is a username on the LDAP server that the adaptive security appliance uses to establish a trust between itself (the LDAP client) and the LDAP server during the Bind exchange, before a user search can take place.
For VPN authentication/authorization operations, and beginning with version 8.0.4 for retrieval of AD groups (read-only operations as long as no password-management changes are required), you can use a Login DN with fewer privileges. For example, the Login DN can be a user who is a memberOf the Domain Users group.
For VPN password-management changes, the Login DN must have Account Operators privileges.
In either case, Super-user level privileges are not required for the Login/Bind DN. Refer to your LDAP Administrator guide for specific Login DN requirements.
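The following ASA CLI fragment is a worked example added here; it is not taken from the original guide. It ties the two search configurations in Table B-1 to the bind settings described in this section. The host address, server-group names and passwords are placeholders, and the Login DN is assumed to live in the same ExampleCorporation directory as the Table B-1 base DNs. The first server group shows the weak combination this section lists as supported (simple bind on port 389, so the Login Password crosses the network unencrypted, plus a subtree search from the domain root); the second binds over LDAP-S on port 636 and searches one level under the Engineering base DN from Table B-1 row 1.

```cisco
! Weak: simple bind on port 389 (Login Password sent unencrypted),
! subtree search from the domain root (Table B-1, row 2: longer search).
aaa-server LDAP-PLAIN protocol ldap
aaa-server LDAP-PLAIN (inside) host 10.1.1.10
 server-port 389
 server-type microsoft
 ldap-base-dn dc=ExampleCorporation,dc=com
 ldap-scope subtree
 ldap-naming-attribute cn
 ldap-login-dn cn=Binduser1,ou=Admins,ou=Users,dc=ExampleCorporation,dc=com
 ldap-login-password BindPassword1

! Hardened: same low-privilege bind account (a Domain Users member is enough
! for read-only authentication, authorization and group search), but LDAP-S on
! port 636 and a one-level search under the Engineering container
! (Table B-1, row 1: quicker search).
aaa-server LDAP-SECURE protocol ldap
aaa-server LDAP-SECURE (inside) host 10.1.1.10
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
 ldap-base-dn group=Engineering,ou=People,dc=ExampleCorporation,dc=com
 ldap-scope onelevel
 ldap-naming-attribute cn
 ldap-login-dn cn=Binduser1,ou=Admins,ou=Users,dc=ExampleCorporation,dc=com
 ldap-login-password BindPassword1

! Confirm that the bind and the user search succeed before attaching the
! server group to a tunnel group. "Terry" is the user from Table B-1.
test aaa-server authentication LDAP-SECURE host 10.1.1.10 username Terry password TerryPassword1
```

With ldap-scope onelevel the appliance searches only the immediate children of the base DN, so the Engineering container must directly hold the user entries; if users sit in nested OUs, use ldap-scope subtree with the narrowest base DN that still contains them. Many Active Directory deployments use sAMAccountName rather than cn as the naming attribute; cn is kept here to match Table B-1. If password management is enabled on the tunnel group, the bind account must be a member of Account Operators, as the section states; otherwise keep it at Domain Users.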
Cisco ASA 5500 Series Configuration Guide using ASDM (OL-20339-01), page B-5
