C-3
Cisco ASA 5500 Series Configuration Guide using the CLI
Appendix C Configuring an External Server for Authorization and Authentication
Configuring an External LDAP Server
Note: For more information about the LDAP protocol, see RFCs 1777, 2251, and 2849.
Organizing the ASA for LDAP Operations
This section describes how to search within the LDAP hierarchy and perform authenticated binding to
the LDAP server on the ASA and includes the following topics:
Searching the LDAP Hierarchy, page C-3
Binding the ASA to the LDAP Server, page C-4
Your LDAP configuration should reflect the logical hierarchy of your organization. For example,
suppose an employee at your company, Example Corporation, is named Employee1. Employee1 works
in the Engineering group. Your LDAP hierarchy could have one or many levels. You might decide to set
up a single-level hierarchy in which Employee1 is considered a member of Example Corporation. Or you
could set up a multi-level hierarchy in which Employee1 is considered to be a member of the department
Engineering, which is a member of an organizational unit called People, which is itself a member of
Example Corporation. See Figure C-2 for an example of a multi-level hierarchy.
A multi-level hierarchy has more detail, but searches return results more quickly in a single-level
hierarchy.
Figure C-2 A Multi-Level LDAP Hierarchy

Searching the LDAP Hierarchy

The ASA lets you tailor the search within the LDAP hierarchy. You configure the following three fields
on the ASA to define where in the LDAP hierarchy the search begins, how far it extends, and what type of
information it looks for. Together these fields let you limit the search to only the part of the hierarchy
that contains the user permissions.
LDAP Base DN defines where in the LDAP hierarchy the server should begin searching for user
information when it receives an authorization request from the ASA.
Figure C-2 (diagram, Enterprise LDAP Hierarchy): dc=ExampleCorp,dc=com is the root/top entry; the organizational units OU=People and OU=Equipment sit beneath it; the groups/departments Engineering, Marketing, and HR sit beneath People; and the users cn=User1 and cn=User2 (Engineering), cn=User3 (Marketing), and cn=User4 (HR) sit beneath their departments.
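The following Python model is an added example, not code from the Cisco guide. It builds an in-memory copy of the Figure C-2 hierarchy (constructed sample data) and shows how the base DN, together with the standard LDAP search scopes (base, one level, subtree) and an attribute match, limits which entries the server examines. It goes slightly beyond the text above by exercising the scope and attribute fields as well as the base DN; the scope names and the simplified DN parsing (split on commas, no RFC 4514 escaping) are this example's own assumptions, not ASA field names.

```python
"""Model of how a base DN and search scope limit an LDAP search.

Added example (not code from the Cisco guide). DIRECTORY is constructed
sample data mirroring Figure C-2; scope names follow the standard LDAP
search scopes. DN parsing is simplified: it splits on commas and ignores
RFC 4514 escaping, which is fine for these sample DNs only.
"""
from typing import Dict, List

# Constructed in-memory directory: entry DN -> attributes (from Figure C-2).
DIRECTORY: Dict[str, Dict[str, str]] = {
    "dc=ExampleCorp,dc=com": {"objectClass": "domain"},
    "ou=People,dc=ExampleCorp,dc=com": {"objectClass": "organizationalUnit"},
    "ou=Equipment,dc=ExampleCorp,dc=com": {"objectClass": "organizationalUnit"},
    "ou=Engineering,ou=People,dc=ExampleCorp,dc=com": {"objectClass": "organizationalUnit"},
    "ou=Marketing,ou=People,dc=ExampleCorp,dc=com": {"objectClass": "organizationalUnit"},
    "ou=HR,ou=People,dc=ExampleCorp,dc=com": {"objectClass": "organizationalUnit"},
    "cn=User1,ou=Engineering,ou=People,dc=ExampleCorp,dc=com": {"objectClass": "person", "cn": "User1"},
    "cn=User2,ou=Engineering,ou=People,dc=ExampleCorp,dc=com": {"objectClass": "person", "cn": "User2"},
    "cn=User3,ou=Marketing,ou=People,dc=ExampleCorp,dc=com": {"objectClass": "person", "cn": "User3"},
    "cn=User4,ou=HR,ou=People,dc=ExampleCorp,dc=com": {"objectClass": "person", "cn": "User4"},
}

SCOPES = ("base", "onelevel", "subtree")


def split_dn(dn: str) -> List[str]:
    """Split a DN into normalized RDNs, leaf first (simplified parsing)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """True if entry_dn lies in the part of the tree selected by base_dn and scope."""
    if scope not in SCOPES:
        raise ValueError(f"unknown scope {scope!r}")
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if not base:
        raise ValueError("base DN must not be empty")
    # The entry's DN must end with the base DN's RDNs, i.e. sit at or below the base.
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)  # 0 means the base entry itself
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    return True  # subtree: the base entry and everything beneath it


def candidates(base_dn: str, scope: str) -> List[str]:
    """All entry DNs the server has to examine for this base DN and scope."""
    return sorted(dn for dn in DIRECTORY if in_scope(dn, base_dn, scope))


def search(base_dn: str, scope: str, attr: str, value: str) -> List[str]:
    """DNs of in-scope entries whose attribute equals value (case-insensitive)."""
    return [dn for dn in candidates(base_dn, scope)
            if DIRECTORY[dn].get(attr, "").lower() == value.lower()]


if __name__ == "__main__":
    root = "dc=ExampleCorp,dc=com"
    eng = "ou=Engineering,ou=People," + root
    print("entries examined, subtree from root:", len(candidates(root, "subtree")))
    print("entries examined, subtree from Engineering:", len(candidates(eng, "subtree")))
    print("User1 found from Engineering:", search(eng, "subtree", "cn", "User1"))
    # Too narrow: users sit two levels below ou=People, so a one-level scope misses them.
    print("users one level below People:",
          search("ou=People," + root, "onelevel", "objectClass", "person"))
```

Running the script shows both failure modes a defender cares about when tuning these fields: a base DN rooted at the top of the tree examines every entry (slower, and it matches users in departments that should not receive the permissions being looked up), while a base DN or scope set too narrowly returns nothing and the authorization request fails even though the user exists.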