C-4
Cisco ASA 5500 Series Configuration Guide using the CLI
Appendix C Configuring an External Server for Authorization and Authentication
Configuring an External LDAP Server
Search Scope defines the extent of the search in the LDAP hierarchy. The search proceeds this many
levels in the hierarchy below the LDAP Base DN. You can choose to have the server search only the
level immediately below it, or it can search the entire subtree. A single level search is quicker, but
a subtree search is more extensive.
Naming Attribute(s) defines the RDN that uniquely identifies an entry in the LDAP server. Common
naming attributes can include cn (Common Name), sAMAccountName, and userPrincipalName.
Figure C-2 shows a sample LDAP hierarchy for Example Corporation. Given this hierarchy, you could
define your search in different ways. Table C-1 shows two sample search configurations.
In the first example configuration, when Employee1 establishes the IPsec tunnel with LDAP
authorization required, the ASA sends a search request to the LDAP server, indicating it should search
for Employee1 in the Engineering group. This search is quick.
In the second example configuration, the ASA sends a search request indicating that the server should
search for Employee1 within Example Corporation. This search takes longer.
Binding the ASA to the LDAP Server
Some LDAP servers (including the Microsoft Active Directory server) require the ASA to establish a
handshake via authenticated binding before they accept requests for any other LDAP operations. The
ASA uses the Login Distinguished Name (DN) and Login Password to establish a trust relationship
(bind) with an LDAP server before a user can search. The Login DN represents a user record in the LDAP
server that the administrator uses for binding.
When binding, the ASA authenticates to the server using the Login DN and the Login Password. When
performing a Microsoft Active Directory read-only operation (such as for authentication, authorization,
or group search), the ASA can bind with a Login DN with fewer privileges. For example, the Login DN
can be a user whose AD “Member Of” designation is part of Domain Users. For VPN password
management write operations, the Login DN needs elevated privileges and must be part of the Account
Operators AD group. Microsoft Active Directory group search (also called “MemberOf retrieval”) was
added in ASA Version 8.0.4.
An example of a Login DN includes the following entries:
cn=Binduser1,ou=Admins,ou=Users,dc=company_A,dc=com
See your LDAP Administrator guide for specific Login DN requirements for read and write operations.
The ASA supports the following features:
• Simple LDAP authentication with an unencrypted password using the default port 389. You can also
use other ports instead of the default port.
• Secure LDAP (LDAP-S) using the default port 636. You can also use other ports instead of the
default port.
• Simple Authentication and Security Layer (SASL) MD5
• SASL Kerberos
The ASA does not support anonymous authentication.
Table C-1 Example Search Configurations

No. | LDAP Base DN                                              | Search Scope | Naming Attribute | Result
----|-----------------------------------------------------------|--------------|------------------|---------------
1   | group=Engineering,ou=People,dc=ExampleCorporation,dc=com  | One Level    | cn=Employee1     | Quicker search
2   | dc=ExampleCorporation,dc=com                              | Subtree      | cn=Employee1     | Longer search
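The two search configurations in Table C-1, modelled as an added example that is not part of the Cisco guide: a small in-memory directory (constructed entries, hypothetical `ldap_search` helper) shows which entries a One Level versus a Subtree search below each Base DN can return, and includes a second, same-named entry under Sales to show why a subtree search from the root may return more than one match for the naming attribute.

```python
# Added example (not from the Cisco guide): in-memory model of how the LDAP
# Base DN, Search Scope and Naming Attribute from Table C-1 decide which
# entries a search can return. All directory entries below are constructed.
from typing import List

# Constructed sample hierarchy for "Example Corporation" (not real data).
DIRECTORY = [
    "dc=ExampleCorporation,dc=com",
    "ou=People,dc=ExampleCorporation,dc=com",
    "group=Engineering,ou=People,dc=ExampleCorporation,dc=com",
    "cn=Employee1,group=Engineering,ou=People,dc=ExampleCorporation,dc=com",
    "cn=Employee2,group=Engineering,ou=People,dc=ExampleCorporation,dc=com",
    "group=Sales,ou=People,dc=ExampleCorporation,dc=com",
    "cn=Employee1,group=Sales,ou=People,dc=ExampleCorporation,dc=com",
]

def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, normalising surrounding whitespace and case."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def ldap_search(base_dn: str, scope: str, naming_attr: str,
                entries=DIRECTORY) -> List[str]:
    """Return DNs below base_dn whose RDN equals naming_attr (e.g. 'cn=Employee1').

    scope 'onelevel' inspects only entries directly under base_dn (Table C-1
    row 1); 'subtree' descends every level below it (row 2). The base entry
    itself is never returned. Hypothetical helper, not an ASA command.
    """
    if scope not in ("onelevel", "subtree"):
        raise ValueError(f"unknown scope {scope!r}")
    base = split_dn(base_dn)
    wanted = naming_attr.strip().lower()
    hits = []
    for dn in entries:
        parts = split_dn(dn)
        depth = len(parts) - len(base)          # levels below the base DN
        if depth < 1 or parts[-len(base):] != base:
            continue                            # not strictly under base_dn
        if scope == "onelevel" and depth != 1:
            continue                            # deeper than one level
        if parts[0] == wanted:                  # RDN matches the naming attribute
            hits.append(dn)
    return hits

# Table C-1 row 1: one-level search inside the Engineering group (one hit).
ROW1 = ldap_search("group=Engineering,ou=People,dc=ExampleCorporation,dc=com",
                   "onelevel", "cn=Employee1")
# Table C-1 row 2: subtree search from the corporation root; it also finds
# the same-named entry under Sales, so the RDN alone is not unique here.
ROW2 = ldap_search("dc=ExampleCorporation,dc=com", "subtree", "cn=Employee1")
# A one-level search from the root finds nothing: Employee1 is three levels down.
ROW2_ONELEVEL = ldap_search("dc=ExampleCorporation,dc=com", "onelevel", "cn=Employee1")
```

When a subtree search can match more than one entry, pick a naming attribute that is unique across the whole subtree (for example sAMAccountName or userPrincipalName) or narrow the Base DN, as the guide's first configuration does.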