38-20
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter38 Configuring AAA Servers and the Local Database
Configuring AAA
Configuring LDAP Attribute Maps
The ASA can use an LDAP directory for authenticating VPN remote access users or firewall network
access/cut-thru-proxy sessions and/or for setting policy permissions (also called authorization
attributes), such as ACLs, bookmark lists, DNS or WINS settings, session timers, and so on. That is, you
can set the key attributes that exist in a local group policy externally through an LDAP server.
The authorization process is accomplished by means of LDAP attribute maps (similar to a RADIUS
dictionary that defines vendor-specific attributes), which translate the native LDAP user attributes to
Cisco ASA attribute names. You can then bind these attribute maps to LDAP servers or remove them, as
needed. You can also show or clear attribute maps.
Guidelines
The ldap-attribute-map has a limitation with multi-valued attributes. For example, if a user is a
memberOf of several AD groups and the ldap attribute map matches on more than one of them, the
mapped value is chosen based on the alphabetization of the matched entries.
To use the attribute mapping features correctly, you need to understand Cisco LDAP attribute names and
values, as well as the user-defined attribute names and values. For more information about LDAP
attribute maps, see the “Active Directory/LDAP VPN Remote Access Authorization Examples” section
on page B-16.
Field Description
Start URL The complete URL of the authenticating web server location where a
pre-login cookie can be retrieved. This parameter must be configured
only when the authenticating web server loads a pre-login cookie with
the login page. A drop-down list offers both HTTP and HTTPS. The
maximum number of characters is 1024, and there is no minimum.
Action URI The complete Uniform Resource Identifier for the authentication
program on the authorizing web server. The maximum number of
characters for the complete URI is 2048 characters.
Username The name of a username parameter—not a specific username—that
must be submitted as part of the HTTP form used for SSO
authentication. The maximum number of characters is 128, and there is
no minimum.
Password The name of a user password parameter—not a specific password
value—that must be submitted as part of the HTTP form used for SSO
authentication. The maximum number of characters is 128, and there is
no minimum.
Hidden Values The hidden parameters for the HTTP POST request submitted to the
authenticating web server for SSO authentication. This parameter is
necessary only when it is expected by the authenticating web server as
indicated by its presence in the HTTP POST request. The maximum
number of characters is 2048.
Authentication Cookie Name (Optional) The name of the cookie that is set by the server on successful
login and that contains the authentication information. It is used to
assign a meaningful name to the authentication cookie to help
distinguish it from other cookies that the web server may pass back. The
maximum number of characters is 128, and there is no minimum.