Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide

B-5
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Appendix B Configuring an External Server for Authorization and Authentication
Configuring an External LDAP Server
Binding the Security Appliance to the LDAP Server
Some LDAP servers (including the Microsoft Active Directory server) require the adaptive security
appliance to establish a handshake via authenticated binding before they accept requests for any other
LDAP operations. The adaptive security appliance uses the Login Distinguished Name (DN) and Login
Password to establish trust (bind) with an LDAP server. The Login DN represents a user record in the
LDAP server that the administrator uses for binding.
When binding, the adaptive security appliance authenticates to the server using the Login DN and the
Login Password. When performing a Microsoft Active Directory read-only operation (such as
authentication, authorization, or group search), the security appliance can bind with a Login DN that has
fewer privileges. For example, the Login DN can be a user whose AD "Member Of" designation is part of
Domain Users. For VPN password management operations, the Login DN needs elevated privileges and
must be part of the Account Operators AD group.
An example of a Login DN is:
cn=Binduser1,ou=Admins,ou=Users,dc=company_A,dc=com
The security appliance supports:
• Simple LDAP authentication with an unencrypted password on port 389
• Secure LDAP (LDAP-S) on port 636
• Simple Authentication and Security Layer (SASL) MD5
• SASL Kerberos
The security appliance does not support anonymous authentication.
Note As an LDAP client, the adaptive security appliance does not support sending anonymous binds or
requests.
Login DN Example for Active Directory
The Login DN is a username on the LDAP server that the adaptive security appliance uses to establish
a trust between itself (the LDAP client) and the LDAP server during the Bind exchange, before a user
search can take place.
For VPN authentication/authorization operations, and beginning with version 8.0.4 for retrieval of AD
groups (which are read-only operations when password-management changes are not required), you
can use a Login DN with fewer privileges. For example, the Login DN can be a user whose memberOf
attribute includes the Domain Users group.
For VPN password-management changes, the Login DN must have Account Operators privileges.
In either of these cases, Super-user level privileges are not required for the Login/Bind DN. Refer to your
LDAP Administrator guide for specific Login DN requirements.
Table B-1 Example Search Configurations

#  LDAP Base DN                                              Search Scope  Naming Attribute  Result
1  group=Engineering,ou=People,dc=ExampleCorporation,dc=com  One Level     cn=Terry          Quicker search
2  dc=ExampleCorporation,dc=com                              Subtree       cn=Terry          Longer search
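As an added example that is not part of the Cisco guide, the following ASA CLI configuration puts the bind and search settings from this section together: an aaa-server group that binds with the low-privilege Login DN shown above and searches with the base DN, subtree scope, and cn naming attribute of Table B-1, row 2, over LDAP-S rather than cleartext port 389. The group name AD_LDAP, the interface name, the host address, and the password are placeholders, not values from the guide.

```text
! Added example, not from the Cisco guide. AD_LDAP, the interface name,
! 192.0.2.10 and <bind-password> are placeholders.
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 192.0.2.10
 server-type microsoft
 ! Bind credentials: for read-only authentication, authorization and group
 ! search, a Login DN that is only a member of Domain Users is sufficient.
 ldap-login-dn cn=Binduser1,ou=Admins,ou=Users,dc=company_A,dc=com
 ldap-login-password <bind-password>
 ! Search settings from Table B-1, row 2: the whole domain, subtree scope,
 ! matching the user on the cn attribute (row 1 would use a narrower base DN
 ! with "ldap-scope onelevel" for a quicker search).
 ldap-base-dn dc=ExampleCorporation,dc=com
 ldap-scope subtree
 ldap-naming-attribute cn
 ! Simple authentication sends the bind password unencrypted on port 389;
 ! use LDAP-S on port 636 so the Login Password and user credentials are
 ! protected in transit. SASL is the alternative: sasl-mechanism digest-md5
 ldap-over-ssl enable
 server-port 636
```

The `ldap-login-dn` account is the one that must be placed in Account Operators only if this server group is also used for VPN password management; for the read-only operations configured here it should stay a plain Domain Users member, as the section above recommends.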
