B-4
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Appendix B Configuring an External Server for Authorization and Authentication
Configuring an External LDAP Server
Your LDAP configuration should reflect the logical hierarchy of your organization. For example, 
suppose an employee at your company, Example Corporation, is named Terry. Terry works in the 
Engineering group. Your LDAP hierarchy could have one or many levels. You might decide to set up a 
shallow, single-level hierarchy in which Terry is considered a member of Example Corporation. Or, you 
could set up a multi-level hierarchy in which Terry is considered to be a member of the department 
Engineering, which is a member of an organizational unit called People, which is itself a member of 
Example Corporation. See Figure B-2 for an example of this multi-level hierarchy.
A multi-level hierarchy has more granularity, but a single-level hierarchy is quicker to search.
Figure B-2 A Multi-Level LDAP Hierarchy
Searching the Hierarchy 
The adaptive security appliance lets you tailor the search within the LDAP hierarchy. You configure the 
following three fields on the adaptive security appliance to define where in the LDAP hierarchy your 
search begins, the extent, and the type of information it is looking for. Together these fields allow you 
to limit the search of the hierarchy to only the part of the tree that contains the user permissions.
• LDAP Base DN defines where in the LDAP hierarchy the server should begin searching for user 
information when it receives an authorization request from the adaptive security appliance.
• Search Scope defines the extent of the search in the LDAP hierarchy. The search proceeds this many 
levels in the hierarchy below the LDAP Base DN. You can choose to have the server search only the 
level immediately below, or it can search the entire subtree. A single-level search is quicker, but a 
subtree search is more extensive.
• Naming Attribute(s) defines the RDN that uniquely identifies an entry in the LDAP server. Common 
naming attributes can include cn (Common Name), sAMAccountName, and userPrincipalName.
Figure B-2 shows a possible LDAP hierarchy for Example Corporation. Given this hierarchy, you could 
define your search in different ways. Table B-1 shows two possible search configurations. 
In the first example configuration, when Terry establishes the IPSec tunnel with LDAP authorization 
required, the adaptive security appliance sends a search request to the LDAP server indicating it should 
search for Terry in the Engineering group. This search is quick. 
In the second example configuration, the adaptive security appliance sends a search request indicating 
the server should search for Terry within Example Corporation. This search takes longer.
[Figure B-2, Example.com Enterprise LDAP Hierarchy (image not reproduced): root dc=ExampleCorp, dc=com; organizational units People and Equipment; groups/departments Engineering, Marketing, and HR under People; user entries cn=terry, cn=bobbie, cn=lynn, and cn=robin.]
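The following is an added example, not part of the Cisco guide: a small Python simulation of how Base DN, Search Scope and Naming Attribute bound a user lookup over a directory modelled on Figure B-2. The directory entries are constructed, and which department each user sits in is an assumption, since the figure only lists the names.

```python
# Added example (not from the Cisco guide): simulate how Base DN, Search Scope and
# Naming Attribute bound an LDAP user lookup over a constructed Figure B-2 tree.
# Which department each user belongs to is an assumption, not shown in the figure.
ROOT = "dc=ExampleCorp,dc=com"
DIRECTORY = [
    ROOT,
    "ou=People," + ROOT,
    "ou=Equipment," + ROOT,
    "cn=Engineering,ou=People," + ROOT,
    "cn=Marketing,ou=People," + ROOT,
    "cn=HR,ou=People," + ROOT,
    "cn=terry,cn=Engineering,ou=People," + ROOT,   # assumed placement
    "cn=bobbie,cn=Engineering,ou=People," + ROOT,  # assumed placement
    "cn=lynn,cn=Marketing,ou=People," + ROOT,      # assumed placement
    "cn=robin,cn=HR,ou=People," + ROOT,            # assumed placement
]

def split_dn(dn):
    """Split a DN into RDNs, most specific first, normalised for comparison.
    Simplified: no escaped commas or multi-valued RDNs (RFC 4514 handles those)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn lies within the search scope rooted at base_dn.
    'onelevel' = immediate children only, 'subtree' = every descendant."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False  # not below the base DN at all
    depth = len(entry) - len(base)
    return depth == 1 if scope == "onelevel" else True

def ldap_search(base_dn, scope, naming_attribute, username):
    """Return (matching DNs, entries examined) for a lookup by naming attribute.
    The examined count is the cost behind the guide's 'quick' vs 'takes longer'."""
    matches, examined = [], 0
    for dn in DIRECTORY:
        if not in_scope(dn, base_dn, scope):
            continue
        examined += 1
        attr, _, value = split_dn(dn)[0].partition("=")
        if attr == naming_attribute.lower() and value == username.lower():
            matches.append(dn)
    return matches, examined

if __name__ == "__main__":
    # First configuration: start in Engineering, look one level down (quick).
    print(ldap_search("cn=Engineering,ou=People," + ROOT, "onelevel", "cn", "terry"))
    # Second configuration: start at the root and search the whole subtree (longer).
    print(ldap_search(ROOT, "subtree", "cn", "terry"))
    # A one-level search from the root never reaches Terry: scope must cover the users.
    print(ldap_search(ROOT, "onelevel", "cn", "terry"))
```

The third call shows the failure mode to check for when tuning scope: a Base DN that is too high combined with a one-level scope returns no match even though the user exists.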