Organizing the asa for ldap operations, Searching the ldap hierarchy – Cisco ASA 5505 User Manual


C-3

Cisco ASA 5500 Series Configuration Guide using the CLI

Appendix C Configuring an External Server for Authorization and Authentication

Configuring an External LDAP Server

Note: For more information about the LDAP protocol, see RFCs 1777, 2251, and 2849.

Organizing the ASA for LDAP Operations

This section describes how to search within the LDAP hierarchy and perform authenticated binding to
the LDAP server on the ASA and includes the following topics:

Searching the LDAP Hierarchy, page C-3

Binding the ASA to the LDAP Server, page C-4

Your LDAP configuration should reflect the logical hierarchy of your organization. For example,
suppose an employee at your company, Example Corporation, is named Employee1. Employee1 works
in the Engineering group. Your LDAP hierarchy could have one or many levels. You might decide to set
up a single-level hierarchy in which Employee1 is considered a member of Example Corporation. Or you
could set up a multi-level hierarchy in which Employee1 is considered to be a member of the department
Engineering, which is a member of an organizational unit called People, which is itself a member of
Example Corporation. See Figure C-2 for an example of a multi-level hierarchy.

A multi-level hierarchy has more detail, but searches return results more quickly in a single-level
hierarchy.

Figure C-2 A Multi-Level LDAP Hierarchy

Searching the LDAP Hierarchy

The ASA lets you tailor the search within the LDAP hierarchy. You configure the following three fields
on the ASA to define where in the LDAP hierarchy your search begins, how far it extends, and the type of
information it looks for. Together these fields allow you to limit the search of the hierarchy to only
the part that includes the user permissions.

LDAP Base DN defines where in the LDAP hierarchy the server should begin searching for user
information when it receives an authorization request from the ASA.
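The following Python model is an added illustration, not Cisco's code and not the ASA's implementation. It builds a constructed in-memory directory modeled on the hierarchy in Figure C-2 (dc=ExampleCorp, dc=com, with the People and Equipment organizational units and the Engineering, Marketing and HR groups) and shows how the base DN, the search scope and the naming attribute together decide which entries a user lookup can return. The second cn=User1 entry under ou=Equipment is a constructed addition used only to show why a base DN that is wider than the part of the tree holding user permissions can make a lookup ambiguous. The resolve_user rule that rejects anything other than exactly one match is this example's own policy, not a statement about ASA behaviour.

```python
"""Toy model of LDAP base DN, search scope and naming attribute.

Constructed example for illustration; not Cisco code. DN comparison is
simplified: RDNs are compared case-insensitively and no escaped commas occur.
"""
from typing import Dict, List, Optional

# Constructed directory information tree (DIT), modeled on Figure C-2.
# Key: distinguished name. Value: a few attributes of the entry.
DIT: Dict[str, Dict[str, str]] = {
    "dc=ExampleCorp,dc=com": {"objectClass": "domain"},
    "ou=People,dc=ExampleCorp,dc=com": {"objectClass": "organizationalUnit"},
    "ou=Equipment,dc=ExampleCorp,dc=com": {"objectClass": "organizationalUnit"},
    "ou=Engineering,ou=People,dc=ExampleCorp,dc=com": {"objectClass": "organizationalUnit"},
    "ou=Marketing,ou=People,dc=ExampleCorp,dc=com": {"objectClass": "organizationalUnit"},
    "ou=HR,ou=People,dc=ExampleCorp,dc=com": {"objectClass": "organizationalUnit"},
    "cn=User1,ou=Engineering,ou=People,dc=ExampleCorp,dc=com": {"cn": "User1", "dept": "Engineering"},
    "cn=User2,ou=Engineering,ou=People,dc=ExampleCorp,dc=com": {"cn": "User2", "dept": "Engineering"},
    "cn=User3,ou=Marketing,ou=People,dc=ExampleCorp,dc=com": {"cn": "User3", "dept": "Marketing"},
    "cn=User4,ou=HR,ou=People,dc=ExampleCorp,dc=com": {"cn": "User4", "dept": "HR"},
    # Constructed device record that happens to share the cn "User1".
    "cn=User1,ou=Equipment,dc=ExampleCorp,dc=com": {"cn": "User1", "dept": "Equipment"},
}


def _rdns(dn: str) -> List[str]:
    """Split a DN into its RDNs, most specific first, normalised for comparison."""
    return [part.strip().lower() for part in dn.split(",")]


def depth_below(dn: str, base_dn: str) -> int:
    """Return how many levels dn sits below base_dn (0 = the base entry itself),
    or -1 if dn is not inside the subtree rooted at base_dn."""
    d, b = _rdns(dn), _rdns(base_dn)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return -1
    return len(d) - len(b)


def search(base_dn: str, scope: str, naming_attr: str, value: str) -> List[str]:
    """Return the DNs of entries whose naming attribute equals value, restricted
    to the part of the tree selected by base_dn and scope.

    scope: "base" (only the base entry), "onelevel" (direct children of the
    base), or "subtree" (every entry at or below the base)."""
    if scope not in ("base", "onelevel", "subtree"):
        raise ValueError(f"unknown scope: {scope}")
    hits: List[str] = []
    for dn, attrs in DIT.items():
        depth = depth_below(dn, base_dn)
        if depth < 0:
            continue  # outside the base DN: never considered
        if scope == "base" and depth != 0:
            continue
        if scope == "onelevel" and depth != 1:
            continue
        if attrs.get(naming_attr) == value:
            hits.append(dn)
    return hits


def resolve_user(base_dn: str, scope: str, naming_attr: str, value: str) -> Optional[str]:
    """Map a login name to a single user DN. This example's policy: zero matches
    or more than one match both count as a failed lookup and return None."""
    hits = search(base_dn, scope, naming_attr, value)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    # Wide base DN: the device entry collides with the real user.
    print(search("dc=ExampleCorp, dc=com", "subtree", "cn", "User1"))
    # Base DN narrowed to the People subtree: one unambiguous match.
    print(resolve_user("ou=People,dc=ExampleCorp,dc=com", "subtree", "cn", "User1"))
    # Multi-level hierarchy searched with onelevel scope: users are two levels
    # below ou=People, so nothing is found.
    print(search("ou=People,dc=ExampleCorp,dc=com", "onelevel", "cn", "User1"))
```

The three calls at the bottom mirror the page's point: with the base DN set at the top of the tree and a subtree scope, the lookup returns both cn=User1 entries; narrowing the base DN to ou=People leaves exactly the user the authorization request is about; and a onelevel scope against a multi-level hierarchy misses users that sit more than one level below the base, which is why scope and base DN must be chosen together.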

[Figure C-2, Enterprise LDAP Hierarchy (image not reproduced): Root/Top dc=ExampleCorp, dc=com; Organization Units People and Equipment; Groups/Departments Engineering, Marketing, and HR; Users cn=User1, cn=User2, cn=User3, cn=User4]
