Cisco ASA 5505 Configuration Manual page 1736

Appendix B    Configuring an External Server for Authorization and Authentication
Configuring an External LDAP Server

Your LDAP configuration should reflect the logical hierarchy of your organization. For example, suppose an employee at your company, Example Corporation, is named Terry. Terry works in the Engineering group. Your LDAP hierarchy could have one or many levels. You might decide to set up a shallow, single-level hierarchy in which Terry is considered a member of Example Corporation. Or, you could set up a multi-level hierarchy in which Terry is considered to be a member of the department Engineering, which is a member of an organizational unit called People, which is itself a member of Example Corporation. See Figure B-2 for an example of this multi-level hierarchy.

A multi-level hierarchy has more granularity, but a single-level hierarchy is quicker to search.

Figure B-2    A Multi-Level LDAP Hierarchy
[Figure: "Example.com.com Enterprise LDAP Hierarchy". Root/Top: dc=ExampleCorp, dc=com. OU=Organization Units: People, Equipment. Groups/Departments: Engineering, Marketing, HR. Users: cn=terry (Engineering); cn=robin, cn=bobbie (Marketing); cn=lynn (HR).]

Searching the Hierarchy

The adaptive security appliance lets you tailor the search within the LDAP hierarchy. You configure the following three fields on the adaptive security appliance to define where in the LDAP hierarchy your search begins, the extent, and the type of information it is looking for. Together these fields allow you to limit the search of the hierarchy to only the part of the tree that contains the user permissions.

LDAP Base DN defines where in the LDAP hierarchy the server should begin searching for user information when it receives an authorization request from the adaptive security appliance.

Search Scope defines the extent of the search in the LDAP hierarchy. The search proceeds this many levels in the hierarchy below the LDAP Base DN. You can choose to have the server search only the level immediately below, or it can search the entire subtree. A single-level search is quicker, but a subtree search is more extensive.

Naming Attribute(s) defines the RDN that uniquely identifies an entry in the LDAP server. Common naming attributes can include cn (Common Name), sAMAccountName, and userPrincipalName.

Figure B-2 shows a possible LDAP hierarchy for Example Corporation. Given this hierarchy, you could define your search in different ways. Table B-1 shows two possible search configurations.

In the first example configuration, when Terry establishes the IPSec tunnel with LDAP authorization required, the adaptive security appliance sends a search request to the LDAP server indicating it should search for Terry in the Engineering group. This search is quick.

In the second example configuration, the adaptive security appliance sends a search request indicating the server should search for Terry within Example Corporation. This search takes longer.

Cisco ASA 5500 Series Configuration Guide using ASDM    B-4    OL-20339-01
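To make the three fields concrete, here is an added Python model of the Figure B-2 directory (not Cisco's code, and not how the ASA or an LDAP server is implemented): it applies a base DN, a scope and a naming attribute to an authorization lookup and counts how many entries the server has to examine, reproducing the quick first configuration and the longer second one. The full DNs, the sAMAccountName values and the function names are assumptions; the figure shows only node labels.

```python
"""Added example (not Cisco's code): an in-memory model of the Figure B-2 directory showing how
the ASA's three search fields (LDAP Base DN, Search Scope, Naming Attribute) bound an LDAP
authorization lookup. Full DNs and sAMAccountName values are assumptions; the figure shows only labels."""
from typing import Dict, Optional, Tuple

# Constructed directory modelled on Figure B-2: DN -> attributes.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "dc=ExampleCorp,dc=com": {"objectClass": "domain"},
    "ou=People,dc=ExampleCorp,dc=com": {"objectClass": "organizationalUnit"},
    "ou=Equipment,dc=ExampleCorp,dc=com": {"objectClass": "organizationalUnit"},
    "ou=Engineering,ou=People,dc=ExampleCorp,dc=com": {"objectClass": "organizationalUnit"},
    "ou=Marketing,ou=People,dc=ExampleCorp,dc=com": {"objectClass": "organizationalUnit"},
    "ou=HR,ou=People,dc=ExampleCorp,dc=com": {"objectClass": "organizationalUnit"},
    "cn=terry,ou=Engineering,ou=People,dc=ExampleCorp,dc=com": {"cn": "terry", "sAMAccountName": "tsmith"},
    "cn=robin,ou=Marketing,ou=People,dc=ExampleCorp,dc=com": {"cn": "robin", "sAMAccountName": "rlee"},
    "cn=bobbie,ou=Marketing,ou=People,dc=ExampleCorp,dc=com": {"cn": "bobbie", "sAMAccountName": "bkim"},
    "cn=lynn,ou=HR,ou=People,dc=ExampleCorp,dc=com": {"cn": "lynn", "sAMAccountName": "lwu"},
}

def depth_below(dn: str, base_dn: str) -> Optional[int]:
    """RDN count by which dn lies under base_dn (0 = the base entry itself), or None if outside it.
    Simplified string matching: compared case-insensitively, no DN escaping handled."""
    dn, base_dn = dn.lower(), base_dn.lower()
    if dn == base_dn:
        return 0
    suffix = "," + base_dn
    if not dn.endswith(suffix):
        return None
    return dn[: -len(suffix)].count(",") + 1

def authorize_lookup(base_dn: str, scope: str, naming_attr: str, username: str) -> Tuple[Optional[str], int]:
    """Emulate the server's search for the user named in the ASA's authorization request.
    scope is 'onelevel' (entries directly under the base only) or 'subtree' (base and everything below).
    Returns (matched DN or None, number of entries the server had to examine)."""
    if scope not in ("onelevel", "subtree"):
        raise ValueError("scope must be 'onelevel' or 'subtree'")
    examined = 0
    for dn, attrs in DIRECTORY.items():
        depth = depth_below(dn, base_dn)
        if depth is None or (scope == "onelevel" and depth != 1):
            continue  # entry lies outside the configured base DN / scope
        examined += 1
        if attrs.get(naming_attr, "").lower() == username.lower():
            return dn, examined
    return None, examined  # no entry found: the user cannot be authorized from this search
```

A base DN or scope narrower than the user's actual position returns no entry at all, so when LDAP-authorized tunnels fail for one department, that third case (a one-level search from a base above the user) is the configuration to check first.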