Cisco ASA Series Configuration Manual page 72

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Configure the Identity Firewall
(ldap-login-dn, continued from the previous step.) You can specify the distinguished name in the traditional or simplified format. A typical ldap-login-dn value looks like this: CN=username,OU=Employees,OU=Sample Users,DC=sample,DC=com.
Step 7
server-type microsoft
Example:
hostname(config-aaa-server-host)# server-type microsoft
Configures the LDAP server model for the Microsoft Active Directory server.
Step 8
ldap-group-base-dn string
Example:
hostname(config-aaa-server-host)# ldap-group-base-dn OU=Sample Groups,DC=SAMPLE,DC=com
Specifies the location of the Active Directory groups configuration in the Active Directory domain controller. This command is optional; if it is not specified, the value set with the ldap-base-dn command is used for group searches as well.
Step 9
ldap-over-ssl enable
Example:
hostname(config-aaa-server-host)# ldap-over-ssl enable
Allows the ASA to access the Active Directory domain controller over SSL (LDAPS).
To support LDAP over SSL, the Active Directory server must be configured with a server certificate; by default, Active Directory does not have SSL configured. If SSL is not configured on the domain controller, you do not need to configure it on the ASA for the Identity Firewall. Be aware, however, that without it the ASA performs an LDAP simple bind, so the ldap-login-dn credentials and every group query cross the network in cleartext on port 389. Enable LDAPS on the domain controller and on the ASA wherever possible.
Step 10
server-port port-number
Example:
hostname(config-aaa-server-host)# server-port 389
hostname(config-aaa-server-host)# server-port 636
Specifies the server port. If the ldap-over-ssl command is not enabled, the default server port is 389; if the ldap-over-ssl command is enabled, the default server port is 636.
Step 11
group-search-timeout seconds
Example:
hostname(config-aaa-server-host)# group-search-timeout 300
Sets the amount of time, in seconds, before LDAP group queries time out.
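The following is an added example, not text from the guide, showing how the commands from Steps 7 through 11 combine into one complete aaa-server host definition for the Identity Firewall. The ldap-base-dn, ldap-scope, ldap-login-dn and ldap-login-password commands belong to the earlier steps of this procedure. The server tag adserver, the interface name inside, the domain controller address 10.1.1.10, the domain sample.com and the bind-account DN are assumed placeholders. The first block shows the cleartext configuration on port 389; the second shows the same host hardened with LDAPS on port 636 once the domain controller has a server certificate.

```text
! Assumed values: server tag adserver, interface inside, domain controller 10.1.1.10, domain sample.com
hostname(config)# aaa-server adserver protocol ldap
hostname(config-aaa-server-group)# aaa-server adserver (inside) host 10.1.1.10
hostname(config-aaa-server-host)# ldap-base-dn DC=sample,DC=com
hostname(config-aaa-server-host)# ldap-scope subtree
hostname(config-aaa-server-host)# ldap-login-dn CN=asa-ldap,OU=Service Accounts,DC=sample,DC=com
hostname(config-aaa-server-host)# ldap-login-password <bind-account-password>
hostname(config-aaa-server-host)# server-type microsoft
hostname(config-aaa-server-host)# ldap-group-base-dn OU=Sample Groups,DC=sample,DC=com
! Weak form: ldap-over-ssl is not enabled, so the simple bind above and every group
! lookup travel in cleartext on port 389 (the default without LDAPS).
hostname(config-aaa-server-host)# server-port 389
hostname(config-aaa-server-host)# group-search-timeout 300

! Hardened form of the same host: LDAPS on 636. Port 636 is already the default once
! ldap-over-ssl is enabled; stating it keeps the intent visible in show running-config.
hostname(config-aaa-server-host)# ldap-over-ssl enable
hostname(config-aaa-server-host)# server-port 636

! Verification before pointing the Identity Firewall at the server: confirm the host is
! marked ACTIVE and that the bind account can authenticate a test user (username assumed).
hostname# show aaa-server adserver
hostname# test aaa-server authentication adserver host 10.1.1.10 username jsmith password <password>
```

Keep the ldap-group-base-dn consistent with the domain's actual group OU; if it is omitted, group searches fall back to the ldap-base-dn, which is broader and slower but still correct. Choose the group-search-timeout with the domain size in mind, because the Identity Firewall cannot apply group-based policy until the query completes.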
Cisco ASA Series Firewall CLI Configuration Guide, Chapter 5: Identity Firewall, page 5-12