Sorry to interfere, but I think I know the answer...
The "map-name" establishes the LDAP-to-IETF RADIUS attribute correspondence.
Sometimes it would be enough and appropriate to take the LDAP
attribute and interpret it directly (without any change) as RADIUS IETF.
E.g.,
ldap attribute-map LDAP-RAD
map-name department IETF-Radius-Class
(no map-value)
In this example, the "department" attribute of Active Directory is
fetched directly to the RADIUS Class [25] attribute, and may be
then used, e.g., as a group-policy name to be applied to a user.
However, direct mapping may not be always possible.
E.g., you want to use the "memberOf" attribute of AD to control
the access to ASA CLI, i.e. convert it to IETF-Radius-Service-Type.
This cannot be done with attribute pairing (map-name) only because
"memberOf" is a string, while Service type is a number.
This is where you must use the "map-value" to tell how to convert
AD attribute to RADIUS attribute:
ldap attribute-map LDAP-privilege
map-name memberOf IETF-Radius-Service-Type   <<< the attributes which are paired
map-value memberOf "CN=Domain Admins,CN=Users,DC=seclab,DC=abc" 6   <<< LDAP memberOf value is converted to integer 6
!
aaa authorization exec authentication-server
HTH.
==============================================
> From: Kingsley Charles [mailto:[email protected]]
> Sent: Friday, April 16, 2010 2:26 AM
> To: Tyson Scott
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] LDAP clarification
> Hi Tyson
> Can you please let me know, when will we use " map-value" under ldap map.
> The map-name cmd maps the LDAP custom parameters to ASA's supported LDAP
> attributes. I understand that.
> This map-value again maps the map-name to a cisco attribute.
> I don't get the purpose of it.
> With regards
> Kings
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
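As an added illustration that is not part of the thread above, the following Python model reproduces the two mapping styles described in the reply: a plain map-name that passes the AD "department" value straight into IETF-Radius-Class, and a map-name plus map-value that turns the "memberOf" group DN into Service-Type 6 so that "aaa authorization exec authentication-server" grants the admin shell. The class, the user entries and the combined map name are constructed for the example; the attribute numbers (Class = 25, Service-Type = 6, Administrative = 6) are the RFC 2865 values. The pass-through / exact-match / drop-unlisted semantics are assumptions of this model, not Cisco code, so confirm the device's own behaviour before relying on them.

```python
# Added example, not from the thread: a small model of how an ASA-style LDAP
# attribute map turns Active Directory attributes into RADIUS attributes,
# with plain map-name pass-through and with map-value translation.
# The map semantics and all user entries below are constructed sample data.
from dataclasses import dataclass, field

# RADIUS attribute numbers from RFC 2865
IETF_RADIUS_CLASS = 25
IETF_RADIUS_SERVICE_TYPE = 6
SERVICE_TYPE_ADMINISTRATIVE = 6   # Service-Type value 6 = Administrative


@dataclass
class LdapAttributeMap:
    """Model of one 'ldap attribute-map' block (assumed semantics, not Cisco code)."""
    name: str
    # map-name: LDAP attribute -> RADIUS attribute; value passes through unchanged
    names: dict = field(default_factory=dict)
    # map-value: LDAP attribute -> {LDAP value: RADIUS value}
    values: dict = field(default_factory=dict)

    def map_name(self, ldap_attr, radius_attr):
        self.names[ldap_attr] = radius_attr

    def map_value(self, ldap_attr, ldap_value, radius_value):
        self.values.setdefault(ldap_attr, {})[ldap_value] = radius_value

    def apply(self, ldap_entry):
        """Return {radius_attr: [values]} derived from one LDAP entry.

        Model assumptions: a map-name with no map-value table copies every
        LDAP value as-is; a map-name with a map-value table emits only the
        LDAP values listed there (anything unlisted is dropped, so a user in
        no listed group gets no Service-Type at all and fails closed); values
        are compared as exact strings. Multi-valued attributes such as
        memberOf are handled by iterating over each value.
        """
        out = {}
        for ldap_attr, radius_attr in self.names.items():
            raw = ldap_entry.get(ldap_attr, [])
            if isinstance(raw, str):
                raw = [raw]
            table = self.values.get(ldap_attr)
            for v in raw:
                if table is None:
                    out.setdefault(radius_attr, []).append(v)
                elif v in table:
                    out.setdefault(radius_attr, []).append(table[v])
        return out


# One combined map (constructed name), since an aaa-server host references a
# single attribute map; it merges the LDAP-RAD and LDAP-privilege entries.
ATTR_MAP = LdapAttributeMap("LDAP-combined")
ATTR_MAP.map_name("department", IETF_RADIUS_CLASS)        # direct pass-through
ATTR_MAP.map_name("memberOf", IETF_RADIUS_SERVICE_TYPE)   # string -> number, needs map-value
ATTR_MAP.map_value("memberOf",
                   "CN=Domain Admins,CN=Users,DC=seclab,DC=abc",
                   SERVICE_TYPE_ADMINISTRATIVE)

# Constructed AD entries: one domain admin and one ordinary user.
DIRECTORY = {
    "alice": {
        "department": "Engineering",
        "memberOf": ["CN=Domain Users,CN=Users,DC=seclab,DC=abc",
                     "CN=Domain Admins,CN=Users,DC=seclab,DC=abc"],
    },
    "bob": {
        "department": "Sales",
        "memberOf": ["CN=Domain Users,CN=Users,DC=seclab,DC=abc"],
    },
}


def radius_attributes_for(user):
    """RADIUS attributes the modelled map would return for a directory user."""
    return ATTR_MAP.apply(DIRECTORY[user])


def exec_authorized(user):
    """Mirror 'aaa authorization exec authentication-server': grant the admin
    shell only when the server returned Service-Type 6 (Administrative)."""
    attrs = radius_attributes_for(user)
    return SERVICE_TYPE_ADMINISTRATIVE in attrs.get(IETF_RADIUS_SERVICE_TYPE, [])


if __name__ == "__main__":
    for user in DIRECTORY:
        print(user, radius_attributes_for(user), "exec:", exec_authorized(user))
```

Running it shows alice receiving Class "Engineering" and Service-Type 6 (exec authorized), while bob receives only Class "Sales" and no Service-Type, so the map-value entry acts as an allow-list: only the group DN you explicitly listed ever becomes a privilege value.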