Peter, Great explanation. I hadn't looked it up yet so I am glad you answered. Got pulled into too many different things so thanks for stepping in.
Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Peter Debye
Sent: Monday, April 19, 2010 5:49 AM
To: [email protected]; Kingsley Charles
Subject: [OSL | CCIE_Security] LDAP clarification

Sorry to interfere, but I think I know the answer...

The "map-name" establishes the LDAP-to-IETF RADIUS attribute correspondence. Sometimes it would be enough and appropriate to take the LDAP attribute and interpret it directly (without any change) as RADIUS IETF. E.g.,

    ldap attribute-map LDAP-RAD
     map-name department IETF-Radius-Class
    (no map-value)

In this example, the "department" attribute of Active Directory is fetched directly into the RADIUS Class [25] attribute, and may then be used, e.g., as a group-policy name to be applied to a user.

However, direct mapping may not always be possible. E.g., you want to use the "memberOf" attribute of AD to control access to the ASA CLI, i.e. convert it to IETF-Radius-Service-Type. This cannot be done with attribute pairing (map-name) alone, because "memberOf" is a string, while Service-Type is a number.

This is where you must use the "map-value" to tell how to convert the AD attribute to the RADIUS attribute:

    ldap attribute-map LDAP-privilege
     map-name memberOf IETF-Radius-Service-Type                           <<< the attributes which are paired
     map-value memberOf "CN=Domain Admins,CN=Users,DC=seclab,DC=abc" 6    <<< LDAP memberOf value is converted to integer 6
    !
    aaa authorization exec authentication-server

HTH.
==============================================

> From: Kingsley Charles [mailto:[email protected]]
> Sent: Friday, April 16, 2010 2:26 AM
> To: Tyson Scott
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] LDAP clarification
>
> Hi Tyson
>
> Can you please let me know when we will use "map-value" under ldap map.
> The map-name cmd maps the LDAP custom parameters to the ASA's supported LDAP attributes. I
> understand that.
> This map-value again maps the map-name to a Cisco attribute.
> I don't get the purpose of it.
>
> With regards
> Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
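Added example (not part of the original thread): one ASA configuration that combines both mapping styles Peter describes, a plain map-name pass-through of "department" into IETF-Radius-Class for group-policy selection, and a map-name plus map-value conversion of "memberOf" into IETF-Radius-Service-Type for CLI authorization. The server name AD-LDAP, the host 10.0.0.5, the bind DN, the group-policy names and the interface are assumptions chosen for illustration; the DN "CN=Domain Admins,CN=Users,DC=seclab,DC=abc" and the value 6 (Service-Type Administrative) are taken from the thread.

```text
! Assumed example configuration, not from the original post.
! One map holds both rules; an aaa-server group can reference only one map.
ldap attribute-map LDAP-MAP
 ! department is a string; Class [25] is a string, so no map-value is needed.
 ! The returned Class value is used as the group-policy name.
 map-name department IETF-Radius-Class
 ! memberOf is a DN string; Service-Type is an integer, so a map-value is required.
 ! Only an exact, case-sensitive match of the full DN converts to 6 (Administrative).
 map-name memberOf IETF-Radius-Service-Type
 map-value memberOf "CN=Domain Admins,CN=Users,DC=seclab,DC=abc" 6
!
! Group policies must exist with names equal to the AD "department" values,
! otherwise the Class value cannot be resolved to a policy.
group-policy Engineering internal
group-policy Finance internal
!
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.5
 ldap-base-dn DC=seclab,DC=abc
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,CN=Users,DC=seclab,DC=abc
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map LDAP-MAP
!
! CLI access: authenticate against AD, keep LOCAL as fallback if AD is unreachable,
! and let the Service-Type returned by the map decide the privilege.
aaa authentication ssh console AD-LDAP LOCAL
aaa authorization exec authentication-server
```

Two checks worth running before relying on this: `test aaa-server authentication AD-LDAP host 10.0.0.5 username <user> password <pw>` confirms the bind and lookup work, and `debug ldap 255` during a login shows the raw memberOf values the ASA receives, which is the fastest way to catch a map-value DN that does not match the directory string exactly (a misspelled CN or a group nested in a different container silently yields no Service-Type rather than an error).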
