Users is not an OU, because it's created by default and I think group policies cannot be applied to the Users folder either. Hence it is identified as CN and not OU.
> On Thursday, March 29, 2012, Eugene Pefti wrote:
>
> Hi Kings,
>
> I might not have understood your question correctly and am confused whether
> you use LDAP or RADIUS as aaa-server in ASA.
>
> When you create a user in Windows AD the user should belong to a certain
> OU. The default OU is Users if I'm not mistaken. If you run a dsquery
> against a user, e.g. test user, then the query should return all user
> attributes.
>
> For example, I have a user named "ASA" in Users OU. The query will return
> the following (watch that Users is CN, not OU; go figure with this
> Microsoft why they did it this way).
>
> C:\>dsquery user -samid ASA
> "CN=ASA,CN=Users,DC=com2see,DC=com"
>
> If you move the ASA user from Users OU to a custom OU, e.g. Staff, then
> the query will return the OU part:
>
> C:\>dsquery user -samid ASA
> "CN=ASA,OU=Staff,DC=com2see,DC=com"
>
> So, if any user makes a connection to ASA, let's say via VPN, and you want
> to use a so-called class 25 IETF RADIUS attribute and use an LDAP attribute
> map to map this user to a particular ASA group-policy, then you always have
> to watch for the return from the AD. This return/reply will always list the
> user membership in AD. You'll always see at least the
> "CN=Users,DC=domain,DC=com" part.
>
> Run "debug ldap" on the ASA and watch the reply from AD. This should
> match the output of "dsquery" run in the AD. Then your LDAP attribute
> map on the ASA should look like this:
>
> ldap attribute-map LDAP-MAP
>  map-name memberOf IETF-Radius-Class
>  map-value memberOf "CN=Users,DC=domain,DC=com" GROUP-POLICY-NAME
>
> Eugene
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
> Sent: 29 March 2012 09:26
> To: [email protected]
> Subject: [OSL | CCIE_Security] Mapping ldap user or Active directory user to ACS Group
>
> Hi all
>
> By default, if we create a user in Windows, they are part of the "domain
> users" group. When we use LDAP or Active Directory for authenticating
> unknown users, we have an option in ACS to map the users to an ACS local group.
>
> The issue that I am facing is that I am not able to map users that are
> part of "domain users" to any group. The reason is that Windows doesn't
> send the attribute "member-of = domain users" for users that are part of
> "domain users", and they always fall into the default group.
>
> Any comments?
>
> With regards
> Kings
--
FNK
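As an added illustration (not code from this thread or from Cisco), the following Python simulates how an attribute map of the kind Eugene describes is applied to what AD returns: only the DNs listed in memberOf are compared against map-value entries, while a user's primary group (Domain Users by default) is recorded in primaryGroupID rather than memberOf, which is why an account that is only in Domain Users produces no match. The user DNs, group DNs, policy names and the exact-match comparison are assumptions for the example.

```python
# Constructed AD reply attributes, shaped like what "debug ldap" on the ASA
# would echo for two users (example data, not from the thread).
# memberOf lists only groups the user was explicitly added to; the primary
# group (Domain Users, RID 513, by default) is stored in primaryGroupID and
# is never returned as a memberOf value.
AD_REPLIES = {
    "asa": {
        "distinguishedName": "CN=ASA,CN=Users,DC=example,DC=com",
        "memberOf": ["CN=VPN-Admins,OU=Staff,DC=example,DC=com"],
        "primaryGroupID": 513,
    },
    "plainuser": {
        "distinguishedName": "CN=plainuser,OU=Staff,DC=example,DC=com",
        "memberOf": [],  # member of Domain Users only -> nothing listed here
        "primaryGroupID": 513,
    },
}

# Equivalent of the ASA configuration (hypothetical group DNs and policies):
#   ldap attribute-map LDAP-MAP
#    map-name memberOf IETF-Radius-Class
#    map-value memberOf "<group DN>" <group-policy>
ATTRIBUTE_MAP = {
    "CN=VPN-Admins,OU=Staff,DC=example,DC=com": "GP-VPN-ADMINS",
    "CN=Users,DC=example,DC=com": "GP-USERS",  # a container DN, not a group
}

def parse_dn(dn):
    """Split a DN into (type, value) pairs: 'CN=ASA,CN=Users,...' ->
    [('CN', 'ASA'), ('CN', 'Users'), ...]. Escaped commas are not handled."""
    return [tuple(rdn.split("=", 1)) for rdn in dn.split(",")]

def container_of(dn):
    """Return the parent container of a DN (everything after the first RDN);
    this is the 'CN=Users' vs 'OU=Staff' part seen in the dsquery output."""
    return ",".join(f"{t}={v}" for t, v in parse_dn(dn)[1:])

def resolve_group_policy(reply, attribute_map, default="DfltGrpPolicy"):
    """Return the group-policy for the first memberOf value that matches a
    map-value entry (assumed exact match on the whole group DN). The user's
    own distinguishedName is never consulted, so a container such as
    CN=Users,DC=... can only match if a group actually has that DN."""
    for group_dn in reply["memberOf"]:
        if group_dn in attribute_map:
            return attribute_map[group_dn]
    return default

if __name__ == "__main__":
    for name, reply in AD_REPLIES.items():
        print(name, container_of(reply["distinguishedName"]),
              resolve_group_policy(reply, ATTRIBUTE_MAP))
```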
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
