[c-nsp] VPN 3000 & LDAP

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Mon Aug 7 14:29:56 EDT 2006


Peder @ NetworkOblivion wrote on Monday, August 07, 2006 7:44 PM:

> Has anybody set up LDAP authorization between a VPN 3000 and MS AD?  I
> don't mean authentication, I mean authorization.  I can get authen to
> work, but I can't figure out what to put in the various fields for
> authorization.  The setup screen on the VPN3000 has fields for the
> following:
> 
> Login DN
> Password
> Base DN
> Search Scope 	One Level / Subtree
> Naming attributes
> 
> I know a bunch of people that have lots of experience with AD, but
> none of them are LDAP gurus, so they aren't sure what to put where.
> Any tips would be appreciated.

hmm, shouldn't be that hard, I guess:

Login DN and password are needed by some LDAP servers to log in, so check
with the server.

Base DN gives the root of the directory where you want to start the search,
i.e. if your users are stored like this:

cn=Bob,group=Engineering,ou=People,dc=ExampleCorporation,dc=com
cn=Alice,group=Engineering,ou=People,dc=ExampleCorporation,dc=com

you can enter Base DN as
"group=Engineering,ou=People,dc=ExampleCorporation,dc=com", search scope
"One Level" and Naming attribute "cn" if you want to search for "Bob"
and "Alice". 
If you need to search a broader tree (for example within several
"groups"), specify a shorter base-dn (for example
"ou=People,dc=ExampleCorporation,dc=com") and select "Subtree".

	oli

P.S.: what is the case number of your TAC case?
P.P.S.: I have no clue about the vpn3k, but did some LDAP in the past..
it's pretty straightforward.
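The search those four fields describe, as an added worked example that is not part of the original post and not VPN 3000 code. It models offline what Base DN, Search Scope and Naming attribute do to a lookup: an in-memory directory holding the two DNs from the reply (plus a constructed group=Sales branch and a user cn=Carol), a scope-aware search over it, and the equivalent OpenLDAP ldapsearch command line you could use to check the field values against the real server first. The one assumption, not stated on the page, is that the appliance issues a search under Base DN with the chosen scope for the filter (<naming attribute>=<username>); because the username ends up inside that filter, the example also escapes it per RFC 4515 so a value like `*)(cn=*` matches literally instead of rewriting the filter. The host `ad.example.com` and bind DN `cn=vpnbind,...` are hypothetical.

```python
"""Offline model of the LDAP search behind the Base DN / Search Scope /
Naming attribute fields. Added example, not code from the post or the
VPN 3000. Assumption (not stated on the page): the client searches under
Base DN, with the chosen scope, for the filter
(<naming attribute>=<username>). The directory data below is constructed."""


def parse_dn(dn):
    """Split 'cn=Bob,group=Engineering,...' into (attr, value) RDN pairs,
    most specific first, normalised to lower case. Escaped commas are
    not handled; the constructed sample data has none."""
    return [(a.strip().lower(), v.strip().lower())
            for a, _, v in (p.partition("=") for p in dn.split(","))]


def depth_below(entry_dn, base_dn):
    """Levels of entry_dn beneath base_dn: 0 for the base itself, 1 for a
    direct child, and so on; None if entry_dn is not under base_dn."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return None
    return len(entry) - len(base)


def ldap_escape(value):
    """RFC 4515 escaping of a filter assertion value, so a username such
    as '*)(cn=*' is matched literally instead of rewriting the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c
                   for c in value)


def build_filter(naming_attr, username):
    """The filter the reply implies: (cn=Bob) for naming attribute cn."""
    return "(%s=%s)" % (naming_attr, ldap_escape(username))


def search(directory, base_dn, scope, naming_attr, username):
    """Return the DNs the search would find.

    scope is 'one' (One Level: direct children of Base DN only) or
    'sub' (Subtree: Base DN and everything beneath it). The match is an
    exact, case-insensitive comparison, which is what the escaped filter
    means to a real server."""
    if scope not in ("one", "sub"):
        raise ValueError("scope must be 'one' or 'sub'")
    want = username.lower()
    hits = []
    for dn, attrs in directory.items():
        depth = depth_below(dn, base_dn)
        if depth is None or (scope == "one" and depth != 1):
            continue
        if any(v.lower() == want for v in attrs.get(naming_attr.lower(), [])):
            hits.append(dn)
    return hits


def ldapsearch_command(host, login_dn, base_dn, scope, naming_attr, username):
    """Equivalent OpenLDAP ldapsearch call for checking the field values
    against the real server. -W prompts for the Login DN's password
    instead of exposing it in argv."""
    return ("ldapsearch -x -H ldap://%s -D '%s' -W -b '%s' -s %s '%s' dn"
            % (host, login_dn, base_dn, scope,
               build_filter(naming_attr, username)))


# Constructed directory: the two DNs from the reply plus a Sales group
# and one more user, to show the difference One Level / Subtree makes.
SUFFIX = "dc=ExampleCorporation,dc=com"
PEOPLE = "ou=People," + SUFFIX
ENGINEERING = "group=Engineering," + PEOPLE
SALES = "group=Sales," + PEOPLE
DIRECTORY = {
    SUFFIX: {"dc": ["ExampleCorporation"]},
    PEOPLE: {"ou": ["People"]},
    ENGINEERING: {"group": ["Engineering"]},
    SALES: {"group": ["Sales"]},
    "cn=Bob," + ENGINEERING: {"cn": ["Bob"]},
    "cn=Alice," + ENGINEERING: {"cn": ["Alice"]},
    "cn=Carol," + SALES: {"cn": ["Carol"]},
}


if __name__ == "__main__":
    # Narrow base + One Level finds Bob, as in the reply.
    print(search(DIRECTORY, ENGINEERING, "one", "cn", "Bob"))
    # With the broader base, One Level misses him and Subtree is needed.
    print(search(DIRECTORY, PEOPLE, "one", "cn", "Bob"))
    print(search(DIRECTORY, PEOPLE, "sub", "cn", "Bob"))
    # Hypothetical host and bind DN, only to show the command shape.
    print(ldapsearch_command("ad.example.com", "cn=vpnbind," + PEOPLE,
                             PEOPLE, "sub", "cn", "Carol"))
```

Two practical notes: a Subtree search from a short Base DN can return the same cn from several branches, and the appliance has no way to pick between two hits, so keep the base as narrow as the layout allows; and whatever builds the filter must escape the username, otherwise a login name containing `*` or `)` can turn a one-user lookup into a wildcard match.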
