ASA 5520: Retrieve user, group -and- lanlist (ACL) from openldap

hi,
while migrating from a VPN Concentrator 3000 to ASA 5520 (IOS 8.0.4), we'd like to put all VPN-related configuration settings in an openldap server (2.3.27).
We have trouble finding ways to put group settings, LanLists (as they were called on the Concentrator, or ACLs) and Lan2Lan configurations in LDAP.
Authenticating users through openldap works, and there seems to be an aaa-server command "ldap-group-dn-base", but it seems this is only used in conjunction with Active Directory, while we only use openldap.
Furthermore, ACLs seem to be indices referring to ACLs locally stored on the ASA: how to put the complete ACL in LDAP?
Preferred LDAP configuration:
VPN-users: ou=users,dc=vpn,dc=COMPANY,dc=com
VPN-groups: ou=groups,dc=vpn,dc=COMPANY,dc=com
VPN-L2L: ou=lantolan,dc=vpn,dc=COMPANY,dc=com
How to refer the ASA to an entry in ou=groups,... from an entry residing in ou=users?
Same question for LanLists. Is this possible?

Thank you. I did find the attribute map option, but the manuals and explanations that describe this feature all refer to group-settings (ACLs etc) that are _already configured_ on the ASA. They refer to a groupname or ACL-name that is "known" in the ASA configuration.
What we'd like to do is put -all- possible group, ACL, lan2lanlists, data in ldap. So when a user authenticates:
1. his user-credentials are checked against LDAP and relevant configurations (using attribute maps) are loaded into the ASA
2. his group-credentials are checked against LDAP and relevant group-configurations (using attribute maps) are loaded into the ASA
3. possible lan/network-lists to which his group-information refers, are loaded from LDAP into the ASA.
Perhaps I'm missing something, but I've found only ways to put the _name_ (/ID) of these settings in LDAP, referring to settings/configurations already existing in the ASA. I'd like to put _all_ the settings/configurations in LDAP as well.
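Since the attribute map only carries the *name* of a group-policy or ACL and the object itself has to exist on the ASA, a practical safeguard is to check the directory against the running configuration before rolling out a change: every name an LDAP entry will hand to the ASA must resolve to a locally defined object. The script below is an added example, not code from the thread or from Cisco: it parses a small constructed LDIF export and a constructed ASA config fragment, reads the `map-name` lines of the attribute map to learn which LDAP attributes feed `IETF-Radius-Class` (group-policy) and `IETF-Radius-Filter-Id` (ACL name), and reports every dangling reference. The LDAP attribute names `vpnGroupPolicy` and `vpnAccessList`, the ACL and policy names, and the user entries are assumptions made for the example.

```python
"""Cross-check LDAP-held group-policy and ACL names against an ASA config.

The ASA only references group-policy and ACL names received through an LDAP
attribute map; the objects themselves must already be in the running config.
This added example (not the thread's or Cisco's code) parses a constructed
LDIF export and a constructed ASA config fragment and lists every user entry
whose mapped attribute names an object the ASA does not define.
"""
import re
from collections import defaultdict

# Constructed LDIF export. vpnGroupPolicy / vpnAccessList are hypothetical
# attribute names chosen for this example; bob's second value is folded
# across two lines (RFC 2849 continuation) to exercise the parser.
SAMPLE_LDIF = """\
dn: uid=alice,ou=users,dc=vpn,dc=COMPANY,dc=com
objectClass: inetOrgPerson
uid: alice
vpnGroupPolicy: GP-ENGINEERING
vpnAccessList: ACL-ENGINEERING

dn: uid=bob,ou=users,dc=vpn,dc=COMPANY,dc=com
objectClass: inetOrgPerson
uid: bob
vpnGroupPolicy: GP-FINANCE
vpnAccessList: ACL-FINANCE-
 OLD
"""

# Constructed ASA running-config fragment (names are example values).
SAMPLE_ASA_CONFIG = """\
access-list ACL-ENGINEERING extended permit ip any 10.10.0.0 255.255.0.0
access-list ACL-FINANCE extended permit ip any 10.20.0.0 255.255.0.0
group-policy GP-ENGINEERING internal
group-policy GP-ENGINEERING attributes
 vpn-filter value ACL-ENGINEERING
ldap attribute-map VPN-MAP
 map-name vpnGroupPolicy IETF-Radius-Class
 map-name vpnAccessList IETF-Radius-Filter-Id
"""

# ASA attribute-map targets we know how to resolve -> config object keyword.
CISCO_ATTR_KIND = {
    "IETF-Radius-Class": "group-policy",
    "IETF-Radius-Filter-Id": "access-list",
}
ASA_OBJECT_RE = re.compile(r"^(access-list|group-policy)\s+(\S+)", re.M)
MAP_NAME_RE = re.compile(r"^\s*map-name\s+(\S+)\s+(\S+)", re.M)


def parse_ldif(text):
    """Return a list of {attr: [values]} dicts, one per entry ('dn' included).

    Handles blank-line entry separators, '#' comments and folded lines;
    base64 ('::') values are left undecoded since the example has none.
    """
    entries, current, last_key = [], None, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current and last_key:   # folded line
            current[last_key][-1] += raw[1:]
            continue
        if not raw.strip():                                  # entry boundary
            current, last_key = None, None
            continue
        if raw.startswith("#"):
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        if current is None:
            current = defaultdict(list)
            entries.append(current)
        current[key].append(value)
        last_key = key
    return entries


def asa_defined_names(config):
    """Return {'access-list': {names}, 'group-policy': {names}} from a config."""
    names = defaultdict(set)
    for kind, name in ASA_OBJECT_RE.findall(config):
        names[kind].add(name)
    return names


def mapped_attributes(config):
    """Return {ldap_attr: asa_object_kind} for the map-name lines we can check."""
    return {ldap_attr: CISCO_ATTR_KIND[cisco_attr]
            for ldap_attr, cisco_attr in MAP_NAME_RE.findall(config)
            if cisco_attr in CISCO_ATTR_KIND}


def dangling_references(ldif_text, asa_config):
    """Return sorted (dn, ldap_attr, value) triples naming objects the ASA lacks."""
    defined = asa_defined_names(asa_config)
    mapping = mapped_attributes(asa_config)
    problems = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["<no dn>"])[0]
        for ldap_attr, kind in mapping.items():
            for value in entry.get(ldap_attr, []):
                if value not in defined[kind]:
                    problems.append((dn, ldap_attr, value))
    return sorted(problems)


if __name__ == "__main__":
    for dn, attr, value in dangling_references(SAMPLE_LDIF, SAMPLE_ASA_CONFIG):
        print(f"{dn}: {attr}={value} is not defined on the ASA")
```

Run against the constructed data it flags both of bob's references (no `group-policy GP-FINANCE`, and the folded value resolves to `ACL-FINANCE-OLD`, which no `access-list` line defines) and nothing for alice. Feeding it a real `ldapsearch -LLL` export and a `show running-config` capture turns the "name must already exist on the ASA" constraint from the thread into a repeatable pre-change check.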

Similar Messages

  • Retrieving User groups and email for all users in a group

    Hi Everyone,
    I need to create an ADF application to retrieve all the groups in OID, the user would select a group and it should list down all the email addresses in that group.
    Can you suggest what is the best way to achieve this. My main concern is how to retrieve groups and email addresses from OID. I was unable to find APIs for it.
    Your suggestions are greatly appreciated.
    Thanks,
    Husain

    In a multi-user environment, a user install a dreamweaver extension,but just the user who install the extension can use it.
    Is there a way that administrator install the extension and make this extension available for other users in multi-user environment(e.g. the Windows 7)
    Dreamweaver had this capability many releases ago, but it has been dropped, so it's no longer available.
    Regards,
    Randy Edmunds
    Dreamweaver Development
    Adobe Systems, Inc.

  • What  is difference between user group and reference user group?

    hi
    guys,
    what is difference between user group and reference user group?
    your regards
      p.suresh

    Hi ,
    Check the link below for your clarification.
    http://help.sap.com/erp2005_ehp_03/helpdata/EN/5c/c1c81c445f11d189f00000e81ddfac/frameset.htm
    Hope it helps.
    Regards,
    Amit
    Edited by: Amit Kotwani on Sep 2, 2008 2:15 PM

  • Win 8.1 domain workstation. Block all access, except for a few users/groups and domain controller information/date.

    Hi!
    Win 8.1 Pro, domain workstation. How to block all access, except for a few users/groups and domain controller information/date.
    Nuance:
    From domain AD is locked Workstation Firewall "Domain profile" edit.
    Possible?
    cenubit

    Hi GirtsR,
    I am not sure the command to use the SID to accomplish what you want to achieve, if you only know the SID, you could take use Powershell to find the related information, more information, please check:
    Working with SIDs
    And a similar thread for reference:
    How to find user/group known only SID
    More reference: Default local groups.
    Best regards
    Michael Shao
    TechNet Community Support

  • HT4798 I have forgotten my password for Mountain OS. I have followed the instructions about going to "User group" and entering my Apple ID. It doesn't work. Can anyone help me? Thank you.

    I have forgotten my password for Mountain OS. I have followed the instructions about going to "User group" and entering my Apple ID. It doesn't work. Can anyone help me? Thank you.

    Welcome to the Apple Support Communities
    https://discussions.apple.com/docs/DOC-4101

  • Interesting Information about Hyperion User Groups and Conferences

    Ed Roske has an interesting post on his blog, including a letter from John Kopcke (SVP of EPM at Oracle). There is a lot of content discussing the disbandment of the Hyperion User Groups and the absorption by OAUG with the new Hyperion SIG (Special Interest Group). In addition there is discussion of conference's focusing on Hyperion content.
    Take a look at http://looksmarter.blogspot.com/2008/06/john-kopckes-letter-to-hyperion.html
    Best Regards,

    Gary,
    Thanks for nice post

  • How to manage imported users, groups, and computers in the "Magic Triangle"

    How do I manage imported users, groups, and computers? Server Preferences versus Workgroup Manager? I can import users and groups with the former but it offers limited configurable options. I can view all users, groups, and computers (from Active Directory) in the latter, but it does not designate which accounts have been imported.
    I've got a magic triangle setup, with my users, groups and computers in Windows Active Directory, and my Mac OS X Snow Leopard server set up as a directory master, and bound to AD as well. I wish to apply group-policy-like settings to my Mac OS X Leopard and Snow Leopard clients.
    Here's a summary of my goals:
    1. Time Machine Storage for mac users when they logon to Mac OS X computers.
    2. Automount group shares located on the Mac OS X Server.
    3. Redirect user desktop and document folders to user shares either on the Mac OS X server or my Windows file server.
    4. Automount a custom folder (for each user) located either on the Mac OS X server or my Windows file server.
    5. Setup Mac OS X server as a printer server with quotas for all mac and windows computer users.
    Goal #1 appears to be working. Need help with the rest. Thanks

    I'm not sure you want to import users to use the magic triangle properly. I think importing creates 'Augmented Records' - the user icons have blue dots.
    The principle is this…
    Bind the server to Active Directory (AD) & create an Open Directory master (OD). This can be done from Server Admin, in the OD section, via the change button.
    Then you use Workgroup Manager, set the viewing directory (tiny little globe in top left) to use LDAP records on the server - LDAPv3/127.0.0.1. Authenticate (lock on right of toolbar), add a group, then switch to its Members tab, click +. Then change the user list to show the AD records & add the AD users to the OD group. It sounds weird & wrong, but it is how it works.
    You are never modifying the AD records, just assigning a group to the users in OD. It's why the clients need to bind to AD & OD.
    From there you can set the Managed prefs (MCX) for the members of the OD group. It also helps to add a guest computer account to OD to assign computer prefs based on the Macs that bind to the server - it's in the File menu when you select the computers list in OD.
    I hope that's clear, not sure I can help with the other tasks, but they tend to fall into place once you have the complex start in place.

  • Collaboration Drives Innovation as China Oracle User Groups and Oracle University Work Together to Change Lives

    Check out the latest Customers in the Know blog post where Jim Jiang shares the story of an innovative program launched collaboratively by the China Oracle User Groups and Oracle University.
    https://blogs.oracle.com/customersknow/entry/innovation_and_collaboration_at_its

  • How to create users ,groups and  workflow in batch?

    I have to create 100 groups for each course, and each course has an admin user. Each group has some workflows. These workflows can only be viewed by some users.
    Can I import user name and password from a .txt file and do the work automatically?
    It is hard work if I do it manually.

  • User Groups and non Developers users

    Hi,
    two questions.
    1) How do I create user groups?
    I want to divide specific users into specific groups.
    2) I created users not as developer and not as an administrator.
    When I logged on with those users I didn't see any of the applications, why?
    Thanks.

    1. You asked "how do I assign users to that group and later attach the group..." I think your question is not about how to assign users to a group but rather how to attach the group... Use the function wwv_flow_fnd_user_api.user_in_group in an authorization scheme (desc wwv_flow_fnd_user_api). Attach the scheme to a region, button, etc. to control access. Please read about authorization schemes in the user guide and search this forum for "authorization" and "groups" for useful threads.
    2. A user account without development privilege will be useful for authenticating to an application you create. It will not be useful for developing any applications in the Application Builder.
    Scott

  • Non-privileged user groups and examples of tasks

    Wiki says that normal, non-privileged users can and should be given membership in the following groups:
    audio - for tasks involving sound card and related software
    floppy - for access to a floppy if applicable
    lp - for managing printing tasks
    optical - for managing tasks pertaining to the optical drive(s)
    storage - for managing storage devices
    video - for video tasks and hardware acceleration
    wheel - for using sudo
    power - used w/ power options (e.g.: shutdown with power button)
    What I'm interested is the examples of the typical tasks (besides mentioned on Wiki) that require membership in these groups: storage, video, power, camera, games.
    If someone could break it down nicely I would be much obliged. Thank you.

    Runiq wrote:
    Storage allows you to (un)mount removable media as user in graphical file managers (when HAL is involved).
    Power allows you to resume/suspend/shutdown/reboot as user.
    Some games set the permissions on their executables so that a non-member of the games group can't start the game.
    For the others, I have no idea unfortunately. By the way, the groups are to be deprecated in the (rather far?) future since you are supposed to get proper permissions when you need them. I think ConsoleKit is involved in that IIRC.
    Thanks for a quick reply. That's an interesting idea to grant privileges dynamically on demand. Haven't heard of it yet. Where can I read about it more?
    Last edited by xCrucialDudex (2010-02-26 09:38:07)

  • User Groups and InfoSets

    Hi Gurus!!
    I have created an InfoSet and a User Group with only one user (User1) assigned to the InfoSet created.
    I logged on with User2 and I could modify the InfoSet and I could create a QuickViewer using this InfoSet.
    Isn't the InfoSet supposed to be modifiable only by User1?
    Helpful answers will be rewarded.
    Thanks and regards,
    Manuel.

    Hi,
    Strictly speaking the Query and its related stuff like InfoSets are client dependent and user specific. If a query is developed by one user, the other user doesn't have authorization to see it.
    Maybe sometimes all the users belonging to the same User group may see/use that query.
    In your case USER2 should not be able to use that InfoSet or query.
    Maybe User1 and User2 are in the same User group.
    That's why User2 is able to access the InfoSet.
    reward if useful
    regards,
    Anji

  • Create User Groups and assign Access privileges in Reports

    Hi All,
    Could you share a document, or explain, the standard method to create User Groups in CMC for the BOBJ XI 3.1 architecture?
    And how to assign privileges to user groups like view reports, folders, privileges to create/edit reports etc.
    Environment:
    - Backend - BW
    - and BO XI 3.1 SP3
    Thanks,
    AK

    BO XI 3.1 Administration guide
    http://help.sap.com/businessobject/product_guides/boexir31SP3/en/xi31_sp3_bip_admin_en.pdf

  • Remove unwanted user, group and ID.

    Can this be posted as a user tip in my name? I am unable to post to user tips.
    After a recent aborted MacPorts install on OS X 10.5.8 I followed MacPorts uninstall instructions at:
    http://guide.macports.org/chunked/installing.macports.uninstalling.html
    The uninstall worked well except that I was left with a user called 'macports' with ID 503 which showed up when adding a user in Get Info or using AppleJack. I was not able to remove this user in System Preferences/Accounts nor add another user with the same name.
    I eventually discovered that this could be resolved by removing the following as root:
    /private/var/db/dslocal/nodes/Default/users/macports.plist
    /private/var/db/dslocal/nodes/Default/groups/macports.plist
    This has removed MacPorts and ID 503 from Get Info and AppleJack and I can now create a new user called MacPorts in System Preferences/Accounts despite the remaining historic entries in /private/var/db/dslocal/indices/Default/index.
    I assume this will work in non-MacPorts situations where the user cannot be removed in System Preferences/Accounts.
    This will probably work in all versions of Leopard and some later OSs.

    Mac OS X 10.7.5 Lion
    1. Enable root user:
       click Apple (menu)
       -> System Preferences... -> System - Users & Groups
       unlock -> click
       -> Network Account Server: Join...
       -> Open Directory Utility...
       unlock
       From Directory Utility menu: Edit -> Enable Root User
    2. Switch to root:
       su root
    3. Delete the files Neville Hillyer mentioned:
       rm /private/var/db/dslocal/nodes/Default/users/macports.plist
       rm /private/var/db/dslocal/nodes/Default/groups/macports.plist
    4. "Disable root user" and "lock" every unlocked menu for safety reasons by following step 1.

  • User groups and permissions problem

    Hello everyone,
    I've been running Arch Linux for about a month now and I have noticed a few things related to permissions associated with user groups that annoy me. My user is part of the storage, wheel and network groups, amongst others. I can see this when I run the `groups` command. From what I could read on the Wiki, the storage group should allow me to mount/umount drives such as my USB key and my iPod when they are plugged in and access the files from my user account without using sudo. The network group should let me manage the network connection via ifconfig, iwconfig, etc. once again without using sudo.
    However, when I run iwconfig as my normal user, I get incomplete and inaccurate information. I get about 2 lines telling me essentially that I am not associated with any Access Point, which I clearly am. When I run it with sudo, I get the full information, including my Access Point's ESSID. iwconfig does not get the same data when run with and without sudo. Same goes with ifconfig. Also, I can not run dhcpcd or wpa_supplicant at all as a normal user.
    I get a similar problem with the storage group. I can not mount or umount drives without sudo and I can not write to mounted drives that I've mounted with sudo. This is particularly annoying when I try to manage my iPod.
    Does anyone have a clue what could be causing this?
    Thanks a lot

    I have searched Google and the Arch Wiki, have tried a lot of the suggestions from the forums, such as the 'how I beat policykit and hal' forum post.  Nothing seems to let me mount my drives.  I can see them in Nautilus, I click them but they don't mount.  I can do it as root.  It's really frustrating because I can't figure it out.  I haven't filed a bug report because I thought it was a problem that I was having.
    I haven't tried the iwconfig or network yet.
    This is pretty much the only thing holding me back from everything working.
