A Cisco ASA queries an LDAP server for a VPN user OU attribute of bsnsw and receives multiple results.
Which of the following is the ASA most likely to match? (Select the best answer.)
A. the last result in the list of results containing the attribute
B. the first result in the list of results containing the attribute
C. the most specific result in the list of results containing the attribute
D. the shortest result in the list of results beginning with the lowest alphanumeric character
Explanation:
Of the choices provided, the Cisco Adaptive Security Appliance (ASA) is most likely to match the shortest Lightweight Directory Access Protocol (LDAP) result beginning with the lowest alphanumeric character in the list of results containing the organizational unit (OU) attribute of bsnsw. When using LDAP attribute maps on an ASA, there is a limit on the number of Active Directory (AD) multivalued attributes matched by an LDAP attribute map. LDAP attribute maps are used to authorize virtual private network (VPN) users based on specified AD attributes, such as group membership or department name. If an LDAP query returns a multivalued attribute, such as the list of groups of which a user is a member, the ASA will match only one of the returned values to the appropriate group policy. The ASA will select the matching group policy with the least number of characters in the name and that starts with the lowest alphanumeric character.
The following sample output from a running configuration defines five group policy mappings:
ldap attributemap ExampleMap mapname memberOf GroupPolicy mapvalue memberOf CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com Group5 mapvalue memberOf CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com Group4 mapvalue memberOf CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com Group3 mapvalue memberOf CN=Engineers,CN=Users,OU=bsnsw,DC=boson,DC=com Group2 mapvalue memberOf CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com Group1
The ldap attributemap ExampleMap command creates an LDAP attribute map named ExampleMap. The LDAP attribute map contains a mapname statement, which maps the AD memberOf attribute to the ASA GroupPolicy attribute, and a series of mapvaluecommands, which map matching LDAP response strings to ASA attributes. The mapvalue commands specify the mapping between AD group membership attributes in an LDAP response and the ASA group policy to which they should be applied. When the ASA receives a reply to an LDAP authorization query for the VPN user in this scenario, the following multiattribute response is compared to the mapvalue statements in the LDAP attribute map:
memberOf: value = CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com
If an LDAP query returns a multivalued attribute, the ASA will match only one of the returned values to the appropriate group policy. The ASA will select the matching group policy with the least number of characters in the name and that starts with the lowest alphanumeric character. In this scenario, four of the five configured mapvalue statements will match the LDAP query response. Because the group policies in the matched statement have names of identical length, the ASA will select the name based on its alphabetical preference. Alphabetically, the name Group1 comes before any of the other matching group policy names: Group3, Group4, and Group5.
Reference:
Cisco: ASA Use of LDAP Attribute Maps Configuration Example: FAQ