Create an ASA Active Directory Realm Object

When you create or edit an identity source object such as an AD realm object, CDO sends the configuration request to the ASA devices through the SDC. The ASA then communicates with the configured AD realm.

Use the following procedure to create an object:

Procedure


Step 1

In the left pane, click Objects > ASA Objects.

Step 2

Click Create Object > RA VPN Objects (ASA & FDM) > Identity Source.

Step 3

Enter an Object Name for the object.

Step 4

Select the Device Type as ASA.

Step 5

In the first part of the wizard, select Active Directory Realm as the Identity Source Type. Click Continue.

Step 6

Configure the basic realm properties.

  • Directory Username, Directory Password - The username and password of a directory account with sufficient rights to read the user and group information you want to retrieve. For Active Directory, the account does not need elevated privileges; any user in the domain will do. The username must be fully qualified; for example, Administrator@example.com (not simply Administrator).

    Note

    The system generates ldap-login-dn and ldap-login-password from this information. For example, Administrator@example.com is translated to cn=administrator,cn=users,dc=example,dc=com. Because cn=users is always part of this translation, the account you specify must reside in the Users container (cn=users) of the domain; an account that lives in any other OU or container cannot bind.

  • Base Distinguished Name - The directory tree for searching or querying user and group information, that is, the common parent for users and groups. For example, cn=users,dc=example,dc=com.

Step 7

Configure the directory server properties.

  • Hostname/IP Address—The hostname or IP address of the directory server. If you use an encrypted connection to the server, you must enter the fully qualified domain name, not the IP address, so that the name the ASA connects to matches the name in the server's certificate.

  • Port—The port number used for communications with the server. The default is 389 for unencrypted LDAP. Use port 636 if you select LDAPS as the encryption method.

  • Encryption—To use an encrypted connection for downloading user and group information, select LDAPS. This establishes LDAP over SSL/TLS between the ASA and the LDAP server, and requires the server to accept LDAPS connections, normally on port 636.

    The default is None, which means that the bind credentials derived from the Directory Username and Directory Password, as well as the downloaded user and group information, cross the network in clear text.

Step 8

(Optional) Use the Test button to validate the configuration.

Step 9

(Optional) Click Add another configuration to add multiple Active Directory (AD) servers to the AD realm. The AD servers must be replicas of each other that serve the same AD domain. Therefore, the basic realm properties, that is, the Directory Username, Directory Password, and Base Distinguished Name, must be the same across all AD servers associated with that AD realm; only the server properties (hostname, port, encryption) differ per entry.

Step 10

Click Add.
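The following Python script is an added worked example, not code from CDO or Cisco. It models the rules the wizard applies across Steps 6, 7 and 9: the UPN-to-ldap-login-dn translation (with the fixed cn=users component), the FQDN-not-IP and port-636 checks for LDAPS, the clear-text warning for encryption None, and a single set of realm properties shared by every server in the realm. The `render_asa_aaa_server` function emits the ASA `aaa-server` LDAP commands that correspond to those settings; the command names are standard ASA CLI, but exactly what CDO pushes through the SDC is not shown on this page, so treat that rendering as an assumption. The hostnames, domain and credentials are constructed sample values.

```python
"""Added example: validate and render the settings an ASA AD realm object holds.

Not CDO's or Cisco's own code. The ASA CLI lines in render_asa_aaa_server are
an assumption about the equivalent device configuration, not taken from the page.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RealmProperties:
    """Basic realm properties (Step 6). Shared by every server in the realm (Step 9)."""
    directory_username: str   # fully qualified, e.g. Administrator@example.com
    directory_password: str
    base_dn: str              # e.g. cn=users,dc=example,dc=com


@dataclass(frozen=True)
class DirectoryServer:
    """Directory server properties (Step 7). One per 'Add another configuration'."""
    host: str
    port: int = 389
    encryption: str = "None"  # "None" or "LDAPS"


def upn_to_login_dn(upn: str) -> str:
    """Translate Administrator@example.com into
    cn=administrator,cn=users,dc=example,dc=com, as the wizard does.
    cn=users is fixed, so the account must live in the domain's Users container."""
    if upn.count("@") != 1:
        raise ValueError("username must be fully qualified (user@domain)")
    user, domain = upn.split("@")
    labels = domain.split(".")
    if not user or not all(labels):
        raise ValueError(f"malformed UPN: {upn!r}")
    dcs = ",".join(f"dc={label.lower()}" for label in labels)
    return f"cn={user.lower()},cn=users,{dcs}"


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def validate_server(srv: DirectoryServer) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) a practitioner should catch before clicking Test."""
    errors: list[str] = []
    warnings: list[str] = []
    if srv.encryption == "LDAPS":
        if _is_ip(srv.host):
            errors.append("LDAPS requires the fully qualified domain name, not an IP address")
        if srv.port != 636:
            warnings.append(f"LDAPS normally uses port 636, not {srv.port}")
    elif srv.encryption == "None":
        warnings.append("encryption None: bind credentials and user/group data cross the network in clear text")
    else:
        errors.append(f"unsupported encryption {srv.encryption!r}")
    return errors, warnings


def render_asa_aaa_server(name: str, props: RealmProperties,
                          servers: list[DirectoryServer], interface: str = "inside") -> str:
    """Render the ASA aaa-server configuration equivalent to the realm (assumed, see above).
    Every server entry reuses the same base DN and login DN, matching Step 9."""
    login_dn = upn_to_login_dn(props.directory_username)
    lines = [f"aaa-server {name} protocol ldap"]
    for srv in servers:
        errors, _ = validate_server(srv)
        if errors:
            raise ValueError(f"{srv.host}: " + "; ".join(errors))
        lines.append(f"aaa-server {name} ({interface}) host {srv.host}")
        lines.append(f" server-port {srv.port}")
        lines.append(f" ldap-base-dn {props.base_dn}")
        lines.append(" ldap-scope subtree")
        lines.append(f" ldap-login-dn {login_dn}")
        lines.append(f" ldap-login-password {props.directory_password}")
        lines.append(" server-type microsoft")
        if srv.encryption == "LDAPS":
            lines.append(" ldap-over-ssl enable")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample realm: two replica DCs for example.com, both over LDAPS.
    realm = RealmProperties("Administrator@example.com", "S3cret!", "cn=users,dc=example,dc=com")
    dcs = [DirectoryServer("dc1.example.com", 636, "LDAPS"),
           DirectoryServer("dc2.example.com", 636, "LDAPS")]
    print(render_asa_aaa_server("AD-EXAMPLE", realm, dcs))
    print(validate_server(DirectoryServer("10.0.0.5", 636, "LDAPS")))
```

Run it as-is to see the rendered configuration for the two-server realm; the final line shows the error the FQDN rule raises when an IP address is paired with LDAPS.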