Lightweight Directory Access Protocol (LDAP) is a networking protocol
for querying and modifying directory services that run on TCP/IP and UDP. LDAP
is a lightweight mechanism for accessing an X.500-based directory server.
Cisco Secure Access Control System (ACS) 5.x integrates with an LDAP
external database (also called an identity store) by using the LDAP protocol.
There are two methods used to connect to the LDAP server: plain-text (simple)
and SSL (encrypted) connections. ACS 5.x can be configured to connect to the
LDAP server using either of these methods. This document provides a configuration
example for connecting ACS 5.x to an LDAP server using a simple
This document assumes that the ACS 5.x has an IP connection to the LDAP
server and that port TCP 389 is open.
By default, the Microsoft Active Directory LDAP server is configured to
accept LDAP connections on port TCP 389. If you are using any other LDAP
server, make sure that it is up and running and accepting connections on port
The information in this document is based on these software and
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Technical Tips Conventions for more information on document
The directory service is a software application or set of applications
used to store and organize information about a computer network's users and
network resources. You can use the directory service in order to manage user
access to these resources.
The LDAP directory service is based on a client-server model. A client
connects to an LDAP server in order to start an LDAP session, and sends
operation requests to the server. The server then sends its responses. One or
more LDAP servers contain data from the LDAP directory tree or the LDAP
The directory service manages the directory, which is the database that
holds the information. Directory services use a distributed model in order to
store information, and that information is usually replicated between directory
An LDAP directory is organized in a simple tree hierarchy and can be
distributed among many servers. Each server can have a replicated version of
the total directory that is synchronized periodically.
An entry in the tree contains a set of attributes, where each attribute
has a name (an attribute type or attribute description) and one or more values.
The attributes are defined in a schema.
Each entry has a unique identifier called its Distinguished Name (DN).
This name contains the Relative Distinguished Name (RDN) constructed from
attributes in the entry, followed by the parent entry's DN. You can think of
the DN as a full filename, and the RDN as a relative filename in a
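The DN/RDN relationship above, as an added example that is not part of the Cisco document: a small parser that splits a DN string into its RDNs following the RFC 4514 string form, returns the entry's own RDN and its parent DN (the "full filename versus relative filename" relationship), walks the ancestors up the tree, and decodes escaped characters inside values. All function names and the sample DNs are this example's own.

```python
# Added example, not part of the Cisco document: take an LDAP Distinguished
# Name apart into its Relative Distinguished Names using the RFC 4514 string
# form. The first RDN names the entry; everything after it is the parent's
# DN. The sample DNs used below are constructed for illustration.

_HEX = set("0123456789abcdefABCDEF")


def _split_unescaped(text: str, sep: str) -> list[str]:
    """Split on `sep` only where it is not preceded by a backslash escape."""
    parts, current, escaped = [], [], False
    for ch in text:
        if escaped:                 # character after '\' is taken literally
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    if escaped:
        raise ValueError("string ends with a dangling backslash")
    parts.append("".join(current))
    return parts


def split_dn(dn: str) -> list[str]:
    """Return the RDNs of `dn`, most specific first, with escapes preserved."""
    return [rdn.strip() for rdn in _split_unescaped(dn, ",")]


def rdn_of(dn: str) -> str:
    """The entry's own name: the first RDN."""
    return split_dn(dn)[0]


def parent_dn(dn: str) -> str:
    """Everything after the first RDN is the DN of the parent entry."""
    return ",".join(split_dn(dn)[1:])


def ancestors(dn: str) -> list[str]:
    """Walk up the tree: parent, grandparent, ... down to the naming context."""
    rdns = split_dn(dn)
    return [",".join(rdns[i:]) for i in range(1, len(rdns))]


def unescape_value(value: str) -> str:
    """Decode RFC 4514 escapes: '\\,' -> ',' and a hex pair such as '\\2C' -> ','."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= _HEX:
                out.append(int(pair, 16))      # hex-escaped byte
                i += 3
                continue
            out.extend(value[i + 1].encode())  # backslash-escaped special char
            i += 2
            continue
        out.extend(value[i].encode())
        i += 1
    return out.decode("utf-8")


def rdn_attributes(rdn: str) -> dict[str, str]:
    """Attribute/value pairs of one RDN (multi-valued RDNs are joined by '+')."""
    pairs = {}
    for ava in _split_unescaped(rdn, "+"):
        attr, eq, value = ava.partition("=")
        if not attr or not eq:
            raise ValueError(f"malformed attribute value assertion: {ava!r}")
        pairs[attr.strip().lower()] = unescape_value(value.strip())
    return pairs


if __name__ == "__main__":
    dn = "cn=Doe\\, John,ou=People,dc=example,dc=com"   # constructed sample
    print("RDN:    ", rdn_of(dn))
    print("parent: ", parent_dn(dn))
    print("attrs:  ", rdn_attributes(rdn_of(dn)))
    for a in ancestors(dn):
        print("ancestor", a)
```

The escape handling matters in practice: a comma inside a value (a common name such as "Doe, John") must be escaped, and a naive split on commas would produce a wrong parent DN for such entries.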
ACS 5.x can authenticate a principal against an LDAP identity store by
performing a bind operation on the directory server in order to find and
authenticate the principal. If authentication succeeds, ACS can retrieve groups
and attributes that belong to the principal. The attributes to retrieve can be
configured in the ACS web interface (LDAP pages). These groups and attributes
can be used by ACS in order to authorize the principal.
In order to authenticate a user or query the LDAP identity store, ACS
connects to the LDAP server and maintains a connection pool. See
LDAP Connection Management.
ACS 5.x supports multiple concurrent LDAP connections. Connections are
opened on demand at the time of the first LDAP authentication. The maximum
number of connections is configured for each LDAP server. Opening connections
in advance shortens the authentication time.
You can set the maximum number of connections to use for concurrent
binding connections. The number of opened connections can be different for each
LDAP server (primary or secondary) and is determined according to the maximum
number of administration connections configured for each server.
ACS retains a list of open LDAP connections (including the bind
information) for each LDAP server that is configured in ACS. During the
authentication process, the connection manager attempts to find an open
connection from the pool.
If an open connection does not exist, a new one is opened. If the LDAP
server closed the connection, the connection manager reports an error during
the first call to search the directory, and attempts to renew the
After the authentication process is complete, the connection manager
releases the connection to the connection manager. For more information, refer
5.X User Guide.
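The connection-management behaviour described in this section, as an added example that is neither the Cisco document's code nor ACS's implementation: a minimal pool that opens connections on demand up to a configured maximum, reuses an idle open connection for the next authentication, detects a connection the server has closed on the first search and renews it, and can pre-open connections ahead of the first authentication. FakeLdapConnection stands in for a real LDAP session, and all names, hostnames and DNs are constructed for this example.

```python
# Added example, not part of the Cisco document or of ACS: a connection pool
# that behaves the way the text describes ACS's connection manager.
import threading
from dataclasses import dataclass


@dataclass
class FakeLdapConnection:
    """Stand-in for a real LDAP session (constructed for this example)."""
    host: str
    bind_dn: str             # bind information is retained with the connection
    closed_by_server: bool = False

    def search(self, base_dn: str, filt: str) -> list[str]:
        if self.closed_by_server:
            raise ConnectionError("connection closed by LDAP server")
        return [f"uid=match,{base_dn}"]      # pretend one entry matched


class LdapConnectionPool:
    def __init__(self, host: str, bind_dn: str, max_connections: int):
        self._host, self._bind_dn, self._max = host, bind_dn, max_connections
        self._idle: list[FakeLdapConnection] = []
        self._in_use = 0
        self._lock = threading.Lock()
        self.opened = 0      # total connections ever opened (shows reuse)
        self.renewed = 0     # connections replaced after a server-side close

    def _open(self) -> FakeLdapConnection:
        self.opened += 1
        return FakeLdapConnection(self._host, self._bind_dn)

    def prewarm(self, count: int) -> None:
        """Open connections in advance so the first authentication is faster."""
        with self._lock:
            while len(self._idle) + self._in_use < min(count, self._max):
                self._idle.append(self._open())

    def idle(self) -> list[FakeLdapConnection]:
        return list(self._idle)

    def acquire(self) -> FakeLdapConnection:
        """Hand out an open connection, opening a new one only when none is idle."""
        with self._lock:
            if self._idle:
                conn = self._idle.pop()
            elif self._in_use < self._max:
                conn = self._open()
            else:
                raise RuntimeError("all connections in use")
            self._in_use += 1
            return conn

    def release(self, conn: FakeLdapConnection) -> None:
        with self._lock:
            self._in_use -= 1
            if not conn.closed_by_server:    # a dead connection is not returned
                self._idle.append(conn)

    def search(self, base_dn: str, filt: str) -> list[str]:
        conn = self.acquire()
        try:
            try:
                return conn.search(base_dn, filt)
            except ConnectionError:
                # The server dropped the session: the error surfaces on the
                # first directory call, and the manager renews the connection.
                with self._lock:
                    self.renewed += 1
                    conn = self._open()
                return conn.search(base_dn, filt)
        finally:
            self.release(conn)


def run_scenario() -> dict:
    """Walk through reuse, renewal and exhaustion; return what was observed."""
    pool = LdapConnectionPool("ldap.example.com",          # constructed host
                              "cn=acsadmin,dc=example,dc=com", max_connections=2)
    base = "dc=example,dc=com"
    pool.search(base, "(uid=alice)")          # first auth opens connection 1
    pool.search(base, "(uid=bob)")            # second auth reuses it
    after_reuse = pool.opened
    pool.idle()[0].closed_by_server = True    # simulate a server idle timeout
    pool.search(base, "(uid=carol)")          # error on search, then renewal
    after_renewal = (pool.opened, pool.renewed)
    c1, c2 = pool.acquire(), pool.acquire()   # both slots taken
    try:
        pool.acquire()
        exhausted = False
    except RuntimeError:
        exhausted = True
    pool.release(c1)
    pool.release(c2)
    return {"after_reuse": after_reuse, "after_renewal": after_renewal,
            "exhausted": exhausted, "idle_now": len(pool.idle()),
            "total_opened": pool.opened}


if __name__ == "__main__":
    print(run_scenario())
```

The maximum is what bounds the load one ACS instance can place on the directory server; when it is reached, further authentications must wait or fail rather than open more sessions, so size it against the server's own connection limits.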
In this section, you are presented with the information to configure
the features described in this document.
Complete these steps in order to configure ACS 5.x for
Choose Users and Identity Stores >
External Identity Stores > LDAP, and click
Create in order to create a new LDAP
In the General tab, provide the Name and
Description (optional) for the new LDAP, and click
In the Server Connection tab under the Primary Server section,
provide the Hostname, Port, Admin
DN, and Password. Click Test Bind To
Note: The IANA assigned port number for LDAP is TCP 389. However,
confirm the port number that your LDAP server is using from your LDAP Admin.
The Admin DN and Password should be provided to you by your LDAP Admin. Your
Admin DN should have read permissions on all the OUs on the LDAP
This image shows that the Connection Test Bind to the
server was successful.
Note: If the Test Bind is not successful, re-verify the
Hostname, Port number, Admin
DN, and Password from your LDAP Administrator.
Provide the required details in the Directory Organization tab
under the Schema section. Similarly, provide the required information under the
Directory Structure section as provided by your LDAP Admin. Click Test
This image shows that the Configuration Test is
Note: If the Configuration Test is not successful, re-verify the
parameters provided in the Schema and the Directory
Structure from your LDAP Administrator.
The LDAP server is created
Complete the steps in order to configure the Identity
Choose Access Policies > Access
Services > Service Selection Rules, and verify
which service is going to use the LDAP server for Authentication. In this
example, the LDAP Server Authentication uses the Default Network
Once you have verified the service in Step 1, go to the particular
service and click Allowed Protocols. Make sure that
Allow PAP/ASCII is selected, and click
Note: You can have other authentication protocols selected along with
Click on the service identified in Step 1, and click
Identity. Click Select to the right of the Identity
Select the newly created LDAP Server (myLDAP, in
this example), and click OK.
Click Save Changes.
Go to the Authorization section of the service identified in Step
1, and make sure that there is at least one Rule that permits
ACS sends a bind request to authenticate the user against an LDAP
server. The bind request contains the user's DN and user password in clear
text. A user is authenticated when the user's DN and password match the
username and password in the LDAP directory.
Authentication Errors - ACS logs authentication
errors in the ACS log files.
Initialization Errors - Use the LDAP server timeout
settings in order to configure the number of seconds that ACS waits for a
response from an LDAP server before determining that the connection or
authentication on that server has failed. Possible reasons for an LDAP server
to return an initialization error are:
LDAP is not supported
The server is down
The server is out of memory
The user has no privileges
Incorrect administrator credentials are
Bind Errors - Possible reasons for an LDAP server to
return bind (authentication) errors are:
A search using filter criteria fails
Invalid parameters were entered
User account is restricted (disabled, locked out, expired, password
expired, and so
These errors are logged as external resource errors, indicating a
possible problem with the LDAP server:
The "A user does not exist in the database" error is logged as an Unknown
User error.
The "An invalid password was entered" error is logged as an Invalid Password
error, where the user exists, but the password sent is invalid.