
Cisco Defense Orchestrator

Create or Edit an ASA Active Directory Realm Object

About Active Directory Realm Objects 

When you create or edit an identity source object such as an AD realm object, CDO sends the configuration request to the ASA devices through the SDC. The ASA then communicates with the configured AD realm. 

Create an ASA Active Directory Realm Object 

Use the following procedure to create an object:

  1. From the CDO navigation bar, click Objects.
  2. Click Create Object > Identity Source.
  3. Enter an Object Name for the object.
  4. Select the Device Type as ASA.
  5. In the first part of the wizard, select Active Directory Realm as the Identity Source Type. Click Continue.
  6. Configure the basic realm properties.
  • Directory Username, Directory Password - The distinguished username and password for a user with appropriate rights to the user information you want to retrieve. For Active Directory, the user does not need elevated privileges. You can specify any user in the domain. The username must be fully qualified; for example, Administrator@example.com (not simply Administrator).

Note: The system generates ldap-login-dn and ldap-login-password from this information. For example, Administrator@example.com is translated as cn=administrator,cn=users,dc=example,dc=com. Note that cn=users is always part of this translation, so you must configure the user you specify here under the common name “users” folder.

  • Base Distinguished Name - The directory tree for searching or querying user and group information, that is, the common parent for users and groups. For example, cn=users,dc=example,dc=com.
  7. Configure the directory server properties.
  • Hostname/IP Address—The hostname or IP address of the directory server. If you use an encrypted connection to the server, you must enter the fully-qualified domain name, not the IP address.

  • Port—The port number used for communications with the server. The default is 389. Use port 636 if you select LDAPS as the encryption method.

  • Encryption—To use an encrypted connection for downloading user and group information, select LDAPS to use SSL to secure communications between the ASA and the LDAP server. It requires LDAP over SSL. Use port 636.
    The default is None, which means that user and group information is downloaded in clear text.

  8. (Optional) Use the Test button to validate the configuration. 
  9. (Optional) Click Add another configuration to add multiple Active Directory (AD) servers to the AD realm. The AD servers need to be duplicates of each other and support the same AD domain. Therefore, the basic realm properties such as Directory Username, Directory Password, and Base Distinguished Name must be the same across all AD servers associated with that AD realm.
  10. Click Add.
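The username-to-DN translation in the note above and the hostname, port and encryption rules for the directory server, worked through as an added example (this is not CDO or ASA code, and the realm, users and hostnames in it are constructed):

```python
import ipaddress
from dataclasses import dataclass, field


def login_dn_from_upn(upn: str) -> str:
    """Derive ldap-login-dn from a fully qualified Directory Username as the note describes:
    Administrator@example.com -> cn=administrator,cn=users,dc=example,dc=com."""
    user, sep, domain = upn.partition("@")
    if not sep or not user or not domain:
        raise ValueError(f"Directory Username must be fully qualified (user@domain): {upn!r}")
    dcs = ",".join(f"dc={label.lower()}" for label in domain.split("."))
    return f"cn={user.lower()},cn=users,{dcs}"  # cn=users is always part of the translation


@dataclass
class DirectoryServer:
    host: str
    port: int = 389              # page default
    encryption: str = "None"     # "None" (clear text) or "LDAPS"


@dataclass
class AdRealm:
    directory_username: str
    base_dn: str
    servers: list = field(default_factory=list)


def _is_ip_address(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_realm(realm: AdRealm) -> list:
    """Return findings for a candidate realm; an empty list means it follows the page's rules."""
    findings = []
    try:
        login_dn_from_upn(realm.directory_username)
    except ValueError as e:
        findings.append(str(e))
    if not realm.servers:
        findings.append("realm has no directory server configured")
    for s in realm.servers:
        if s.encryption == "LDAPS":
            if _is_ip_address(s.host):   # encrypted connections need the FQDN, not an IP
                findings.append(f"{s.host}: LDAPS requires a fully qualified domain name, not an IP address")
            if s.port != 636:
                findings.append(f"{s.host}: LDAPS uses port 636, not {s.port}")
        elif s.encryption == "None":     # worth surfacing: credentials and directory data go in clear text
            findings.append(f"{s.host}: encryption None downloads user and group information in clear text")
        else:
            findings.append(f"{s.host}: unknown encryption setting {s.encryption!r}")
    return findings
```

Run `check_realm` on the realm you intend to create; every finding corresponds to a rule stated in the procedure above, so an empty list means the wizard's Test button is the next step.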

Edit an ASA Active Directory Realm Object 

Note that you cannot change the Identity Source Type when editing an Identity source object. You must create a new object with the correct type. 

  1. From the CDO navigation bar, click Objects.
  2. Locate the object you want to edit by using object filters and search field.
  3. Select the object you want to edit.
  4. Click the edit icon in the Actions pane of the details panel.
  5. Edit the values in the dialog box in the same way you set them in the procedure above. Expand the configuration bar listed below to edit or test the hostname/IP address or encryption information. 
  6. Click Save.
  7. CDO displays the policies that will be affected by the change. Click Confirm to finalize the change to the object and any policy affected by it.
  8. Review and deploy now the changes you made, or wait and deploy multiple changes at once.