Technical Tip: How to Limit Admin access for Remote LDAP Users using Group Filter
Description.
This article explains how to apply a Group Filter to LDAP Remote Authentication to limit admin login access to FortiAnalyzer or FortiManager to members of specific AD groups.
Expectations, Requirements
Objective:
Only users who are members of AD groups defined in the group filter can get admin access to Forti
Users from other AD group do not get access
Configuration
1. Active Directory configuration
AD groups and users
‘TestGroup1’ has member ‘group1user’
‘TestGroup2’ has member ‘group2user’
2. FortiAnalyzer/FortiManager configuration of LDAP server with group filter
For group filter, we need to put DN value of group
DN of 'testgroup1'- "cn=testgroup1,dc=mydomain01,dc=local"
Administrator
Verification
- Login with ‘group1user’ succeeds
Login with ‘group2user’ fails
To troubleshoot:
# diagnose debug application auth 25
# diagnose debug enabl