Skip to main content
xsilver_FTNT
Staff
xsilver_FTNT
Staff
August 8, 2018

Technical Tip: LDAP Nested Group settings and changes in FortiOS v5.6, v6.0 and v6.2

  • August 8, 2018
  • 0 replies
  • 19078 views

Description

 

This article describes how to modify the LDAP Nested group settings. 

In order to authenticate a user via LDAP while the user is not a direct member of the group, but a member of a nested group, set FortiGate so that it will be able to check for nested groups inside LDAP.

By default, any nested group check support is disabled.

On the previous versions of FortiOS, the 'set search-type nested' option was available, but on FortiOS v5.6 and v6.0 are not available.

In FortiOS v5.6 and v6.0, 'search-type nested' was replaced with 'extended group-filter'.

However, in FortiOS v6.2, 'search-type recursive' is available.

These limitations are resolved in 7.0+; use recursive mode instead of chaining 'extended group-filter'.

Note: The option'nested' is replaced with 'recursive'.

 

Scope

 

FortiGate.


Solution


On FortiOS v5.6 and v6.0 the 'search-type nested' option was replaced with a more flexible group-filter setting in LDAP user configuration.

 

config user ldap
    edit "LDAP-AD-SERVER"
        set <other necessary settings like server,dn etc>
        set group-filter "(|(&(objectclass=group)(member:1.2.840.113556.1.4.1941:=%u))(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%pg)))"
end

 

Since FortiOS v6.2.0, there is a 'search-type recursive' in the user LDAP config, and this option is still in the CLI only.
It brings similar results as the older 'nested' option, but in contrast to group-filter, the results do not contain AD Builtin (CN=Builtin,DC=YourDomain..) user groups. See examples in the verification section.

 

config user ldap
    edit "LDAP-AD-SERVER"
        set search-type recursive
end

 

FortiOS upgrade to v6.2:

  1. Group-filter option is not automatically changed to recursive search-type during the upgrade process, because group-filter might be more customized than the above mentioned simple example.

  2. Group-filter option used in FortiOS 5.6-6.0 is still valid in FortiOS 6.2 and works as before, so there is no changes needed manually.

  3. Once search-type is set, group-filter option will be hidden and disabled! So use either a simple search-type or a complex group filter.

  4. Another point of view is CPU load on DC, as the group-filter is passed to LDAP in a query and all the group processing is done by DC, which might be CPU-intensive if the filter is not specific enough. Search-type option make fnbamd to issue subsequent queries to resolve group nesting, and this is lighter on DC, but more intensive in network traffic and CPU usage on the FortiGate side.

  5. Search-type recursive at the moment does not resolve groups nested under the primary user group. If it is needed, use the group filter as mentioned above, even on FortiOS v6.2.
 
The following is an example of the configuration.
 
Diagram:
User 'Test-nested' is a member of group 'grp-nested-L2'.
Group 'grp-nested-L2' is a member of 'grp-nested-L1'.
Group 'grp-nested-L1' is a member of 'grp-nested-L0'.
 
Configuration GUI:
Group filtering is not configurable in the GUI; it can only be configured in the CLI.
 
Configuration CLI, FortiOS v5.6 and v6.0:
 
config user ldap
    edit "C24_ALFA.XSILVER.ORG"
        set server "10.109.19.88"
        set cnid "cn"
        set dn "dc=alfa,dc=xsilver,dc=org"
        set type regular
        set username "cn=administrator,cn=users,dc=alfa,dc=xsilver,dc=org"
        set password supersecretpassword
        set group-filter "(|(&(objectclass=group)(member:1.2.840.113556.1.4.1941:=%u))(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%pg)))"
    next
end
 
Configuration CLI, FortiOS v6.2:
 
config user ldap
    edit "C24_ALFA.XSILVER.ORG"
        set server "10.109.19.88"
        set cnid "cn"
        set dn "dc=alfa,dc=xsilver,dc=org"
        set type regular
        set username "cn=administrator,cn=users,dc=alfa,dc=xsilver,dc=org"
        set password supersecretpassword
        set search-type recursive
    next
en
 
Configuration CLI, FortiOS v7.0+:
 
config user ldap
    edit "AD-LDAP"
        set server "10.1.1.100"
        set cnid "cn"
        set dn "dc=example,dc=com"
        set type regular
        set secure ldaps
        set port 636
        set username "cn=service,cn=users,dc=example,dc=com"
        set password <password>
        set member-attr "memberOf" # Primary groups
        set group-member-attr "memberOf"
        set group-search-type recursive # Key new option: recursive (default), iterative, or chained
        set group-filter "(objectClass=group)" # Optional refinement
    next
end
 
Verification of Configuration and troubleshooting:
Use the configuration in the example of FortiOS v5.6/v6.0 and the described LDAP structure. When doing test authserver LDAP with the group filter handling nested groups, all the groups from the nested chain will be displayed.
 
diagnose test authserver ldap C24_ALFA.XSILVER.ORG test-nested tester
 
authenticate 'test-nested' against 'C24_ALFA.XSILVER.ORG' succeeded
Group membership(s) - CN=Domain Users,CN=Users,DC=alfa,DC=xsilver,DC=org
                      CN=Users,CN=Builtin,DC=alfa,DC=xsilver,DC=org
                      CN=Remote Desktop Users,CN=Builtin,DC=alfa,DC=xsilver,DC=org
                      CN=grp-nested-L0,CN=Users,DC=alfa,DC=xsilver,DC=org
                      CN=grp-nested-L1,CN=Users,DC=alfa,DC=xsilver,DC=org
                      CN=grp-nested-L2,CN=Users,DC=alfa,DC=xsilver,DC=org
 
Without a group-filter, it will only display groups that the user is a direct MemberOf (grp-nested-L2, especially in this test case).
 
diagnose test authserver ldap C24_ALFA.XSILVER.ORG test-nested tester
 
authenticate 'test-nested' against 'C24_ALFA.XSILVER.ORG' succeeded!
 
Group membership(s) - CN=grp-nested-L2,CN=Users,DC=alfa,DC=xsilver,DC=org
                      CN=Domain Users,CN=Users,DC=alfa,DC=xsilver,DC=org
 
When the group-filter is removed, and search-type recursive is used, as in the config example from FortiOS v6.2, it will display all the custom and nested groups as before. However, it will not display any AD Builtin groups (compare outputs and pay attention to 'CN=Users,CN=Builtin' and 'CN=Remote Desktop Users, CN=Builtin' groups).
 
diagnose test authserver ldap LDAP-C24-ALFA test-nested tester

authenticate 'test-nested' against 'LDAP-C24-ALFA' succeeded!

Group membership(s) - CN=grp-nested-L2,CN=Users,DC=alfa,DC=xsilver,DC=org
                      CN=Domain Users,CN=Users,DC=alfa,DC=xsilver,DC=org
                      CN=grp-nested-L1,CN=Users,DC=alfa,DC=xsilver,DC=org
                      CN=grp-nested-L0,CN=Users,DC=alfa,DC=xsilver,DC=orgSample fnbamd debug output is as follows:
 
diagnose debug application fnbamd 7
diagnose debug enable
diagnose test authserver ldap LDAP-C24-ALFA test-nested tester
[2273] handle_req-Rcvd auth req 588851107 for test-nested in LDAP-C24-ALFA opt=0000001b prot=0
[614] fnbamd_pop3_start-test-nested
[1042] __fnbamd_cfg_get_ldap_list_by_server-Loading LDAP server 'LDAP-C24-ALFA'
[1662] fnbamd_ldap_init-search filter is: cn=test-nested
[1671] fnbamd_ldap_init-search base is: dc=alfa,dc=xsilver,dc=org
[1019] __fnbamd_ldap_dns_cb-Resolved LDAP-C24-ALFA(idx 0) to 10.109.19.88
[1087] __fnbamd_ldap_dns_cb-Still connecting.
[557] create_auth_session-Total 1 server(s) to try
[969] __ldap_connect-tcps_connect(10.109.19.88) is established.
[204] __ldap_build_bind_req-Binding to 'administrator@alfa.xsilver.org'
[937] fnbamd_ldap_send-Request is sent. ID 1
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
[864] fnbamd_ldap_parse_response-ret=0
[910] __ldap_rxtx-Change state to 'DN search'
[592] fnbamd_ldap_build_dn_search_req-base:'dc=alfa,dc=xsilver,dc=org' filter:cn=test-nested
[937] fnbamd_ldap_send-Request is sent. ID 2
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-entry
[864] fnbamd_ldap_parse_response-ret=0
[1180] __fnbamd_ldap_dn_entry-Get DN 'CN=test-nested,CN=Users,DC=alfa,DC=xsilver,DC=org'
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[864] fnbamd_ldap_parse_response-ret=0
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[864] fnbamd_ldap_parse_response-ret=0
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[864] fnbamd_ldap_parse_response-ret=0
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result
[864] fnbamd_ldap_parse_response-ret=0
[910] __ldap_rxtx-Change state to 'User Binding'
[437] fnbamd_ldap_build_userbind_req-Trying DN 'CN=test-nested,CN=Users,DC=alfa,DC=xsilver,DC=org'
[204] __ldap_build_bind_req-Binding to 'CN=test-nested,CN=Users,DC=alfa,DC=xsilver,DC=org'
[937] fnbamd_ldap_send-Request is sent. ID 3
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind
[864] fnbamd_ldap_parse_response-ret=0
[910] __ldap_rxtx-Change state to 'Attr query'
[490] fnbamd_ldap_build_attr_search_req-Adding attr 'memberOf'
[502] fnbamd_ldap_build_attr_search_req-base:'CN=test-nested,CN=Users,DC=alfa,DC=xsilver,DC=org' filter:cn=*
[937] fnbamd_ldap_send-Request is sent. ID 4
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-entry
[864] fnbamd_ldap_parse_response-ret=0
[553] __get_member_of_groups-Get the memberOf groups.
[519] __retrieve_group_values-Get the memberOf groups.
[530] __retrieve_group_values- attr='memberOf', found 1 values
[539] __retrieve_group_values-val[0]='CN=grp-nested-L2,CN=Users,DC=alfa,DC=xsilver,DC=org'
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-result
[864] fnbamd_ldap_parse_response-ret=0
[1260] __fnbamd_ldap_attr_next-Entering CHKPRIMARYGRP state
[910] __ldap_rxtx-Change state to 'Primary group query'
[526] fnbamd_ldap_build_primary_grp_search_req-starting primary group check...
[530] fnbamd_ldap_build_primary_grp_search_req-number of sub auths 5
[548] fnbamd_ldap_build_primary_grp_search_req-base:'dc=alfa,dc=xsilver,dc=org' filter:(&(objectclass=group)(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\bb\f4\90\f4\30\bd\1f\79\0b\35\92\63\01\02\00\00))
[937] fnbamd_ldap_send-Request is sent. ID 5
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:search-entry
[864] fnbamd_ldap_parse_response-ret=0
[470] __get_one_group-group: CN=Domain Users,CN=Users,DC=alfa,DC=xsilver,DC=org
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:search-reference
[864] fnbamd_ldap_parse_response-ret=0
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:search-reference
[864] fnbamd_ldap_parse_response-ret=0
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:search-reference
[864] fnbamd_ldap_parse_response-ret=0
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:search-result
[864] fnbamd_ldap_parse_response-ret=0
[910] __ldap_rxtx-Change state to 'User recursive group query'
[735] fnbamd_ldap_build_recursive_grp_search_req-base:'dc=alfa,dc=xsilver,dc=org' filter:(&(objectclass=group)(|(distinguishedName=CN=grp-nested-L2,CN=Users,DC=alfa,DC=xsilver,DC=org)))
[937] fnbamd_ldap_send-Request is sent. ID 6
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:6, type:search-entry
[864] fnbamd_ldap_parse_response-ret=0
[519] __retrieve_group_values-Get the memberOf groups.
[530] __retrieve_group_values- attr='memberOf', found 1 values
[539] __retrieve_group_values-val[0]='CN=grp-nested-L1,CN=Users,DC=alfa,DC=xsilver,DC=org'
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:6, type:search-reference
[864] fnbamd_ldap_parse_response-ret=0
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:6, type:search-reference
[864] fnbamd_ldap_parse_response-ret=0
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:6, type:search-reference
[864] fnbamd_ldap_parse_response-ret=0
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:6, type:search-result
[864] fnbamd_ldap_parse_response-ret=0
[372] __ldap_grp_list_need_more_check-Group 'CN=grp-nested-L1,CN=Users,DC=alfa,DC=xsilver,DC=org' is not checked
[910] __ldap_rxtx-Change state to 'User recursive group query'
[735] fnbamd_ldap_build_recursive_grp_search_req-base:'dc=alfa,dc=xsilver,dc=org' filter:(&(objectclass=group)(|(distinguishedName=CN=grp-nested-L1,CN=Users,DC=alfa,DC=xsilver,DC=org)))
[937] fnbamd_ldap_send-Request is sent. ID 7
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:7, type:search-entry
[864] fnbamd_ldap_parse_response-ret=0
[519] __retrieve_group_values-Get the memberOf groups.
[530] __retrieve_group_values- attr='memberOf', found 1 values
[539] __retrieve_group_values-val[0]='CN=grp-nested-L0,CN=Users,DC=alfa,DC=xsilver,DC=org'
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:7, type:search-reference
[864] fnbamd_ldap_parse_response-ret=0
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:7, type:search-reference
[864] fnbamd_ldap_parse_response-ret=0
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:7, type:search-reference
[864] fnbamd_ldap_parse_response-ret=0
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:7, type:search-result
[864] fnbamd_ldap_parse_response-ret=0
[372] __ldap_grp_list_need_more_check-Group 'CN=grp-nested-L0,CN=Users,DC=alfa,DC=xsilver,DC=org' is not checked
[910] __ldap_rxtx-Change state to 'User recursive group query'
[735] fnbamd_ldap_build_recursive_grp_search_req-base:'dc=alfa,dc=xsilver,dc=org' filter:(&(objectclass=group)(|(distinguishedName=CN=grp-nested-L0,CN=Users,DC=alfa,DC=xsilver,DC=org)))
[937] fnbamd_ldap_send-Request is sent. ID 8
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:8, type:search-entry
[864] fnbamd_ldap_parse_response-ret=0
[519] __retrieve_group_values-Get the memberOf groups.
[524] __retrieve_group_values-attr='memberOf' - found 0 values
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:8, type:search-reference
[864] fnbamd_ldap_parse_response-ret=0
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:8, type:search-reference
[864] fnbamd_ldap_parse_response-ret=0
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:8, type:search-reference
[864] fnbamd_ldap_parse_response-ret=0
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:8, type:search-result
[864] fnbamd_ldap_parse_response-ret=0
[1420] __fnbamd_ldap_recursive_grp_next-Auth accepted
[910] __ldap_rxtx-Change state to 'Done'
[937] fnbamd_ldap_send-Request is sent. ID 9
[3053] fnbamd_ldap_result-Result for ldap svr 10.109.19.88 is SUCCESS
[3067] fnbamd_ldap_result-Skipping group matching
[989] find_matched_usr_grps-Skipped group matching
[182] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 588851107
[713] destroy_auth_session-delete session 588851107

authenticate 'test-nested' against 'LDAP-C24-ALFA' succeeded!

Group membership(s) - CN=grp-nested-L2,CN=Users,DC=alfa,DC=xsilver,DC=org
                      CN=Domain Users,CN=Users,DC=alfa,DC=xsilver,DC=org
                      CN=grp-nested-L1,CN=Users,DC=alfa,DC=xsilver,DC=org
                      CN=grp-nested-L0,CN=Users,DC=alfa,DC=xsilver,DC=org

 

Related documents:

Technical Tip: LDAP Nested Group authentication for SSL VPN

LDAP 

Terms & ConditionsAccessibility statement