Technical Tip: LDAP: Using Active Directory Nested Groups to authorize system administrators
Description
This article provides the configuration required for recursive LDAP search in Microsoft Active Directory.
The purpose is to authorize the members of all subgroups by defining only the top level group in the FortiManager/FortiAnalyzer configuration.
Scope
FortiManager after 6.2.2.
FortiAnalyzer after 6.2.2.
Solution
Replace the default filter string in the FortiManager/FortiAnalyzer LDAP Server object with the one below. It uses the Active Directory extensible matching rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN), which makes the domain controller follow the member attribute transitively through nested groups instead of checking direct membership only:
# config system admin ldap
edit "<your_server_name_here>"
...
set filter (|(&(objectclass=group)(member:1.2.840.113556.1.4.1941:=%u))(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%pg)))
...
next
end
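The following is an added illustration, not Fortinet code and not the article's own configuration, of what the filter above asks the domain controller to evaluate. It expands the template the way FortiManager is assumed to (the %u token replaced by the authenticated user's DN and %pg by the DN of the user's primary group; both token meanings are assumptions), escapes the substituted DNs per RFC 4515, and then evaluates a flat member=… check against an in-chain check over a small constructed directory in which the administrator group contains the user only through two levels of nesting, with a deliberate cycle between two groups.

```python
"""Added illustration (not Fortinet code): what the nested-group filter asks Active
Directory to evaluate. DIRECTORY is constructed sample data; the meanings of the
%u and %pg tokens are assumptions."""

# OID of the Active Directory extensible matching rule LDAP_MATCHING_RULE_IN_CHAIN.
IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed directory: group DN -> set of direct member DNs (users and nested groups).
# SecOps is nested in NetOps, which is nested in FMG-Admins. NetOps is also listed as a
# member of SecOps so that the evaluator has to cope with cyclic nesting.
DIRECTORY = {
    "CN=FMG-Admins,OU=Groups,DC=example,DC=com": {
        "CN=NetOps,OU=Groups,DC=example,DC=com",
    },
    "CN=NetOps,OU=Groups,DC=example,DC=com": {
        "CN=SecOps,OU=Groups,DC=example,DC=com",
        "CN=bob,OU=Users,DC=example,DC=com",
    },
    "CN=SecOps,OU=Groups,DC=example,DC=com": {
        "CN=alice,OU=Users,DC=example,DC=com",
        "CN=NetOps,OU=Groups,DC=example,DC=com",
    },
}


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside a filter assertion value.
    A DN such as 'CN=Smith (ext),...' would otherwise break the filter, or let a
    crafted value change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(user_dn: str, primary_group_dn: str, recursive: bool = True) -> str:
    """Expand the filter template from the article. %u is assumed to become the user's DN
    and %pg the DN of the user's primary group. recursive=False yields the flat
    (member=...) form for comparison."""
    rule = f":{IN_CHAIN}:" if recursive else ""
    u, pg = escape_filter_value(user_dn), escape_filter_value(primary_group_dn)
    return (f"(|(&(objectClass=group)(member{rule}={u}))"
            f"(&(objectClass=group)(member{rule}={pg})))")


def member_flat(group_dn: str, dn: str) -> bool:
    """What (member=dn) matches: direct membership only."""
    return dn in DIRECTORY.get(group_dn, set())


def member_in_chain(group_dn: str, dn: str) -> bool:
    """What (member:1.2.840.113556.1.4.1941:=dn) matches: the domain controller follows
    the member attribute transitively through nested groups. The seen set stops cycles."""
    seen, stack = set(), [group_dn]
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        members = DIRECTORY.get(group, set())
        if dn in members:
            return True
        stack.extend(m for m in members if m in DIRECTORY)  # descend into nested groups only
    return False


def authorized(user_dn: str, admin_group_dn: str, recursive: bool) -> bool:
    """Would the single top-level admin group configured on FortiManager match this user?"""
    check = member_in_chain if recursive else member_flat
    return check(admin_group_dn, user_dn)


if __name__ == "__main__":
    top = "CN=FMG-Admins,OU=Groups,DC=example,DC=com"
    for user in ("CN=alice,OU=Users,DC=example,DC=com", "CN=bob,OU=Users,DC=example,DC=com"):
        print(user.split(",")[0], "flat:", authorized(user, top, False),
              "in-chain:", authorized(user, top, True))
    print(build_filter("CN=Smith (ext),OU=Users,DC=example,DC=com",
                       "CN=Domain Users,CN=Users,DC=example,DC=com"))
```

Both alice (two levels down) and bob (one level down) are rejected by the flat filter and accepted by the in-chain filter, and the cycle between NetOps and SecOps does not loop. Two practical consequences follow from how the rule works: the value substituted for %u must be the user's full distinguished name, because the matching rule compares DNs, and the recursion is performed by the domain controller at query time, so on large or deeply nested forests the search is noticeably more expensive than a flat member= lookup. The expanded filter can be tried directly against a domain controller with ldapsearch, using the user's DN, before committing it to the FortiManager configuration.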
Note:
This filter is specific to Active Directory: the OID 1.2.840.113556.1.4.1941 is a Microsoft matching rule, and the value it is applied to must be a distinguished name, so the value substituted for %u has to be the user's full DN.
Other LDAP servers may resolve nested group membership by default, or may require a different filter syntax.
See this KB article: Technical Tip: LDAP - Configuring Active Directory groups as remote administrators in FortiManager and FortiAnalyzer for the steps to authorize Active Directory groups as remote administrators. Scenario #2 of that article does not work with the nested-group filter described here.
