Troubleshooting Tip: Group membership check fails with FortiAuthenticator as an LDAP server
Description
This article describes how to troubleshoot a situation where a group membership check fails when using FortiAuthenticator as an LDAP server.
Scope
FortiAuthenticator, FortiManager.
Solution
If FortiAuthenticator is configured as an LDAP server, an issue may occur where authentication appears to work as intended but fails only when trying to authorize a user based on a group membership check.
Ensure that the user shown in the FortiAuthenticator LDAP Directory Tree has also been added manually to the user group:
In the above example, the user 'test3' is mapped under the LDAP directory tree.
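One way to confirm the same thing from the client side is to query the group object over LDAP and check whether the user's DN is listed in its member attribute. The following is an added example, not code from the Fortinet article: it parses LDIF text of the kind ldapsearch prints for a group object, normalizes the DNs, and reports whether a given user is a member. The base DN dc=example,dc=com, the group and user names, and the sample LDIF are all constructed for the example.

```python
"""Check a user's group membership from LDIF output of a group search.

Added example (not from the Fortinet article). Constructed sample LDIF below
stands in for what a query such as
  ldapsearch -x -H ldap://<fortiauthenticator> -D <bind-dn> -W \
      -b "ou=Groups,dc=example,dc=com" "(cn=vpn-users)" member
would return. The base DN and all names are assumptions.
"""
import re

# Constructed sample: two groups, one of them with a folded (continued)
# member line and inconsistent case/spacing, which is legal LDIF.
SAMPLE_LDIF = """\
dn: cn=vpn-users,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: vpn-users
member: uid=test3,ou=Users,dc=example,dc=com
member: UID=alice , OU=Users,DC=example,
 DC=com

dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=bob,ou=Users,dc=example,dc=com
"""


def normalize_dn(dn):
    """Normalize a DN for comparison: lower-case attribute types and values,
    strip whitespace around each RDN. This is a simplification (it does not
    handle escaped commas or attribute syntaxes that are case-sensitive),
    but it catches the common mismatches seen when comparing DNs by hand."""
    parts = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.partition("=")
        parts.append(f"{attr_type.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def parse_ldif(text):
    """Return {normalized_dn: {attribute: [values]}} from LDIF text.
    Continuation lines (a leading single space) are unfolded first."""
    unfolded = re.sub(r"\n ", "", text)
    entries = {}
    current = None
    for line in unfolded.splitlines():
        if not line.strip():          # blank line ends the current entry
            current = None
            continue
        if line.startswith("#"):      # LDIF comment
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        value = value.strip()
        if attr == "dn":
            current = {}
            entries[normalize_dn(value)] = current
            continue
        if current is None:
            continue                  # attribute outside any entry; ignore
        current.setdefault(attr, []).append(value)
    return entries


def membership_status(entries, group_dn, user_dn):
    """Return 'member', 'not-member', or 'group-missing' for user_dn
    against the member attribute of group_dn."""
    group = entries.get(normalize_dn(group_dn))
    if group is None:
        return "group-missing"
    members = {normalize_dn(m) for m in group.get("member", [])}
    return "member" if normalize_dn(user_dn) in members else "not-member"


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    group = "cn=vpn-users,ou=Groups,dc=example,dc=com"
    for user in ("uid=test3,ou=Users,dc=example,dc=com",
                 "uid=bob,ou=Users,dc=example,dc=com"):
        print(user, "->", membership_status(directory, group, user))
```

If the user authenticates but comes back as "not-member" here, the group object on FortiAuthenticator does not list the user, which matches the symptom described above; a "group-missing" result usually points at a wrong group DN or base DN in the client's LDAP server configuration.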

Further Troubleshooting
The following diagnostic commands can be used for live debugging on FMG/FAZ while reproducing the logon issue:
# diag debug application fnbam 255 <- For FortiManager 6.4.2 and below
# diag debug application auth 255 <- For FortiManager 6.4.3 and above
