Technical Tip: User not matching policy requiring LDAP Group
Description
Scope
FortiNAC.
Solution
Verify the following:
- Ensure the user record is an LDAP user and not a local record.
Admin Users.
UI Method: User account has Auth Type = LDAP. This can be verified under Users & Hosts -> Administrators.
CLI Method:
DumpUserRecords -userid <username> | grep -i AuthenticateType
If something other than LDAP is returned, it is not an LDAP record.
Standard Users.
UI Method:
- Navigate to Users & Hosts -> User Accounts.
- Search for the user record.
- 'Right-click' and select Modify User.
If the record contains a modifiable password field, the record is a local record, not LDAP.
CLI Method:
DumpUserRecords -userid <username> | grep -i AuthenticateType
If something other than LDAP is returned, it is not an LDAP record.
- The user has group membership in Active Directory for the group used in the User Host Profile.
- The user is searchable using System -> Settings -> Authentication -> LDAP -> Preview.
- The group used in the User Host Profile is selected under System -> Settings -> Authentication -> LDAP -> Modify -> Select Groups.
- A resync of the Directory has been performed under System -> Scheduler -> Synchronize Users with Directory.
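The CLI check above is the quickest way to confirm record type before deleting and re-adding anything. The following shell snippet is an added example (not part of this article or of FortiNAC itself) that reads the output of DumpUserRecords and classifies the record as LDAP, local, or not found; the "AuthenticateType = LDAP" field layout and the sample dumps are constructed assumptions, so adjust the pattern if the appliance prints the field differently.

```shell
# Added example: classify a user record from DumpUserRecords output.
# Assumed field layout: "AuthenticateType = <value>" (adjust if needed).
classify_auth_type() {
  # $1 = full dump text; prints LDAP, LOCAL or NOTFOUND
  line=$(printf '%s\n' "$1" | grep -i 'AuthenticateType' | head -n 1)
  if [ -z "$line" ]; then
    # No record, or the field is missing: either way it is not an LDAP record
    printf 'NOTFOUND\n'
    return 0
  fi
  value=$(printf '%s\n' "$line" | sed 's/^[^=:]*[=:][[:space:]]*//' \
          | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
  case "$value" in
    LDAP) printf 'LDAP\n' ;;
    *)    printf 'LOCAL\n' ;;   # per the article: anything other than LDAP is a local record
  esac
}

# Wrapper for use on the appliance: runs the real command for one user ID.
check_user() {
  classify_auth_type "$(DumpUserRecords -userid "$1" 2>/dev/null)"
}

# Constructed sample dumps so the function can be exercised offline.
LDAP_DUMP='UserID = jdoe
AuthenticateType = LDAP
Role = Employee'
LOCAL_DUMP='UserID = admin2
AuthenticateType = Local
Role = Administrator'

classify_auth_type "$LDAP_DUMP"    # LDAP
classify_auth_type "$LOCAL_DUMP"   # LOCAL
classify_auth_type 'User not found' # NOTFOUND
```

Run check_user for each account that fails the policy; any result other than LDAP points to the delete-and-re-add steps below.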
If the user exists as a local record, the following steps are required:
- Navigate to Users & Hosts -> Administrators or Users & Hosts -> User Accounts and delete the user account.
- Re-add the user by clicking Add and entering the User ID. If found in the directory, the system will indicate that the User ID was found in the directory.
Contact Support for additional assistance. Open a support ticket and include the following:
- Problem description.
- Steps taken to troubleshoot the issue.
- Screen capture of Policy Details (Search host under Hosts -> Host View, 'right-click' on host and select Policy Details).
- Screen capture of Policy host is supposed to match (Policy -> Policy Configuration).
- Screen capture of the User Host Profile used by the policy.
- Screen capture of Help -> About.
- Output of DumpUserRecords -id <username>.
Related articles:
Technical Tip: What causes a host to be moved to an imported LDAP Host Group
Technical Tip: Best practices for LDAP configuration
Technical Tip: Lookup a user in LDAP from CLI
