Grumman
New Member
October 1, 2015
Solved

Captive Portal & OpenLDAP

I have successfully managed to configure FortiGate captive portal authentication through an OpenLDAP server on a 60D firewall.

Now the problem I am facing is that I made it work with individual users that reside on the OpenLDAP server.

What I am trying to accomplish now is, instead of having to add the LDAP users on FortiGate individually, I would like to have a group on the FortiGate that points to the same LDAP group and have any users in that LDAP group be able to go through the captive portal.

I have set up the group on both FortiGate and LDAP, but when I am trying to log in on the captive portal with a user account that belongs to that group on the LDAP, it says Authentication Failed.

Any ideas?

    Best answer by xsilver_FTNT

    1 reply

    xsilver_FTNT
    Staff
    October 2, 2015

    Hello,

    The default FGT LDAP server config looks for the 'MemberOf' LDAP attribute to catch group membership. OpenLDAP usually does not have group membership presented in this LDAP attribute.

    Pay attention to 'group-member-check' and 'member-attr' in the config user ldap / <LDAP-server> settings.

    For example, you can do the following for usual OpenLDAP:

    set group-member-check group-object
    set group-object-filter (&(objectclass=posixgroup)(memberuid=*))

    Best regards, Tomas
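A small model of the two membership checks Tomas contrasts, added here as an illustration rather than Fortinet's code: the default lookup of a memberOf attribute on the user's entry, and the group-object search driven by group-object-filter. It assumes the FortiGate substitutes the login name for the '*' in the filter and compares the matching group's DN with the group configured on the FortiGate, and runs against a constructed OpenLDAP-style directory of posixAccount users and one posixGroup.

```python
import re

# Constructed sample directory (not a real deployment): posixAccount users and a
# posixGroup, exactly the OpenLDAP layout with no memberOf attribute on the users.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectclass": ["posixaccount", "inetorgperson"], "uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectclass": ["posixaccount", "inetorgperson"], "uid": ["bob"]},
    "cn=WiFi-Users,ou=groups,dc=example,dc=com": {
        "objectclass": ["posixgroup"], "cn": ["WiFi-Users"], "memberuid": ["alice"]},
}

GROUP_DN = "cn=WiFi-Users,ou=groups,dc=example,dc=com"   # group referenced by the FGT user group
FILTER = "(&(objectclass=posixgroup)(memberuid=*))"      # the group-object-filter from the answer


def matches(entry, filt):
    """Evaluate a tiny LDAP filter subset: (attr=value), (attr=*) and (&(...)(...))."""
    filt = filt.strip()
    if filt.startswith("(&"):
        return all(matches(entry, p) for p in re.findall(r"\([^()]*\)", filt[2:-1]))
    attr, _, value = filt[1:-1].partition("=")
    values = [v.lower() for v in entry.get(attr.lower(), [])]
    return bool(values) if value == "*" else value.lower() in values


def check_user_attr(username, group_dn, member_attr="memberOf"):
    """Default check: read the member attribute on the user's own entry."""
    for entry in DIRECTORY.values():
        if username in entry.get("uid", []):
            return group_dn.lower() in [v.lower() for v in entry.get(member_attr.lower(), [])]
    return False


def check_group_object(username, group_dn, group_filter):
    """group-member-check group-object: substitute the login name for '*' (assumption),
    search for a group entry matching the filter, and compare its DN with the FGT group."""
    filt = group_filter.replace("*", username)
    return any(dn.lower() == group_dn.lower() and matches(entry, filt)
               for dn, entry in DIRECTORY.items())


if __name__ == "__main__":
    print(check_user_attr("alice", GROUP_DN))             # False: OpenLDAP user has no memberOf
    print(check_group_object("alice", GROUP_DN, FILTER))  # True: posixGroup lists memberUid alice
    print(check_group_object("bob", GROUP_DN, FILTER))    # False: bob is not in the group
```

The first call is the failure mode from the question: with the default attribute check the user's entry carries no memberOf, so the group is never found, while the group-object search succeeds only for the uid actually listed in the posixGroup.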

    Grumman (Author)
    New Member
    October 2, 2015

    Thanks for the reply Tomas!

    I have added the set group-member-check group-object & set group-object-filter (&(objectclass=posixgroup)(memberuid=*)) as suggested, but it did not make a difference...

    I have also changed set member-attr "MemberOf" to the corresponding LDAP group, which in this case is "WiFi-Users", but still no authentication...

    Any other thoughts?