FortiRack_Eric
New Member
October 3, 2007
Question

LDAP access with sAMAccountName

  • October 3, 2007
  • 13 replies
  • 29416 views
Hello all, has anyone had any luck and/or succeeded in using the sAMAccountName to login? I've succeeded using the UPN (Universal Principal Name) or 'Display Name', but the client wants to login using sAMAccountName. Thanks, Cheers, Eric

    13 replies

    New Contributor III
    December 4, 2007
    hi, a bit late, but maybe this still helps. I'm running 3.0MR5p2 (568) and have successfully configured that. I can login (IPSEC with XAUTH to MS-AD via LDAP in my case) with samaccountname, although it was a bit tricky because of the unclear documentation. Additionally, in my config group membership is checked. In short: you have to configure the cnid (cn) variable as samaccountname. In the CLI:
      config user ldap
          edit ad_ldap
              set server "dc.mydomain.at"
              set dn "DC=mydomain,DC=at"
              set cnid samaccountname
              set type regular
              set username "CN=ldapsearch,OU=toolbox,DC=mydomain,DC=at"
              set password xxx
              set group "CN=ipsecdialup,OU=toolbox,DC=mydomain,DC=at"
              set filter (&(objectcategory=group)(objectclass=group)(member=*))
          next
      end
    You have to provide a user (his DN) to search the LDAP tree (ldapsearch here) and the search base (dn var). Debug helped me a lot:
      diagnose debug application fnbamd -1
      diagnose debug enable
    regards
    osDxi
    New Member
    December 29, 2007
    hello, Many thanks for the info :) I have also setup IPSEC with XAuth as above and it is working, ... however on some occasions the authentication doesn't succeed the 1st time. I know the username and password are entered correctly because these have been saved, so the same credentials are used each time. I am using the FortiClient software to dial in remotely. I have also got this working with SSL VPNs and notice a similar issue. Has anybody else experienced similar issues? Kind Regards.
    osDxi
    New Member
    December 31, 2007
    Does anybody else experience a failed login attempt occasionally when using ssl vpn / ipsec (forticlient) when the XAuth is forwarded to an external LDAP server (e.g. Active Directory) ... even when the login credentials are entered correctly? I am testing with a Fortigate 60. Do you think this might be an issue with the hardware of the firewall? Kind Regards.
    osDxi
    New Member
    January 1, 2008
    I think I have found the reason. I was running Windows 2003 Server in a Virtual Machine. I have now installed this on its own dedicated box and am not seeing this issue any more :) Hope that may be useful for anybody else seeing similar issues in their testing. Regards.
    Carsten_Buchenau
    New Member
    January 7, 2008
    Just an add-on to wozu's explanation (Thanks!): It looks like the AD Server requires authentication (set type regular, username & password) if you query other LDAP attributes than CN - so for cnid=samaccountname, you HAVE to authenticate to the AD Server! Cheers, carsten
    fcb
    Visitor III
    February 5, 2008
    This is one fantastic thread!!!!!! Worked like a charm and saved me a ton of time.
    New Contributor III
    February 9, 2008
      set filter (&(objectcategory=group)(objectclass=group)(member=*))
    Great information, though I still cannot get authentication with Active Directory groups to work. I have created a new OU with two new groups with test accounts with the configuration from this thread. No luck. The debug looks like this:
      fnbamd_ldap.c[612] fnbamd_ldap_get_result-Going to SEARCH state
      fnbamd_fsm.c[933] poll_auth-Continue pending for req 10
      fnbamd_ldap.c[183] get_all_dn-Found no DN
      fnbamd_ldap.c[202] start_next_dn_bind-No more DN left
      fnbamd_ldap.c[555] fnbamd_ldap_get_result-No more DN
      fnbamd_ldap.c[686] fnbamd_ldap_get_result-Going to DONE state res=1
      fnbamd_auth.c[961] fnbamd_auth_poll-Result for ldap svr x.x.x.x is denied
      fnbamd_comm.c[128] fnbamd_comm_send_result-Sending result 1 for req 10
      authenticate 'groupatest' against 'SSLGroupA' failed!
    I successfully authenticate with LDAP against an OU without groups, but I need to be able to use group membership for different users. What am I missing? Thanks!
    New Contributor III
    February 11, 2008
      fnbamd_ldap.c[183] get_all_dn-Found no DN
      fnbamd_ldap.c[202] start_next_dn_bind-No more DN left
      fnbamd_ldap.c[555] fnbamd_ldap_get_result-No more DN
    Seems like you did not define the base to start the search from, i.e. the root of your LDAP directory, "DC=domain,DC=com"? You need that for searching through the tree... regards
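    The lookup that wozu's config and this reply describe can be modelled without a live domain controller. The block below is an added example, not code from the thread or from FortiOS: it models the three FortiGate bind types as I understand them (simple binds directly as `<cnid>=<login>,<dn>`; anonymous searches without binding; regular binds with the configured username/password, searches `(<cnid>=<login>)` under the base `dn`, binds as the DN found and then checks the configured group), using the DNs from the thread. DIRECTORY is a constructed in-memory stand-in for Active Directory and every password in it is made up. It shows why `cnid samaccountname` needs `type regular`, why an empty base `dn` produces exactly the "Found no DN" result quoted above, and how a login value is escaped before it goes into the search filter.

```python
"""Model of a FortiGate LDAP user lookup (added example, not FortiOS code).

regular : bind as the service account, search (<cnid>=<login>) under the
          base DN, bind as the DN found, then check group membership.
anonymous: same search but without a bind; AD refuses that by default.
simple  : no search at all; bind as "<cnid>=<login>,<dn>".
"""

# Constructed directory: DN -> attributes. Stands in for a real AD over LDAP.
DIRECTORY = {
    "CN=ldapsearch,OU=toolbox,DC=mydomain,DC=at": {
        "sAMAccountName": ["ldapsearch"], "userPassword": ["svc-secret"], "memberOf": []},
    "CN=Eric Example,OU=staff,DC=mydomain,DC=at": {
        "sAMAccountName": ["eric"], "userPassword": ["eric-pw"],
        "memberOf": ["CN=ipsecdialup,OU=toolbox,DC=mydomain,DC=at"]},
    "CN=Test Account,OU=staff,DC=mydomain,DC=at": {
        "sAMAccountName": ["groupatest"], "userPassword": ["test-pw"], "memberOf": []},
}

# Mirrors the thread's "config user ldap" entry (the password is constructed).
AD_LDAP = {
    "server": "dc.mydomain.at",
    "dn": "DC=mydomain,DC=at",
    "cnid": "samaccountname",
    "type": "regular",
    "username": "CN=ldapsearch,OU=toolbox,DC=mydomain,DC=at",
    "password": "svc-secret",
    "group": "CN=ipsecdialup,OU=toolbox,DC=mydomain,DC=at",
}


def escape_filter_value(value):
    """RFC 4515 escaping so a login such as 'a*b' cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(attr, login):
    return "(%s=%s)" % (attr, escape_filter_value(login))


def bind(dn, password):
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry["userPassword"]


def search(base_dn, attr, value, authenticated):
    """DNs under base_dn whose attr equals value (attribute names and values
    compare case-insensitively, as in LDAP)."""
    if not authenticated or not base_dn:
        # AD refuses unauthenticated searches; an empty base gives nothing to search.
        return []
    suffix = base_dn.lower()
    hits = []
    for dn, attrs in DIRECTORY.items():
        values = [v.lower() for k, vs in attrs.items() if k.lower() == attr.lower() for v in vs]
        if dn.lower().endswith(suffix) and value.lower() in values:
            hits.append(dn)
    return hits


def authenticate(cfg, login, password):
    """Return (ok, detail), where detail names the step that decided the result."""
    cnid, base = cfg["cnid"], cfg.get("dn", "")
    if cfg.get("type") == "simple":
        dn = "%s=%s,%s" % (cnid, login, base)      # no search: the DN is assembled
        return (True, dn) if bind(dn, password) else (False, "bind as %s failed" % dn)
    authenticated = False
    if cfg.get("type") == "regular":
        authenticated = bind(cfg["username"], cfg["password"])
        if not authenticated:
            return False, "service account bind failed"
    dns = search(base, cnid, login, authenticated)
    if not dns:
        return False, "Found no DN"                 # the line seen in fnbamd debug
    if len(dns) > 1:
        return False, "ambiguous: %d entries match %s" % (len(dns), build_filter(cnid, login))
    user_dn = dns[0]
    if not bind(user_dn, password):
        return False, "user bind as %s failed" % user_dn
    group = cfg.get("group")
    if group and group.lower() not in [g.lower() for g in DIRECTORY[user_dn]["memberOf"]]:
        return False, "%s is not a member of %s" % (user_dn, group)
    return True, user_dn


if __name__ == "__main__":
    for label, cfg, user, pw in [
        ("regular, group member", AD_LDAP, "eric", "eric-pw"),
        ("regular, not in group", AD_LDAP, "groupatest", "test-pw"),
        ("regular, no base dn", dict(AD_LDAP, dn=""), "eric", "eric-pw"),
        ("anonymous", dict(AD_LDAP, type="anonymous"), "eric", "eric-pw"),
        ("simple + samaccountname", dict(AD_LDAP, type="simple"), "eric", "eric-pw"),
    ]:
        print("%-26s -> %s" % (label, authenticate(cfg, user, pw)))
```

    The "regular, no base dn" and "anonymous" cases both end in "Found no DN" for different reasons, which is why the debug output alone does not tell you whether the base `dn` or the bind type is wrong; check both before changing the group filter.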
    CfSi_Dan
    New Member
    April 6, 2008
    Followed the directions as outlined in this thread. (Thanks for those!) Here is what I got from the diag command:
      fnbamd_fsm.c[934] handle_req-Rcvd 7 req
      fnbamd_acct.c[274] fnbamd_acct_start_STOP-Invalid params
      fnbamd_fsm.c[443] create_acct_session-Error start acct type 7
      fnbamd_fsm.c[939] handle_req-Error creating acct session 7
    Here's what the config looks like for me:
      show config user ldap
      edit "xxxxx.com"
          set server "192.168.xxx.xxx"
          set cnid "samaccountname"
          set dn "DC=xxxxx,DC=xxxxx"
          set type regular
          set username "CN=ldap,CN=Users,DC=xxxxx,DC=xxxx"
          set password ENC 9yLWW7OgSLo19Y+NBvb3saYDNQauMQKkQgJtgjnQnexYE0I7xAyXEf9AAWvHYw7Va654BUFIjfRi3MP82cgaldQZz8nXal7O1hBPDHY1F9ZOzrTn
          set group "cn=ldap_query,CN=Users,DC=xxxxx,DC=xxxxxx"
          set filter "(&(objectcategory=group)(objectclass=group)(member=*))"
      next
      end
    Any ideas on what I'm missing? Thanks for your help in advance.
    New Contributor III
    April 7, 2008
      fnbamd_fsm.c[934] handle_req-Rcvd 7 req
      fnbamd_acct.c[274] fnbamd_acct_start_STOP-Invalid params
      fnbamd_fsm.c[443] create_acct_session-Error start acct type 7
      fnbamd_fsm.c[939] handle_req-Error creating acct session 7
    Never seen that, but my interpretation would be that it never comes to a connection to the LDAP server because of an error before. Maybe wrong group/user setup on the FGT? So the posted config would never come into play, although it looks correct... regards