Altice
New Member
November 28, 2024
Question

LDAP AD Groups sequence validation

  • November 28, 2024
  • 2 replies
  • 810 views

Hello guys,

So basically my client wants to know if there is a way to force the FortiGate to validate an AD group prior to all others, so that the users in that group (who also belong to other groups) get the permissions set in that first group.

He wants to know if there is any sequence in which the FortiGate does that, and if so, how is it done, by alphabetical order?

As an example, would /VPN GRUPO ANF/AD_VALIDA be verified before /VPN GRUPO ANF/BD_VALIDA?
Thanks

2 replies

Renante_Era
Staff
November 28, 2024

The connection is permitted based on the firewall policy, which is evaluated from top to bottom. Let's say that an end user logs in to SSL VPN and authentication was done through LDAP.
FortiGate forwards the credentials to the actual LDAP server, which performs the actual validation.

Altice
Author
New Member
December 2, 2024

Thank you so much for the reply Renante

sjoshi
Staff
December 2, 2024

Hi,

You can set up the user group on the firewall policy and it will search from top to bottom.

Further, while creating the user group and selecting the remote server, an LDAP filter can be used to select a specific CN.

Thanks, Salon