Wayne11
Explorer
September 3, 2013
Question

LDAP Auth only works with Pre-Win2K username

  • September 3, 2013
  • 3 replies
  • 5328 views
Hi guys,

After we went to 5.0.4 we want to implement LDAP authentication for our SSL VPN users. A big problem we found: it's only possible to authenticate with the "Pre-Windows 2000" user credentials. With the normal AD username it's not possible.

For example, all our users have a username like this: m.name followed by the domain @example.ads, and the old Pre-Windows 2000 username is just the initials of each user, like mn in this example. So domain followed by the username: "domain\mn".

When we test the LDAP authentication for the users, we can authenticate only with the Pre-Windows 2000 username:

    Fortigate-110C # diag test authserver ldap AD1 mn password
    authenticate 'mn' against 'AD1' succeeded!

    Fortigate-110C # diag test authserver ldap AD1 m.name password
    authenticate 'm.name' against 'AD1' failed!

    Fortigate-110C # diag test authserver ldap AD1 m.name@domain.ads password
    authenticate 'm.name@domain.ads' against 'AD1' failed!

Any suggestions?


    Wayne11
    Wayne11Author
    Explorer
    September 3, 2013
    If we set cnid "userPrincipalName" on the LDAP server we can't authenticate; it works only with "sAMAccountName". Has anyone got it to work with the UPN?

        Fortigate-110C (BACKUP) # get
        name                : BACKUP
        server              : 172.17.36.50
        secondary-server    :
        tertiary-server     :
        source-ip           : 0.0.0.0
        cnid                : userPrincipalName
        dn                  : DC=domain,DC=ads
        port                : 389
        type                : regular
        username            : CN=ldap,OU=Dienstkonten,OU=Benutzer,OU=Gellen,DC=domain,DC=ads
        password            : *
        group-member-check  : user-attr
        secure              : disable
        password-expiry-warning: disable
        password-renewal    : disable
        member-attr         : memberOf
    Wayne11
    Wayne11Author
    Explorer
    September 5, 2013
    Finally I've got it to work. We had to create the user on the FG with the full principal name as well!!! If I create a user like m.name@domain.com and link it to the LDAP server with configured Common Name Identifier "userPrincipalName", then it works!
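    The behaviour seen in the question and in this reply can be reproduced offline. The following Python script is an added illustration, not FortiOS code and not part of the thread: it simulates a "regular" type LDAP server entry (bind with the service account, search `cnid=<login>` under the base DN, then bind as the entry found) against a constructed in-memory directory with one user whose sAMAccountName is `mn` and whose userPrincipalName is `m.name@domain.ads`. The directory contents, passwords and group DN are made up; the service-account bind is assumed to succeed. It also escapes the login name per RFC 4515 before it goes into the search filter, which is the check a real integration must not skip.

```python
"""Simulated FortiGate-style "regular" LDAP lookup (added example, constructed data)."""

# Constructed stand-in for the AD directory, keyed by DN. The _password field
# exists only so the toy "user bind" step can be checked; a real directory
# never exposes passwords to a search.
DIRECTORY = {
    "CN=m.name,OU=Benutzer,DC=domain,DC=ads": {
        "sAMAccountName": "mn",
        "userPrincipalName": "m.name@domain.ads",
        "memberOf": ["CN=sslvpn-users,OU=Gruppen,DC=domain,DC=ads"],  # constructed
        "_password": "password",  # constructed
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user-supplied login name cannot alter the filter."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(cnid: str, login: str) -> str:
    """The search filter the appliance sends: (<cnid>=<escaped login>)."""
    return f"({cnid}={escape_filter_value(login)})"


def search(base_dn: str, cnid: str, login: str) -> list:
    """Return DNs under base_dn whose cnid attribute equals login.

    AD compares these attributes case-insensitively, so the toy does too.
    """
    matches = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith(base_dn.lower()):
            continue  # outside the configured search base
        if attrs.get(cnid, "").lower() == login.lower():
            matches.append(dn)
    return matches


def authenticate(cnid: str, base_dn: str, login: str, password: str):
    """Two-step flow: search with the service account, then bind as the user.

    Returns (True, user_dn) on success, (False, reason) otherwise.
    """
    dns = search(base_dn, cnid, login)
    if len(dns) != 1:
        # No entry (or an ambiguous one) for this cnid: the bind never happens,
        # which is what "failed!" looks like in `diag test authserver ldap`.
        return False, f"no unique entry for {build_filter(cnid, login)}"
    user_dn = dns[0]
    if DIRECTORY[user_dn]["_password"] != password:
        return False, f"bind as {user_dn} failed"
    return True, user_dn


if __name__ == "__main__":
    base = "DC=domain,DC=ads"
    for cnid, login in [
        ("sAMAccountName", "mn"),
        ("sAMAccountName", "m.name"),
        ("sAMAccountName", "m.name@domain.ads"),
        ("userPrincipalName", "m.name@domain.ads"),
        ("userPrincipalName", "m.name"),
    ]:
        ok, detail = authenticate(cnid, base, login, "password")
        print(f"cnid={cnid:<18} login={login:<20} -> {'OK' if ok else 'FAIL'} ({detail})")
```

    With `cnid=sAMAccountName` only `mn` resolves; with `cnid=userPrincipalName` only the full `m.name@domain.ads` resolves, and a bare `m.name` matches nothing because the attribute value in AD carries the domain suffix. The simulation covers the directory side only; the extra requirement the reply describes, that the local FortiGate user object must itself carry the full UPN, is a matching step on the appliance that this toy does not model.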
    Dipen
    New Member
    September 27, 2013
    Hi. Does that mean if I have 1000 users in the AD domain, then I have to create 1000 users locally in the FortiGate? You already needed to do that for assigning FortiToken to AD users... Now I come to know that setting CNID to userPrincipalName doesn't work either.