Piotras
New Member
October 9, 2014
Solved

LDAP Query

I have configured authentication for FSSO and I want to create a report in FortiAnalyzer where the user belongs to a particular group or organizational unit. Theoretically, I may use an LDAP Query; however, it is nowhere described what the benefit of this is. Does anyone know how this works?

FortiGate 5.2
FortiAnalyzer 5.2
FSSO 4.3.0156 - AD access mode: standard

Regards
    Best answer by hzhao_FTNT

    Yes, we verified it OK on the 5.6.1 release.

    3 replies

    hzhao_FTNT
    Staff
    October 9, 2014
    1. Add and configure an LDAP server in the GUI; please refer to http://docs.fortinet.com/d/fortianalyzer-5.2.0-administration-guide (Page 83).
    2. More advanced settings for the LDAP server are available in the CLI if needed; please refer to http://docs.fortinet.com/d/fortianalyzer-5.2.0-cli-reference (Page 34).
    3. Enable LDAP query and apply the group filter in the report settings: http://docs.fortinet.com/d/fortianalyzer-5.2.0-administration-guide (Page 170).
    4. Run the report.

    Regards,
    hz
    Piotras (Author)
    New Member
    October 10, 2014
    That's what I did, but it didn't work. I ran a sniffer on the FAZ, and when I run the report I don't see any traffic to Active Directory.

    config system admin ldap
        edit "Test"
            set server "10.48.7.100"
            set cnid "cn"
            set dn "DC=domena,DC=wew"
            set type regular
            set username "CN=sc_FG,OU=Fortigate,OU=Systemy,DC=domena,DC=wew"
            set password ENC *
            set adom "all_adoms"
        next
    end
    hzhao_FTNT
    Staff
    October 10, 2014
    Hi Piotras,

    1. Please check if you can query the distinguished name in the GUI.
    2. Please check the LDAP server config again under the CLI:

    conf sys admin ldap
        edit test
            get

    If filter and attributes are none, please set a proper value according to your LDAP server config, for example:

            set filter (|(objectclass=person)(objectclass=user))
            set attributes member,uniquemember
    end

    3. Please disable case change; this feature is not functional because of a bug.

    Regards,
    hz
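    To make the interplay of the two settings above concrete, here is a small added example (not from this thread or from Fortinet): a minimal evaluator for an LDAP search filter such as `(|(objectclass=person)(objectclass=user))`, applied to the DNs listed in a group's `member`/`uniquemember` attributes. The directory entries, group name and DNs are constructed for the demo; it shows which group members the filter would keep and which it would drop, and it also handles `&` and `!` filters.

```python
# Added example, not the thread's or Fortinet's code: a minimal LDAP filter
# evaluator (equality, &, |, !) run over constructed directory entries.
from typing import Dict, List

# Constructed sample directory: one group whose "member" attribute lists DNs.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=Admins,OU=Groups,DC=example,DC=local": {
        "objectclass": ["top", "group"],
        "member": ["CN=alice,OU=Users,DC=example,DC=local",
                   "CN=svc_fgt,OU=Service,DC=example,DC=local"],
    },
    "CN=alice,OU=Users,DC=example,DC=local": {"objectclass": ["top", "person", "user"]},
    "CN=svc_fgt,OU=Service,DC=example,DC=local": {"objectclass": ["top", "user"]},
    "CN=printer1,OU=Devices,DC=example,DC=local": {"objectclass": ["top", "device"]},
}

def parse_filter(s: str, i: int = 0):
    """Parse a filter like (|(objectclass=person)(objectclass=user)) into a tree."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|!":                       # composite filter with child filters
        op, children, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            children.append(node)
        assert s[i] == ")", "unbalanced filter"
        return (op, children), i + 1
    end = s.index(")", i)                   # simple equality: attr=value
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), value), end + 1

def matches(node, entry: Dict[str, List[str]]) -> bool:
    """Evaluate a parsed filter against one entry; attribute values compared case-insensitively."""
    op = node[0]
    if op == "=":
        return node[2].lower() in [v.lower() for v in entry.get(node[1], [])]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    return not matches(node[1][0], entry)   # "!" has exactly one child

def group_members(group_dn: str, ldap_filter: str,
                  attributes=("member", "uniquemember")) -> List[str]:
    """DNs from the group's membership attributes that also satisfy the filter."""
    tree, _ = parse_filter(ldap_filter)
    listed = [dn for a in attributes for dn in DIRECTORY.get(group_dn, {}).get(a, [])]
    return [dn for dn in listed if dn in DIRECTORY and matches(tree, DIRECTORY[dn])]

if __name__ == "__main__":
    print(group_members("CN=Admins,OU=Groups,DC=example,DC=local",
                        "(|(objectclass=person)(objectclass=user))"))
```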
    Piotras (Author)
    New Member
    October 12, 2014
    Ad. 1: I can query the distinguished name from the GUI.

    Ad. 2: This is the LDAP configuration from the CLI:

    (Test)# get
    name            : Test
    server          : 10.48.7.100
    cnid            : cn
    dn              : DC=domain,DC=local
    port            : 389
    type            : regular
    username        : *
    password        : *
    group           : (null)
    filter          : (|(objectclass=person)(objectclass=user))
    attributes      : member,uniquemember
    secure          : disable
    connect-timeout : 500
    adom:
    == [ all_adoms ]
    adom-name: all_adoms

    Ad. 3: I disabled case change, but nothing has changed.

    Does this functionality definitely work correctly in version 5.2?
    hzhao_FTNT
    Staff
    October 14, 2014
    Hi Piotras,

    The basic LDAP feature should be working OK in 5.2.0 B618. Could you open a customer ticket and post your ticket number here? We may need to look into your case more closely.

    Regards,
    hz