mikaellorenzo12
New Member
September 23, 2019
Question

Policy not working on connected Zentyal LDAP server


We have already connected the AD of the Zentyal server using LDAP, but the policy is not working for the users. We use the FSSO client for the connection, but the FSSO client can't see the logged-on users.


Can someone help me? Thanks!

    1 reply

    xsilver_FTNT
    Staff
    September 23, 2019

    Hi,

    How about a more complete config overview or some config snippets?

    It's completely unclear whether your policy is a normal firewall policy or an explicit proxy policy, whether the group you mentioned is of LDAP or FSSO type, and also what is supposed to be authenticated with that group.


    If it's FSSO, then you first need to get authenticated somewhere where the SSO Agent or Collector can spot and process the logon, create the respective FSSO user record on the collector, and push it to the connected FortiGates.

    So if the group is FSSO, then you should have users in 'diag debug auth fsso list' and, as fsso type, in 'diag fire auth list'. If you do not have FSSO users, then there is a problem in the SSO setup.


    If you use those groups in any active auth for VPN or WLC, then those cannot be SSO.

    mikaellorenzo12
    New Member
    September 24, 2019

    I can see my DC, so my FortiGate and AD server are connected, but I can't see who is logged on. The only thing I do in my FortiGate is the LDAP connection, and I followed all the tutorials online; I don't know why I can't see the users who logged in.

    xsilver_FTNT
    Staff
    September 24, 2019

    If you have just one DC, 192.168.3.13, then I would guess that you do not audit successful logons on the DC.

    If you have more than this one DC (192.168.3.13) handling your domain and you run in DCAgent mode, as the presence of the agent suggests, then you need DCAgents installed on all the DC servers.

    If you run 'ping -4 -n 2 %logonserver:~2%' from your workstation, then you should see the IP of the DC used by the workstation for login verification. So if you do see 192.168.3.13, then the logon server was chosen OK and you should also see user logon data in the Windows Security event log. If you do not see any logon event, then auditing is disabled.
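To check the two points xsilver_FTNT raises (which DC the workstation actually used for logon, and whether that DC records successful logons for the DC Agent to pick up), here is an added PowerShell diagnostic; it is not from the thread and not Fortinet's own tooling. It assumes the standard layout of Windows Security event 4624 (TargetUserName at property index 5, IpAddress at index 18) and the 'Logon' audit subcategory name; run it with -Role Workstation on a client, then with -Role DC on the DC it names.

```powershell
# Added diagnostic (not from the thread). Step 1 runs on the workstation,
# step 2 on the DC it names (192.168.3.13 in the thread).
param(
    [ValidateSet('Workstation', 'DC')]
    [string]$Role = 'Workstation',
    [int]$Hours = 1
)

if ($Role -eq 'Workstation') {
    # %LOGONSERVER% is "\\DCNAME"; strip the backslashes like %logonserver:~2% does.
    $dc = $env:LOGONSERVER.TrimStart('\')
    Write-Host "Logon server for this session: $dc"
    # Same probe as in the thread; the IP shown must be a DC that runs a DC Agent.
    ping -4 -n 2 $dc
    return
}

# --- On the DC ---
# DC Agent mode only sees logons the DC records, so the 'Logon' audit
# subcategory must include Success. /r gives CSV output we can parse.
$audit   = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv
$setting = $audit.'Inclusion Setting'
Write-Host "Audit policy 'Logon': $setting"
if ($setting -notmatch 'Success') {
    Write-Warning "Successful logons are not audited; the DC Agent has nothing to report."
}

# Event ID 4624 = successful logon. List recent ones with account and source IP.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No 4624 events in the last $Hours hour(s): check the audit policy above or the DC choice."
    return
}
$events |
    ForEach-Object {
        # Assumed 4624 layout: index 5 = TargetUserName, index 18 = IpAddress.
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $_.Properties[5].Value
            IpAddress = $_.Properties[18].Value
        }
    } |
    Where-Object { $_.User -notlike '*$' } |   # drop computer accounts
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

If the DC step shows 'No Auditing' or no 4624 entries, fixing the audit policy comes before any FortiGate-side troubleshooting; if users appear here but not in 'diag debug auth fsso list', the gap is between the DC Agent and the collector.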