anoushiravan
Staff
Article Id 301679
Description This article describes how to resolve LDAP login issues when wildcard admin profiles are used. When multiple wildcard admin profiles are enabled on FortiGate, only one of them is checked during authentication. A remote user must therefore be a member of the LDAP group enabled under that wildcard admin profile; otherwise, the user is unable to log in to FortiGate.
Scope FortiGate.
Solution

FortiGate does not support multiple wildcard admin profiles on FortiOS.
The user must be a member of the LDAP group that has been enabled under the wildcard admin profile.

Only a single wildcard admin should be configured for each VDOM; otherwise, authentication is performed only against the group whose name sorts first alphabetically. A 'Global wildcard admin user' is present in all VDOMs, so if its group name places it first in the list, it is the only one matched for wildcard users. This is also true when wildcard users refer to user groups that belong to different servers (RADIUS, LDAP, or TACACS). It is recommended to configure each firewall administrator as a 'remote' user with 'Match a user on remote server Group'.

Below is an example of an admin configuration with two different wildcard admin profiles, followed by the authentication result seen in the debug output when logging in to the GUI with two different LDAP usernames:

config user ldap
    edit "fortiserver.com"
        set server "10.181.3.175"
        set cnid "sAMAccountName"
        set dn "dc=fortiserver,dc=com"
        set type regular
        set username "fortiserver\\Administrator"
        set password <password>
    next
end

config system admin
    edit "ldap.admins-1"
        set remote-auth enable
        set accprofile "prof_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "ldap.group-1"
    next
    edit "ldap.admins-2"
        set remote-auth enable
        set accprofile "prof_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "ldap.group-2"
    next
end

config user group
    edit "ldap.group-1"
        set member "fortiserver.com"
        config match
            edit 1
                set server-name "fortiserver.com"
                set group-name "CN=ldap.group,DC=fortiserver,DC=com"
            next
        end
    next
    edit "ldap.group-2"
        set member "fortiserver.com"
        config match
            edit 1
                set server-name "fortiserver.com"
                set group-name "CN=radius.groups,DC=fortiserver,DC=com"
            next
        end
    next
end

Testing LDAP authentication from the CLI shows that the LDAP users 'zilan' and 'shah' are members of different LDAP groups:

diagnose test authserver ldap fortiserver.com zilan Zi569896ytrfin
authenticate 'zilan' against 'fortiserver.com' succeeded!
Group membership(s) - CN=fsso.group,DC=fortiserver,DC=com
CN=ldap.group,DC=fortiserver,DC=com

diagnose test authserver ldap fortiserver.com shah kh52648tyhjopt
authenticate 'shah' against 'fortiserver.com' succeeded!
Group membership(s) - CN=radius.groups,DC=fortiserver,DC=com

Enable debugging via the CLI:

diagnose debug disable
diagnose debug reset
diagnose debug application fnbamd -1
Debug messages will be on for 30 minutes.

diagnose debug application httpsd -1
Debug messages will be on for 30 minutes.

diagnose debug console timestamp enable
diagnose debug enable

When the user logs in to the GUI with the LDAP username 'zilan', FortiGate checks only the LDAP group enabled under the first wildcard admin profile, 'ldap.admins-1' (note the auth request for 'zilan in ldap.group-1'):

Spoke1-Master (global) # 2024-02-27 17:55:45 [httpsd 25543 - 1709052945 info] fweb_debug_init[417] -- New POST request for "/logincheck" from "172.26.61.48:59021"
2024-02-27 17:55:45 [httpsd 25543 - 1709052945 info] fweb_debug_init[419] -- User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0"
2024-02-27 17:55:45 [httpsd 25543 - 1709052945 info] fweb_debug_init[421] -- Handler "logincheck-handler" assigned to request
2024-02-27 17:55:45 [httpsd 25543 - 1709052945 info] logincheck_handler[421] -- entering vdom for login_attempt (vdom='root')
2024-02-27 17:55:45 [1916] handle_req-Rcvd auth req 1866462246 for zilan in ldap.group-1 opt=00014001 prot=11 <<<----------
2024-02-27 17:55:45 [475] __compose_group_list_from_req-Group 'ldap.group-1', type 1
2024-02-27 17:55:45 [616] fnbamd_pop3_start-zilan <<<----------
2024-02-27 17:55:45 [378] radius_start-Didn't find radius servers (0)
2024-02-27 17:55:45 [754] auth_tac_plus_start-Didn't find tac_plus servers (0)
2024-02-27 17:55:45 [1717] fnbamd_ldap_init-search filter is: sAMAccountName=zilan
2024-02-27 17:55:45 [1727] fnbamd_ldap_init-search base is: dc=fortiserver,dc=com
2024-02-27 17:55:45 [1149] __fnbamd_ldap_dns_cb-Resolved fortiserver.com:10.125.3.175 to 10.125.3.175, cur stack size:1
2024-02-27 17:55:45 [924] __fnbamd_ldap_get_next_addr-
2024-02-27 17:55:45 [1154] __fnbamd_ldap_dns_cb-Connection starts fortiserver.com:10.125.3.175, addr 10.125.3.175
2024-02-27 17:55:45 [879] __fnbamd_ldap_start_conn-Still connecting 10.125.3.175.

Then, when the user logs in to the GUI with the LDAP username 'shah', FortiGate again checks only the LDAP group enabled under the first wildcard admin profile, 'ldap.admins-1', and ignores the other wildcard admin profile, 'ldap.admins-2', so 'shah' is never matched against 'ldap.group-2':

Spoke1-Master (root) # 2024-02-27 18:00:26 [httpsd 25586 - 1709053226 info] fweb_debug_init[417] -- New POST request for "/logincheck" from "172.26.61.48:59285"
2024-02-27 18:00:26 [httpsd 25586 - 1709053226 info] fweb_debug_init[419] -- User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0"
2024-02-27 18:00:26 [httpsd 25586 - 1709053226 info] fweb_debug_init[421] -- Handler "logincheck-handler" assigned to request
2024-02-27 18:00:26 [httpsd 25586 - 1709053226 info] logincheck_handler[421] -- entering vdom for login_attempt (vdom='root')
2024-02-27 18:00:26 [1916] handle_req-Rcvd auth req 1866462250 for shah in ldap.group-1 opt=00014001 prot=11 <<<----------
2024-02-27 18:00:26 [475] __compose_group_list_from_req-Group 'ldap.group-1', type 1
2024-02-27 18:00:26 [616] fnbamd_pop3_start-shah <<<----------
2024-02-27 18:00:26 [378] radius_start-Didn't find radius servers (0)
2024-02-27 18:00:26 [754] auth_tac_plus_start-Didn't find tac_plus servers (0)
2024-02-27 18:00:26 [1717] fnbamd_ldap_init-search filter is: sAMAccountName=shah
2024-02-27 18:00:26 [1727] fnbamd_ldap_init-search base is: dc=fortiserver,dc=com
2024-02-27 18:00:26 [1149] __fnbamd_ldap_dns_cb-Resolved fortiserver.com:10.125.3.175 to 10.125.3.175, cur stack size:1
2024-02-27 18:00:26 [924] __fnbamd_ldap_get_next_addr-
2024-02-27 18:00:26 [1154] __fnbamd_ldap_dns_cb-Connection starts fortiserver.com:10.125.3.175, addr 10.125.3.175
2024-02-27 18:00:26 [879] __fnbamd_ldap_start_conn-Still connecting 10.125.3.175.
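The following Python script is an added example, not part of this article and not FortiOS code. It parses the `config system admin` block shown above, reports VDOMs where more than one wildcard admin is configured (the extra entries are never consulted), and predicts the login outcome for 'zilan' and 'shah' from the group memberships returned by `diagnose test authserver`. It assumes the alphabetical ordering the article describes applies to the admin entry name (in this configuration the admin names and their remote groups sort the same way); the user-group-to-DN mapping is copied from the `config user group` block.

```python
import re

# Constructed input, copied from this article's `config system admin` / `config user group`.
ADMIN_CONFIG = """\
config system admin
    edit "ldap.admins-1"
        set vdom "root"
        set wildcard enable
        set remote-group "ldap.group-1"
    next
    edit "ldap.admins-2"
        set vdom "root"
        set wildcard enable
        set remote-group "ldap.group-2"
    next
end
"""
USER_GROUP_DN = {"ldap.group-1": "CN=ldap.group,DC=fortiserver,DC=com",
                 "ldap.group-2": "CN=radius.groups,DC=fortiserver,DC=com"}
_EDIT = re.compile(r'^\s*edit\s+"([^"]+)"')
_SET = re.compile(r'^\s*set\s+(\S+)\s+"?([^"]*?)"?\s*$')

def parse_admins(text):
    """Return {admin_name: {setting: value}} for each `edit ... next` entry."""
    admins, cur = {}, None
    for line in text.splitlines():
        if m := _EDIT.match(line):
            cur = admins.setdefault(m.group(1), {})
        elif cur is not None and (m := _SET.match(line)):
            cur[m.group(1)] = m.group(2)
    return admins

def wildcard_admins_by_vdom(admins):
    """Wildcard admins per VDOM, sorted by name; only the first is ever consulted (assumed rule)."""
    by_vdom = {}
    for name, s in admins.items():
        if s.get("wildcard") == "enable":
            by_vdom.setdefault(s.get("vdom", "global"), []).append(name)
    return {v: sorted(n) for v, n in by_vdom.items()}

def predict_login(admins, vdom, user_dns):
    """(admin entry actually checked, can_log_in) for a remote user whose LDAP groups are user_dns."""
    names = wildcard_admins_by_vdom(admins).get(vdom, [])
    first = names[0] if names else None
    wanted = USER_GROUP_DN.get(admins.get(first, {}).get("remote-group"))
    return first, wanted is not None and wanted in user_dns

def ignored_wildcard_admins(admins):
    """VDOMs with several wildcard admins -> the entries FortiGate never checks."""
    return {v: n[1:] for v, n in wildcard_admins_by_vdom(admins).items() if len(n) > 1}
```

Running `ignored_wildcard_admins(parse_admins(ADMIN_CONFIG))` on a full configuration backup is a quick way to spot VDOMs where this issue will bite before an administrator is locked out.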