FortiOS does not support multiple wildcard admin profiles on a FortiGate. When matching a remote admin login, FortiGate evaluates only one wildcard admin profile and ignores the other wildcard admin profiles, so the user must be a member of the LDAP group referenced by that single wildcard admin profile.
The example below shows an admin configuration with two wildcard admin profiles, together with the debug output observed when logging in to the GUI with two different LDAP usernames:
config user ldap
    edit "fortiserver.com"
        set server "10.181.3.175"
        set cnid "sAMAccountName"
        set dn "dc=fortiserver,dc=com"
        set type regular
        set username "fortiserver\\Administrator"
        set password ENC MTAwNEK0nZ4AzN4lxgeilv4W+c21JQ2cMJEluyJDEZmbEtwhA6Ca1wfq121gam7/KrAA+I5zjDqTqn/KvG6/3eLMcxQXVkDRVcvb750NbyWEKHiRBlvdUC8dp+nCENuqShKcS4WSJKB9wXSZAZbXrAU4WoYxb3PrVwsMb0XIMMR+Sy8H9t+Z/o4/yr1i8+OIQcCxZw==
    next
end

config system admin
    edit "ldap.admins-1"
        set remote-auth enable
        set accprofile "prof_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "ldap.group-1"
    next
    edit "ldap.admins-2"
        set remote-auth enable
        set accprofile "prof_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "ldap.group-2"
    next
end

config user group
    edit "ldap.group-1"
        set member "fortiserver.com"
        config match
            edit 1
                set server-name "fortiserver.com"
                set group-name "CN=ldap.group,DC=fortiserver,DC=com"
            next
        end
    next
    edit "ldap.group-2"
        set member "fortiserver.com"
        config match
            edit 1
                set server-name "fortiserver.com"
                set group-name "CN=radius.groups,DC=fortiserver,DC=com"
            next
        end
    next
end
The LDAP authentication test shows that the LDAP users 'zilan' and 'shah' are members of different LDAP groups:

di test authserver ldap fortiserver.com zilan Zi569896ytrfin
authenticate 'zilan' against 'fortiserver.com' succeeded!
Group membership(s) - CN=fsso.group,DC=fortiserver,DC=com
                      CN=ldap.group,DC=fortiserver,DC=com

di test authserver ldap fortiserver.com shah kh52648tyhjopt
authenticate 'shah' against 'fortiserver.com' succeeded!
Group membership(s) - CN=radius.groups,DC=fortiserver,DC=com
Enable debugging via the CLI:

di de dis
di de reset
di de app fnbamd -1
Debug messages will be on for 30 minutes.
di de app httpsd -1
Debug messages will be on for 30 minutes.
di de cons time en
di de en
Once the user tries to log in to the GUI using the LDAP username 'zilan', FortiGate checks only the LDAP group enabled under the first wildcard admin profile 'ldap.admins-1':

Spoke1-Master (global) #
2024-02-27 17:55:45 [httpsd 25543 - 1709052945 info] fweb_debug_init[417] -- New POST request for "/logincheck" from "172.26.61.48:59021"
2024-02-27 17:55:45 [httpsd 25543 - 1709052945 info] fweb_debug_init[419] -- User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0"
2024-02-27 17:55:45 [httpsd 25543 - 1709052945 info] fweb_debug_init[421] -- Handler "logincheck-handler" assigned to request
2024-02-27 17:55:45 [httpsd 25543 - 1709052945 info] logincheck_handler[421] -- entering vdom for login_attempt (vdom='root')
2024-02-27 17:55:45 [1916] handle_req-Rcvd auth req 1866462246 for zilan in ldap.group-1 opt=00014001 prot=11 <<<----------
2024-02-27 17:55:45 [475] __compose_group_list_from_req-Group 'ldap.group-1', type 1
2024-02-27 17:55:45 [616] fnbamd_pop3_start-zilan <<<----------
2024-02-27 17:55:45 [378] radius_start-Didn't find radius servers (0)
2024-02-27 17:55:45 [754] auth_tac_plus_start-Didn't find tac_plus servers (0)
2024-02-27 17:55:45 [1717] fnbamd_ldap_init-search filter is: sAMAccountName=zilan
2024-02-27 17:55:45 [1727] fnbamd_ldap_init-search base is: dc=fortiserver,dc=com
2024-02-27 17:55:45 [1149] __fnbamd_ldap_dns_cb-Resolved fortiserver.com:10.125.3.175 to 10.125.3.175, cur stack size:1
2024-02-27 17:55:45 [924] __fnbamd_ldap_get_next_addr-
2024-02-27 17:55:45 [1154] __fnbamd_ldap_dns_cb-Connection starts fortiserver.com:10.125.3.175, addr 10.125.3.175
2024-02-27 17:55:45 [879] __fnbamd_ldap_start_conn-Still connecting 10.125.3.175.
Then, when the user tries to log in to the GUI using the LDAP username 'shah', FortiGate again checks only the LDAP group enabled under the first wildcard admin profile 'ldap.admins-1' and ignores the other wildcard admin profile 'ldap.admins-2', even though 'shah' is a member of the group that 'ldap.admins-2' references:

Spoke1-Master (root) #
2024-02-27 18:00:26 [httpsd 25586 - 1709053226 info] fweb_debug_init[417] -- New POST request for "/logincheck" from "172.26.61.48:59285"
2024-02-27 18:00:26 [httpsd 25586 - 1709053226 info] fweb_debug_init[419] -- User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0"
2024-02-27 18:00:26 [httpsd 25586 - 1709053226 info] fweb_debug_init[421] -- Handler "logincheck-handler" assigned to request
2024-02-27 18:00:26 [httpsd 25586 - 1709053226 info] logincheck_handler[421] -- entering vdom for login_attempt (vdom='root')
2024-02-27 18:00:26 [1916] handle_req-Rcvd auth req 1866462250 for shah in ldap.group-1 opt=00014001 prot=11 <<<----------
2024-02-27 18:00:26 [475] __compose_group_list_from_req-Group 'ldap.group-1', type 1
2024-02-27 18:00:26 [616] fnbamd_pop3_start-shah <<<----------
2024-02-27 18:00:26 [378] radius_start-Didn't find radius servers (0)
2024-02-27 18:00:26 [754] auth_tac_plus_start-Didn't find tac_plus servers (0)
2024-02-27 18:00:26 [1717] fnbamd_ldap_init-search filter is: sAMAccountName=shah
2024-02-27 18:00:26 [1727] fnbamd_ldap_init-search base is: dc=fortiserver,dc=com
2024-02-27 18:00:26 [1149] __fnbamd_ldap_dns_cb-Resolved fortiserver.com:10.125.3.175 to 10.125.3.175, cur stack size:1
2024-02-27 18:00:26 [924] __fnbamd_ldap_get_next_addr-
2024-02-27 18:00:26 [1154] __fnbamd_ldap_dns_cb-Connection starts fortiserver.com:10.125.3.175, addr 10.125.3.175
2024-02-27 18:00:26 [879] __fnbamd_ldap_start_conn-Still connecting 10.125.3.175.
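As an added triage helper (not part of the original article or of FortiOS), the Python script below reads the fnbamd "Rcvd auth req" lines from the debug output above together with the group memberships from the "diagnose test authserver" output, maps the FortiGate user group that fnbamd actually evaluated to its LDAP group DN using the "config user group" match entries from the configuration above, and reports whether each user really belongs to that DN. The group mapping and sample lines are copied from this page; the only assumption is the line format shown above.

```python
import re

# LDAP group DN behind each FortiGate user group, taken from the
# "config user group ... config match" entries in the configuration above.
GROUP_MATCH = {
    "ldap.group-1": "CN=ldap.group,DC=fortiserver,DC=com",
    "ldap.group-2": "CN=radius.groups,DC=fortiserver,DC=com",
}

AUTH_REQ = re.compile(r"Rcvd auth req \d+ for (\S+) in (\S+) opt=")
MEMBERSHIP = re.compile(
    r"authenticate '([^']+)' against '[^']+' succeeded! Group membership\(s\) - (.*)")


def parse_auth_req(line):
    """(user, FortiGate user group) from an fnbamd 'handle_req-Rcvd auth req' line."""
    m = AUTH_REQ.search(line)
    return (m.group(1), m.group(2)) if m else None


def parse_memberships(line):
    """(user, [DN, ...]) from an authserver test line; DNs are space-separated there."""
    m = MEMBERSHIP.search(line)
    return (m.group(1), m.group(2).split()) if m else None


def explain(debug_lines, test_lines, group_match=GROUP_MATCH):
    """Per auth request: which group fnbamd evaluated, and whether the user is in it."""
    memberships = dict(filter(None, map(parse_memberships, test_lines)))
    report = {}
    for line in debug_lines:
        parsed = parse_auth_req(line)
        if parsed is None:
            continue
        user, fg_group = parsed
        wanted = group_match.get(fg_group)  # DN the evaluated group actually matches
        report[user] = {"checked_group": fg_group, "checked_dn": wanted,
                        "member": wanted in memberships.get(user, [])}
    return report


# Sample lines copied from the debug and authserver test output above.
SAMPLE_DEBUG = [
    "2024-02-27 17:55:45 [1916] handle_req-Rcvd auth req 1866462246 for zilan in ldap.group-1 opt=00014001 prot=11",
    "2024-02-27 18:00:26 [1916] handle_req-Rcvd auth req 1866462250 for shah in ldap.group-1 opt=00014001 prot=11",
]
SAMPLE_TEST = [
    "authenticate 'zilan' against 'fortiserver.com' succeeded! Group membership(s) - CN=fsso.group,DC=fortiserver,DC=com CN=ldap.group,DC=fortiserver,DC=com",
    "authenticate 'shah' against 'fortiserver.com' succeeded! Group membership(s) - CN=radius.groups,DC=fortiserver,DC=com",
]

if __name__ == "__main__":
    for user, info in explain(SAMPLE_DEBUG, SAMPLE_TEST).items():
        print(user, "evaluated against", info["checked_group"], "->", "member" if info["member"] else "NOT a member")
```

A "NOT a member" result for 'shah' is the signature of the behaviour described here: the login was evaluated against ldap.group-1 although only the ignored second wildcard admin references the group 'shah' belongs to.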