LDAP users ends up in groups they are not member of in AD server
Hi,
We have discovered that several users seem to end up in several LDAP groups when they connect via the VPN client (FortiClient). Every user is a member of a specific group on our Active Directory, and even though they are not members of a certain group, when they connect via the VPN client I can see that they end up in these User Groups.
For example:
Let's say we have these groups under User & Authentication -> User Groups:
- Group 1 (remote group 1)
- Group 2 (remote group 2)
- Group 3 (remote group 3)
Remote group 1, 2 and 3 are groups that are created on the AD server and synced with the User Groups on fortigate.
User A is a member of remote group 1 on the AD, but when he logs in via the VPN client, even though he is not a member of remote group 2 on the AD, he ends up in this group on the FortiGate as well.
We are running FortiOS v6.4.8.
Does anyone have any idea why the FortiGate is behaving like this?
Best Regards
Good morning,
Have you run any debug commands to start? Try
diag debug enable
diag debug app fnbamd 255 (to stop the debug, type this command but with 0 (zero) instead of 255)
Then test the user auth binding
diag test authserver ldap <server> <username> <password>
What you may want to start looking at is all of the server info, binding, and "Get DN" information. Look for any errant entries as far as groups go.
Also, in AD make sure you don't have any nested security groups. OK, off to travel but good luck. I am sure someone else can take it from here if you still have issues. Keep up the awesome work, Fisnik!
David, NSE 5
Green Cloud Defense
XPERTS-EAST Gold Winner 2021
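As an added illustration of the nested-group check the reply recommends (this is example code, not from the original post or from Fortinet), the script below models a constructed directory in which remote group 1 is nested inside remote group 2. It shows that a user who is only a direct member of remote group 1 is matched into both Group 1 and Group 2 whenever membership is evaluated transitively, which is exactly the symptom described in the question. All DNs and the FortiGate group mapping are assumed sample values.

```python
# Added example: why nested AD groups can land a user in extra FortiGate User Groups.
# DIRECTORY is constructed sample data (memberOf per object), not a real AD.
from collections import deque

USER_A = "CN=User A,OU=Users,DC=example,DC=local"
RG1 = "CN=Remote Group 1,OU=Groups,DC=example,DC=local"
RG2 = "CN=Remote Group 2,OU=Groups,DC=example,DC=local"
RG3 = "CN=Remote Group 3,OU=Groups,DC=example,DC=local"

# Remote group 1 is itself a member of remote group 2 (the nesting the reply warns about).
DIRECTORY = {
    USER_A: [RG1],
    RG1: [RG2],
    RG2: [],
    RG3: [],
}

# FortiGate User Group name -> remote AD group DN (assumed mapping, mirroring the post).
FORTIGATE_GROUPS = {"Group 1": RG1, "Group 2": RG2, "Group 3": RG3}


def direct_groups(dn):
    """Groups listed directly in the object's memberOf attribute."""
    return set(DIRECTORY.get(dn, []))


def effective_groups(dn):
    """Transitive closure of memberOf (what a nested-aware lookup returns); cycle-safe."""
    seen, queue = set(), deque(DIRECTORY.get(dn, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(DIRECTORY.get(group, []))
    return seen


def matched_user_groups(dn, nested):
    """FortiGate User Groups the object would match under direct or nested evaluation."""
    groups = effective_groups(dn) if nested else direct_groups(dn)
    return sorted(name for name, remote in FORTIGATE_GROUPS.items() if remote in groups)


def groups_via_nesting_only(dn):
    """The 'unexpected' User Groups: reachable only through a nested parent group."""
    return sorted(set(matched_user_groups(dn, True)) - set(matched_user_groups(dn, False)))


if __name__ == "__main__":
    print("direct membership :", matched_user_groups(USER_A, nested=False))
    print("nested membership :", matched_user_groups(USER_A, nested=True))
    print("via nesting only  :", groups_via_nesting_only(USER_A))
```

Comparing the two lists against the groups the fnbamd debug reports for the user tells you whether the extra memberships come from nesting in AD or from something else in the FortiGate group configuration.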
