Description
This article explains how to grant administrative access to FortiAnalyzer to the members of one LDAP user group without creating an administrator account for each user on the FortiAnalyzer.
Scope
FortiAnalyzer.
Solution
Users that are members of the LDAP group should be able to log in even though they have no individual administrator accounts defined on the FortiAnalyzer.
Configuration
Configure an LDAP server:
Go to System Settings -> Remote Authentication Server -> Create New -> LDAP Server.
Note:
The 'Group' field is the DN of the group on the LDAP server whose members are allowed to administer the FortiAnalyzer (in the verification output below this is CN=fazusers,DC=tacfortimex,DC=loc). A user who authenticates successfully but is not a member of this group is rejected at the group check.
Create a user account with the wildcard setting enabled:
Go to System Settings -> Administrators -> Create New -> Administrator.
Note:
The option 'Match all users on remote server' (previously called 'Wildcard') allows any user of the selected LDAP group to log in to the FortiAnalyzer without a separate administrator account being configured for that user. Every user that passes the LDAP group check inherits the admin profile and ADOM assignment of this wildcard account, so assign the least-privileged profile that fits and keep membership of the LDAP group tightly controlled.
On the LDAP server, set the description field of the LDAP user group to the word 'Admin' (this is the description=Admin term that appears in the group search filter of the verification output below):
Verification:
Once the configuration is in place, test a login with one of the LDAP users while the authentication debug is running on the FortiAnalyzer CLI.
Enable the debug:
diagnose debug application fnbam 255
diagnose debug timestamp enable
diagnose debug enable
From v6.4.5 onward, the debug application is 'auth' instead:
diagnose debug application auth 8
diagnose debug timestamp enable
diagnose debug enable
For the fortinet1 administrator account (the first line shows that no local administrator named 'fortinet1' exists, so the wildcard template is used):
FAZ1000D #
fam_authenticate_user: User 'fortinet1' not found - using wildcard template
fnbamd_fsm.c[1070] handle_req-Rcvd auth req 1097334784 for fortinet1 in LDAP_OMAR opt=27 prot=9
fnbamd_ldap.c[719] resolve_ldap_FQDN-Resolved address 192.168.157.99, result 192.168.157.99
fnbamd_ldap.c[235] start_search_dn-base:'DC=tacfortimex,DC=loc' filter:sAMAccountName=fortinet1
fnbamd_ldap.c[1014] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_fsm.c[1384] poll_auth-Continue pending for req 1097334784
fnbamd_ldap.c[269] get_all_dn-Found DN 1:CN=fortinet1,DC=tacfortimex,DC=loc
fnbamd_ldap.c[283] get_all_dn-Found 746087789 DN's
fnbamd_ldap.c[313] start_next_dn_bind-Trying DN 1:CN=fortinet1,DC=tacfortimex,DC=loc
fnbamd_ldap.c[1052] fnbamd_ldap_get_result-Going to REBIND state
fnbamd_fsm.c[1384] poll_auth-Continue pending for req 1097334784
fnbamd_ldap.c[374] start_search_grp-base:'CN=fazusers,DC=tacfortimex,DC=loc' filter:(|(objectclass=person)(objectclass=user)(description=Admin))
fnbamd_ldap.c[1141] fnbamd_ldap_get_result-Going to CHKGRP state
fnbamd_fsm.c[1384] poll_auth-Continue pending for req 1097334784
fnbamd_ldap.c[445] chk_grp-checking group:'CN=fazusers,DC=tacfortimex,DC=loc', attr:'member'
fnbamd_ldap.c[455] chk_grp-Found 3 members
fnbamd_ldap.c[458] chk_grp-checking member:'CN=fortinet2,DC=tacfortimex,DC=loc'
fnbamd_ldap.c[458] chk_grp-checking member:'CN=fortinet4,DC=tacfortimex,DC=loc'
fnbamd_ldap.c[458] chk_grp-checking member:'CN=fortinet1,DC=tacfortimex,DC=loc'
fnbamd_ldap.c[462] chk_grp-Group membership is good
fnbamd_ldap.c[1219] fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap.c[1229] fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth.c[1470] fnbamd_auth_poll-Result for ldap svr 192.168.157.99 is SUCCESS
fnbamd_comm.c[117] fnbamd_comm_send_result-Sending result 0 for req 1097334784
fam_authenticate_user: remote authentication succeeded
For the fortinet2 administrator account (output abridged; the trace starts at the SEARCH state):
fnbamd_ldap.c[1014] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_fsm.c[1384] poll_auth-Continue pending for req 1115422720
fnbamd_ldap.c[269] get_all_dn-Found DN 1:CN=fortinet2,DC=tacfortimex,DC=loc
fnbamd_ldap.c[283] get_all_dn-Found 746087789 DN's
fnbamd_ldap.c[313] start_next_dn_bind-Trying DN 1:CN=fortinet2,DC=tacfortimex,DC=loc
fnbamd_ldap.c[1052] fnbamd_ldap_get_result-Going to REBIND state
fnbamd_fsm.c[1384] poll_auth-Continue pending for req 1115422720
fnbamd_ldap.c[374] start_search_grp-base:'CN=fazusers,DC=tacfortimex,DC=loc' filter:(|(objectclass=person)(objectclass=user)(description=Admin))
fnbamd_ldap.c[1141] fnbamd_ldap_get_result-Going to CHKGRP state
fnbamd_fsm.c[1384] poll_auth-Continue pending for req 1115422720
fnbamd_ldap.c[445] chk_grp-checking group:'CN=fazusers,DC=tacfortimex,DC=loc', attr:'member'
fnbamd_ldap.c[455] chk_grp-Found 3 members
fnbamd_ldap.c[458] chk_grp-checking member:'CN=fortinet2,DC=tacfortimex,DC=loc'
fnbamd_ldap.c[462] chk_grp-Group membership is good
fnbamd_ldap.c[1219] fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap.c[1229] fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth.c[1470] fnbamd_auth_poll-Result for ldap svr 192.168.157.99 is SUCCESS
fnbamd_comm.c[117] fnbamd_comm_send_result-Sending result 0 for req 1115422720
fam_authenticate_user: remote authentication succeeded
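The debug output above can be checked mechanically instead of by eye. The following Python script is an added example written for this article; it is not part of the original article or of any Fortinet tool. It parses fnbamd debug lines of the form shown above (the sample embedded in it is the article's own fortinet1 trace, abridged and with the fused first line split) and confirms the points that matter for wildcard admin login: the wildcard template was used because no local account matched, the user's DN was resolved under the base DN, the group search ran against the expected group DN with the description=Admin filter term, the user's DN is among the group's 'member' values, and the server verdict was SUCCESS. The expected group DN and the filter term are parameters supplied by the caller, not read from the device.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the article's own fnbamd trace for 'fortinet1', abridged
# (the repeated poll_auth lines are left out) and with the fused first line split.
SAMPLE_DEBUG = """\
fam_authenticate_user: User 'fortinet1' not found - using wildcard template
fnbamd_fsm.c[1070] handle_req-Rcvd auth req 1097334784 for fortinet1 in LDAP_OMAR opt=27 prot=9
fnbamd_ldap.c[235] start_search_dn-base:'DC=tacfortimex,DC=loc' filter:sAMAccountName=fortinet1
fnbamd_ldap.c[1014] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_ldap.c[269] get_all_dn-Found DN 1:CN=fortinet1,DC=tacfortimex,DC=loc
fnbamd_ldap.c[313] start_next_dn_bind-Trying DN 1:CN=fortinet1,DC=tacfortimex,DC=loc
fnbamd_ldap.c[1052] fnbamd_ldap_get_result-Going to REBIND state
fnbamd_ldap.c[374] start_search_grp-base:'CN=fazusers,DC=tacfortimex,DC=loc' filter:(|(objectclass=person)(objectclass=user)(description=Admin))
fnbamd_ldap.c[1141] fnbamd_ldap_get_result-Going to CHKGRP state
fnbamd_ldap.c[445] chk_grp-checking group:'CN=fazusers,DC=tacfortimex,DC=loc', attr:'member'
fnbamd_ldap.c[455] chk_grp-Found 3 members
fnbamd_ldap.c[458] chk_grp-checking member:'CN=fortinet2,DC=tacfortimex,DC=loc'
fnbamd_ldap.c[458] chk_grp-checking member:'CN=fortinet4,DC=tacfortimex,DC=loc'
fnbamd_ldap.c[458] chk_grp-checking member:'CN=fortinet1,DC=tacfortimex,DC=loc'
fnbamd_ldap.c[462] chk_grp-Group membership is good
fnbamd_ldap.c[1219] fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap.c[1229] fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth.c[1470] fnbamd_auth_poll-Result for ldap svr 192.168.157.99 is SUCCESS
fnbamd_comm.c[117] fnbamd_comm_send_result-Sending result 0 for req 1097334784
fam_authenticate_user: remote authentication succeeded
"""

@dataclass
class AuthTrace:
    """Facts extracted from one fnbamd LDAP authentication attempt."""
    user: Optional[str] = None
    req_id: Optional[str] = None
    ldap_profile: Optional[str] = None      # name of the LDAP server object on the FortiAnalyzer
    wildcard_template: bool = False         # True when no local admin matched and the wildcard admin was used
    user_dn: Optional[str] = None
    group_dn: Optional[str] = None
    group_filter: Optional[str] = None
    members: List[str] = field(default_factory=list)
    membership_ok: bool = False
    ldap_result: Optional[str] = None       # per-server verdict, e.g. SUCCESS
    final: Optional[str] = None             # 'succeeded' or 'failed'

# Each pattern is matched against a single debug line; the names drive parse_trace().
PATTERNS = [
    ("wildcard", re.compile(r"User '([^']+)' not found - using wildcard template")),
    ("req", re.compile(r"Rcvd auth req (\d+) for (\S+) in (\S+)")),
    ("user_dn", re.compile(r"get_all_dn-Found DN \d+:(.+)$")),
    ("grp", re.compile(r"start_search_grp-base:'([^']*)' filter:(.+)$")),
    ("member", re.compile(r"chk_grp-checking member:'([^']*)'")),
    ("grp_ok", re.compile(r"chk_grp-Group membership is good")),
    ("result", re.compile(r"Result for ldap svr \S+ is (\S+)")),
    ("final", re.compile(r"fam_authenticate_user: remote authentication (\w+)")),
]

def parse_trace(text: str) -> AuthTrace:
    t = AuthTrace()
    for line in text.splitlines():
        for name, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            if name == "wildcard":
                t.wildcard_template, t.user = True, m.group(1)
            elif name == "req":
                t.req_id, t.user, t.ldap_profile = m.groups()
            elif name == "user_dn":
                t.user_dn = m.group(1).strip()
            elif name == "grp":
                t.group_dn, t.group_filter = m.group(1), m.group(2).strip()
            elif name == "member":
                t.members.append(m.group(1))
            elif name == "grp_ok":
                t.membership_ok = True
            elif name == "result":
                t.ldap_result = m.group(1)
            elif name == "final":
                t.final = m.group(1)
    return t

def check_wildcard_login(t: AuthTrace, expected_group: str,
                         required_filter_term: str = "description=Admin") -> List[str]:
    """Return the checks that FAILED; an empty list means the wildcard login went as intended."""
    problems = []
    if not t.wildcard_template:
        problems.append("no 'using wildcard template' line: a local admin account may have matched instead")
    if not t.user_dn:
        problems.append("user DN was never resolved from the base DN search")
    if (t.group_dn or "").lower() != expected_group.lower():
        problems.append(f"group search base {t.group_dn!r} is not the expected {expected_group!r}")
    if required_filter_term not in (t.group_filter or ""):
        problems.append(f"group search filter does not contain {required_filter_term!r}")
    if t.user_dn and t.user_dn.lower() not in [m.lower() for m in t.members]:
        problems.append("user DN is not among the group's 'member' values")
    if not t.membership_ok:
        problems.append("fnbamd did not report 'Group membership is good'")
    if t.ldap_result != "SUCCESS" or t.final != "succeeded":
        problems.append(f"LDAP result {t.ldap_result!r}, final verdict {t.final!r}")
    return problems
```

Paste the captured debug session into a file, read it into a string and call check_wildcard_login(parse_trace(text), "CN=<your group DN>"); an empty list means every stage of the wildcard login path was observed. Any item in the list names the stage that was missing or wrong, which is usually enough to tell an LDAP filter or group DN mismatch apart from a bind or password failure.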
