Purpose
This article explains how to grant administrative access to the FortiAnalyzer to the members of one LDAP user group without configuring a separate administrator account for each user.
Scope
This article describes how to configure FortiAnalyzer administrator accounts for LDAP users by means of the wildcard setting.
Diagram
Expectations, Requirements
Users that are members of the LDAP group should be able to log in even though they have no individual administrator account defined on the FortiAnalyzer.
It is necessary to have configured, on the LDAP server, the user group that will hold the FortiAnalyzer administrators.
Configuration
In order to allow an LDAP user group to log in to the FortiAnalyzer, it is necessary to configure the LDAP server on the FortiAnalyzer, then create a wildcard administrator account bound to that server, and finally mark the LDAP group so that it matches the configured filter. Start with the LDAP server:

# config system admin ldap
edit "LDAP_OMAR"
set server "192.168.157.99" >>>> The LDAP server IP
set cnid "sAMAccountName"
set dn "DC=tacfortimex,DC=loc"
set type regular
set username "tacfortimex\\Administrador"
set password ENC hdgywsr$52h$nfd
set group "CN=fazusers,DC=tacfortimex,DC=loc" >>>> The group created on the LDAP server whose members will be FortiAnalyzer administrators
set filter "(|(objectclass=person)(objectclass=user)(description=Admin))" >>>> Applied to the group object during the group search; the group must match it, which is why its description is set to Admin below
set adom "all_adoms"
next
end
Then create a user account with the wildcard setting enabled.
config system admin user
edit "fazusers"
set profileid "Super_User" >>>> Select the administrator profile as required
set adom "all_adoms"
set policy-package "all_policy_packages"
set user_type ldap
set ldap-server "LDAP_OMAR"
set wildcard enable >>>> Wildcard allows the members of the selected LDAP group to log in to the FortiAnalyzer without any other administrator account being configured for them
next
end
Then, on the LDAP server, put the word "Admin" in the description field of the LDAP user group. The group search applies the configured filter to the group DN itself (see the start_search_grp line in the debug output of the Verification section), so the group object must match the filter for its members to be accepted:
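To make the interaction between the cnid, dn, group and filter settings concrete, here is an added example (not FortiAnalyzer or Fortinet code) that reproduces, against a constructed in-memory directory, the four steps visible in the fnbamd debug output of this article: user DN lookup by cnid under the base dn, bind as that DN, search of the group DN with the configured filter, and the member check. The directory entries, passwords and the second group "helpdesk" are constructed for the example; the filter parser handles a subset of RFC 4515 (&, |, !, attr=value, attr=*), which goes beyond the single filter the article uses.

```python
"""Model of the FortiAnalyzer wildcard-admin LDAP login flow (added example,
not Fortinet code). Mirrors the fnbamd steps shown in the article's debug
output against a constructed in-memory directory."""

BASE = "DC=tacfortimex,DC=loc"
USER_CLASSES = ["top", "person", "user"]
# Constructed sample directory: DN -> attributes. "_pw" stands in for the
# bind credential and is not a real LDAP attribute.
DIRECTORY = {
    f"CN=fortinet1,{BASE}": {"objectClass": USER_CLASSES, "sAMAccountName": ["fortinet1"], "_pw": "Fortinet1!"},
    f"CN=fortinet2,{BASE}": {"objectClass": USER_CLASSES, "sAMAccountName": ["fortinet2"], "_pw": "Fortinet2!"},
    f"CN=fortinet3,{BASE}": {"objectClass": USER_CLASSES, "sAMAccountName": ["fortinet3"], "_pw": "Fortinet3!"},
    f"CN=fortinet4,{BASE}": {"objectClass": USER_CLASSES, "sAMAccountName": ["fortinet4"], "_pw": "Fortinet4!"},
    # Group carrying description=Admin, as the article requires.
    f"CN=fazusers,{BASE}": {"objectClass": ["top", "group"], "description": ["Admin"],
                           "member": [f"CN=fortinet2,{BASE}", f"CN=fortinet4,{BASE}", f"CN=fortinet1,{BASE}"]},
    # Hypothetical group without the description: its members must not be accepted.
    f"CN=helpdesk,{BASE}": {"objectClass": ["top", "group"], "member": [f"CN=fortinet3,{BASE}"]},
}

# Mirrors the 'config system admin ldap' entry from the article.
LDAP_CONFIG = {
    "cnid": "sAMAccountName",
    "dn": BASE,
    "group": f"CN=fazusers,{BASE}",
    "filter": "(|(objectclass=person)(objectclass=user)(description=Admin))",
}


def attr_values(entry, name):
    """Case-insensitive attribute lookup (LDAP attribute names are case-insensitive)."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []


def parse_filter(text, pos=0):
    """Recursive-descent parser for a subset of RFC 4515; returns (node, next_pos)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at {pos}")
    pos += 1
    if text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            node, pos = parse_filter(text, pos)
            children.append(node)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        return (op, children), pos + 1
    end = text.index(")", pos)
    attr, sep, value = text[pos:end].partition("=")
    if not sep:
        raise ValueError(f"unsupported filter item {text[pos:end]!r}")
    return ("=", attr, value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one directory entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for v in attr_values(entry, attr)]
    return bool(values) if value == "*" else value.lower() in values


def authenticate(directory, config, username, password):
    """Return (accepted, reason), stopping at the first failing fnbamd step."""
    # 1. start_search_dn: cnid=username under the configured base DN
    suffix = "," + config["dn"].lower()
    candidates = [dn for dn, e in directory.items() if dn.lower().endswith(suffix)
                  and username.lower() in [v.lower() for v in attr_values(e, config["cnid"])]]
    if not candidates:
        return False, "user DN not found"
    # 2. start_next_dn_bind / REBIND: bind as the user DN with the user's password
    user_dn = next((dn for dn in candidates if directory[dn].get("_pw") == password), None)
    if user_dn is None:
        return False, "bind failed"
    # 3. start_search_grp: the filter is applied to the group object itself
    group = directory.get(config["group"])
    if group is None or not matches(parse_filter(config["filter"])[0], group):
        return False, "group object does not match filter"
    # 4. chk_grp: the user's DN must be listed in the group's 'member' attribute
    if user_dn.lower() not in [m.lower() for m in attr_values(group, "member")]:
        return False, "not a member of group"
    return True, "accepted"


if __name__ == "__main__":
    for user, pw in [("fortinet1", "Fortinet1!"), ("fortinet3", "Fortinet3!"), ("fortinet1", "wrong")]:
        print(user, authenticate(DIRECTORY, LDAP_CONFIG, user, pw))
```

Pointing the same configuration at the "helpdesk" group shows the caveat: its member fortinet3 is rejected at step 3 because the group object carries no description=Admin and is neither a person nor a user, so the filter never matches; only after changing the filter to something the group satisfies does the membership check run.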
Verification
After the configuration, access can be tested for the administrator users.
Enable debug:
# diagnose debug application fnbam 255
# diagnose debug timestamp enable
# diagnose debug enable

Since version 6.4.5:
# diagnose debug application auth 8
# diagnose debug timestamp enable
# diagnose debug enable

For the fortinet1 administrator account:
FAZ1000D # fam_authenticate_user: User 'fortinet1' not found - using wildcard template
fnbamd_fsm.c[1070] handle_req-Rcvd auth req 1097334784 for fortinet1 in LDAP_OMAR opt=27 prot=9
fnbamd_ldap.c[719] resolve_ldap_FQDN-Resolved address 192.168.157.99, result 192.168.157.99
fnbamd_ldap.c[235] start_search_dn-base:'DC=tacfortimex,DC=loc' filter:sAMAccountName=fortinet1
fnbamd_ldap.c[1014] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_fsm.c[1384] poll_auth-Continue pending for req 1097334784
fnbamd_ldap.c[269] get_all_dn-Found DN 1:CN=fortinet1,DC=tacfortimex,DC=loc
fnbamd_ldap.c[283] get_all_dn-Found 746087789 DN's
fnbamd_ldap.c[313] start_next_dn_bind-Trying DN 1:CN=fortinet1,DC=tacfortimex,DC=loc
fnbamd_ldap.c[1052] fnbamd_ldap_get_result-Going to REBIND state
fnbamd_fsm.c[1384] poll_auth-Continue pending for req 1097334784
fnbamd_ldap.c[374] start_search_grp-base:'CN=fazusers,DC=tacfortimex,DC=loc' filter:(|(objectclass=person)(objectclass=user)(description=Admin))
fnbamd_ldap.c[1141] fnbamd_ldap_get_result-Going to CHKGRP state
fnbamd_fsm.c[1384] poll_auth-Continue pending for req 1097334784
fnbamd_ldap.c[445] chk_grp-checking group:'CN=fazusers,DC=tacfortimex,DC=loc', attr:'member'
fnbamd_ldap.c[455] chk_grp-Found 3 members
fnbamd_ldap.c[458] chk_grp-checking member:'CN=fortinet2,DC=tacfortimex,DC=loc'
fnbamd_ldap.c[458] chk_grp-checking member:'CN=fortinet4,DC=tacfortimex,DC=loc'
fnbamd_ldap.c[458] chk_grp-checking member:'CN=fortinet1,DC=tacfortimex,DC=loc'
fnbamd_ldap.c[462] chk_grp-Group membership is good
fnbamd_ldap.c[1219] fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap.c[1229] fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth.c[1470] fnbamd_auth_poll-Result for ldap svr 192.168.157.99 is SUCCESS
fnbamd_comm.c[117] fnbamd_comm_send_result-Sending result 0 for req 1097334784
fam_authenticate_user: remote authentication succeeded
For the fortinet2 administrator account:
fnbamd_ldap.c[1014] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_fsm.c[1384] poll_auth-Continue pending for req 1115422720
fnbamd_ldap.c[269] get_all_dn-Found DN 1:CN=fortinet2,DC=tacfortimex,DC=loc
fnbamd_ldap.c[283] get_all_dn-Found 746087789 DN's
fnbamd_ldap.c[313] start_next_dn_bind-Trying DN 1:CN=fortinet2,DC=tacfortimex,DC=loc
fnbamd_ldap.c[1052] fnbamd_ldap_get_result-Going to REBIND state
fnbamd_fsm.c[1384] poll_auth-Continue pending for req 1115422720
fnbamd_ldap.c[374] start_search_grp-base:'CN=fazusers,DC=tacfortimex,DC=loc' filter:(|(objectclass=person)(objectclass=user)(description=Admin))
fnbamd_ldap.c[1141] fnbamd_ldap_get_result-Going to CHKGRP state
fnbamd_fsm.c[1384] poll_auth-Continue pending for req 1115422720
fnbamd_ldap.c[445] chk_grp-checking group:'CN=fazusers,DC=tacfortimex,DC=loc', attr:'member'
fnbamd_ldap.c[455] chk_grp-Found 3 members
fnbamd_ldap.c[458] chk_grp-checking member:'CN=fortinet2,DC=tacfortimex,DC=loc'
fnbamd_ldap.c[462] chk_grp-Group membership is good
fnbamd_ldap.c[1219] fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap.c[1229] fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth.c[1470] fnbamd_auth_poll-Result for ldap svr 192.168.157.99 is SUCCESS
fnbamd_comm.c[117] fnbamd_comm_send_result-Sending result 0 for req 1115422720
fam_authenticate_user: remote authentication succeeded
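The debug output above is verbose, and when several administrators log in the lines of different requests have to be told apart by request id. The following added example (not Fortinet code) groups fnbamd lines per request and names the last step each request reached. The regular expressions follow the line formats shown above; the sample lines are a subset of the fortinet1 output, split one message per line, embedded here as constructed input so the script runs offline. The ordering of steps assumed by explain() (user DN search, bind, group search, membership check, result) is the one visible in this article's output.

```python
"""Summarize fnbamd debug output per authentication request (added example,
not Fortinet code). Patterns follow the lines shown in this article."""
import re

# Constructed input: a subset of the fortinet1 debug output above.
SAMPLE_LOG = """\
fam_authenticate_user: User 'fortinet1' not found - using wildcard template
fnbamd_fsm.c[1070] handle_req-Rcvd auth req 1097334784 for fortinet1 in LDAP_OMAR opt=27 prot=9
fnbamd_ldap.c[719] resolve_ldap_FQDN-Resolved address 192.168.157.99, result 192.168.157.99
fnbamd_ldap.c[235] start_search_dn-base:'DC=tacfortimex,DC=loc' filter:sAMAccountName=fortinet1
fnbamd_ldap.c[269] get_all_dn-Found DN 1:CN=fortinet1,DC=tacfortimex,DC=loc
fnbamd_ldap.c[313] start_next_dn_bind-Trying DN 1:CN=fortinet1,DC=tacfortimex,DC=loc
fnbamd_ldap.c[374] start_search_grp-base:'CN=fazusers,DC=tacfortimex,DC=loc' filter:(|(objectclass=person)(objectclass=user)(description=Admin))
fnbamd_ldap.c[445] chk_grp-checking group:'CN=fazusers,DC=tacfortimex,DC=loc', attr:'member'
fnbamd_ldap.c[455] chk_grp-Found 3 members
fnbamd_ldap.c[458] chk_grp-checking member:'CN=fortinet2,DC=tacfortimex,DC=loc'
fnbamd_ldap.c[458] chk_grp-checking member:'CN=fortinet4,DC=tacfortimex,DC=loc'
fnbamd_ldap.c[458] chk_grp-checking member:'CN=fortinet1,DC=tacfortimex,DC=loc'
fnbamd_ldap.c[462] chk_grp-Group membership is good
fnbamd_ldap.c[1219] fnbamd_ldap_get_result-Auth accepted
fnbamd_auth.c[1470] fnbamd_auth_poll-Result for ldap svr 192.168.157.99 is SUCCESS
fnbamd_comm.c[117] fnbamd_comm_send_result-Sending result 0 for req 1097334784
fam_authenticate_user: remote authentication succeeded
"""

PATTERNS = {
    "wildcard": re.compile(r"User '(?P<user>[^']+)' not found - using wildcard template"),
    "req":      re.compile(r"handle_req-Rcvd auth req (?P<req>\d+) for (?P<user>\S+) in (?P<server>\S+)"),
    "user_dn":  re.compile(r"get_all_dn-Found DN \d+:(?P<dn>\S+)"),
    "group":    re.compile(r"start_search_grp-base:'(?P<group>[^']+)' filter:(?P<filter>\S+)"),
    "member":   re.compile(r"chk_grp-checking member:'(?P<dn>[^']+)'"),
    "good":     re.compile(r"chk_grp-Group membership is good"),
    "accepted": re.compile(r"fnbamd_ldap_get_result-Auth accepted"),
    "result":   re.compile(r"Result for ldap svr (?P<addr>\S+) is (?P<result>\w+)"),
    "sent":     re.compile(r"Sending result (?P<code>-?\d+) for req (?P<req>\d+)"),
}


def parse_fnbamd(text):
    """Group debug lines by request id; returns {req_id: summary dict}."""
    requests, current, wildcard_pending = {}, None, None
    for line in text.splitlines():
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                break
        else:
            continue  # not one of the lines we track
        if kind == "wildcard":
            wildcard_pending = m["user"]  # logged just before the handle_req line
        elif kind == "req":
            current = requests.setdefault(m["req"], {
                "user": m["user"], "server": m["server"], "wildcard": wildcard_pending == m["user"],
                "user_dn": None, "group": None, "filter": None, "members_checked": [],
                "membership_ok": False, "accepted": False, "result": None, "code": None})
            wildcard_pending = None
        elif current is None:
            continue  # request header not captured, cannot attribute the line
        elif kind == "user_dn":
            current["user_dn"] = m["dn"]
        elif kind == "group":
            current.update(group=m["group"], filter=m["filter"])
        elif kind == "member":
            current["members_checked"].append(m["dn"])
        elif kind == "good":
            current["membership_ok"] = True
        elif kind == "accepted":
            current["accepted"] = True
        elif kind == "result":
            current["result"] = m["result"]
        elif kind == "sent":
            current["code"] = int(m["code"])
            current = None  # request finished
    return requests


def explain(summary):
    """Name the last step reached, assuming the step order shown in this article."""
    user = summary["user"]
    if summary["result"] == "SUCCESS" and summary["accepted"]:
        how = "wildcard template" if summary["wildcard"] else "explicit account"
        return f"{user}: accepted ({how}), member of {summary['group']}"
    if summary["user_dn"] is None:
        return f"{user}: failed, no DN found under the base DN"
    if summary["group"] is None:
        return f"{user}: failed, bind as {summary['user_dn']} did not lead to a group search"
    if not summary["membership_ok"]:
        return f"{user}: failed, {summary['user_dn']} not accepted as member of {summary['group']}"
    return f"{user}: result {summary['result']!r}, code {summary['code']}"


if __name__ == "__main__":
    for req_id, summary in parse_fnbamd(SAMPLE_LOG).items():
        print(req_id, explain(summary))
```

Feed the script the raw console output of the debug commands above (with timestamps enabled, the prefix is ignored by the search-based patterns); a request that never reaches the start_search_grp line is reported as failing before the group search, which usually points at the base DN, the cnid or the bind rather than at group membership.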