FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
tonylin1
Staff
Article Id 302551
Description

This article describes why a remote user that was manually imported from an LDAP group still exists after that user is removed from AD and a Manual Sync is run under Remote User Sync Rules.

Scope

FortiAuthenticator.
Solution
  1. There are two users in the remote LDAP AD server.
  2. Manually add 'twtac2' in the GUI under Remote Users -> Import.
  3. Manually sync the 'twtac1' user from the GUI under Remote User Sync Rules:
  4. There are now two users in Remote Users:
  • twtac1: Remote User Sync Rules -> Manual Sync.
  • twtac2: Remote Users -> Import.
  5. After removing the 'twtac2' user from Windows AD and performing Remote User Sync Rules -> Manual Sync, 'twtac2' still exists in Remote Users:

In conclusion, Remote User Sync Rules -> Manual Sync does not sync users that were manually imported through Remote Users -> Import, so such a user remains in Remote Users after it is deleted from AD.

It is not possible to distinguish manually imported users from automatically imported (sync rule) users; only the logs can tell. To find out, search the logs for the user name and check how that user was imported.

For example:

Manually imported user:

date=2024-05-13 time=07:25:45+0000 oid=841 logid=10203 cat="Event" subcat="Admin Configuration" level="information" nas="" action="" status="" msg="Imported remote user "user01" from remote LDAP server "DC01 (192.168.95.16)"" user="admin"

Using remote user sync rules:

date=2024-05-13 time=07:35:11+0000 oid=1526 logid=10001 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Add" status="" msg="Added Remote LDAP User: user02" user=""
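As an added example (not part of the article and not a FortiAuthenticator tool), the following Python script parses log lines in the key=value format shown above and reports which remote users were created by a manual import (logid 10203, "Imported remote user") and which by a sync rule (logid 10001, "Added Remote LDAP User"), so an administrator can list the users that a Manual Sync will not clean up. The first two sample lines are the article's; the third is constructed in the same shape.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample FortiAuthenticator log lines. The first two are quoted from the
# article; the third is a constructed line in the same shape, not real output.
SAMPLE_LOGS = [
    'date=2024-05-13 time=07:25:45+0000 oid=841 logid=10203 cat="Event" subcat="Admin Configuration" level="information" nas="" action="" status="" msg="Imported remote user "user01" from remote LDAP server "DC01 (192.168.95.16)"" user="admin"',
    'date=2024-05-13 time=07:35:11+0000 oid=1526 logid=10001 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Add" status="" msg="Added Remote LDAP User: user02" user=""',
    'date=2024-05-13 time=07:35:12+0000 oid=1527 logid=10001 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Add" status="" msg="Added Remote LDAP User: user03" user=""',
]

# A quoted value may contain unescaped double quotes (see the msg field of the
# first line), so a value is taken to run until the next ' key=' or end of line.
FIELD_RE = re.compile(r'(\w+)=("(?:.*?)"|\S*)(?= \w+=|$)')
MANUAL_RE = re.compile(r'^Imported remote user "([^"]+)" from remote LDAP server "(.+)"$')
SYNC_RE = re.compile(r'^Added Remote LDAP User: (\S+)$')

def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, dropping the outer quotes."""
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields

def classify(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (user, method, admin) for a remote-user creation event, else None."""
    f = parse_line(line)
    msg = f.get("msg", "")
    if f.get("logid") == "10203":  # manual Remote Users -> Import
        m = MANUAL_RE.match(msg)
        if m:
            return m.group(1), "manual-import", f.get("user", "")
    elif f.get("logid") == "10001":  # created by Remote User Sync Rules
        m = SYNC_RE.match(msg)
        if m:
            return m.group(1), "sync-rule", f.get("user", "")
    return None

def import_methods(lines: List[str]) -> Dict[str, str]:
    """Map each remote user name to how it was created (latest event wins)."""
    hits = (classify(line) for line in lines)
    return {h[0]: h[1] for h in hits if h is not None}

def manually_imported(lines: List[str]) -> List[str]:
    """Users a Manual Sync will not remove; review these by hand after AD changes."""
    return sorted(u for u, m in import_methods(lines).items() if m == "manual-import")
```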