Description
This article describes how to ensure successful LDAP authentication from a FortiGate towards a Red Hat FreeIPA server.
- The FreeIPA server has a different LDAP tree layout from a typical directory. It is composed of two sub-trees: cn=accounts,dc=<suffix>,dc=<suffix> (the native tree) and cn=compat,dc=<suffix>,dc=<suffix> (the compatibility tree), and the same user appears under both.
- When the FortiGate performs an LDAP query using the memberOf attribute, it expects to receive exactly one unique result. Against FreeIPA it instead receives two identical users, one from each sub-tree, and this non-unique result causes the authentication to fail.
Solution
The user should configure one of the two specific sub-trees as the base DN in the LDAP server configuration, so that the query only returns one match.
The following configuration will make the FortiGate ensure successful LDAP authentication towards the FreeIPA server:
config user ldap
    edit <ldap>
        set cnid "uid"
        # set the base DN to exactly one of the two sub-trees, not the bare suffix:
        set dn "cn=accounts,dc=<suffix>,dc=<suffix>"
        # or, to use the compatibility tree instead:
        # set dn "cn=compat,dc=<suffix>,dc=<suffix>"
    next
end
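The following added example (not Fortinet's or FreeIPA's code) simulates the user lookup described above against a constructed FreeIPA-style directory under dc=example,dc=com, to show why a base DN at the bare suffix returns two hits for the same uid while a base DN at cn=accounts returns exactly one. The DIRECTORY entries, the suffix and the user names are all assumptions built for the demonstration.

```python
"""Simulate the FortiGate user lookup against a FreeIPA directory layout.
All entries below are constructed sample data (dc=example,dc=com); they
are not taken from a real server."""
from typing import Dict, List, Optional

# Constructed FreeIPA-like directory: the same user is exposed under both
# cn=accounts (the native tree) and cn=compat (the compatibility tree).
DIRECTORY: Dict[str, Dict[str, str]] = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=com": {"uid": "alice"},
    "uid=alice,cn=users,cn=compat,dc=example,dc=com": {"uid": "alice"},
    "uid=bob,cn=users,cn=accounts,dc=example,dc=com": {"uid": "bob"},
    "uid=bob,cn=users,cn=compat,dc=example,dc=com": {"uid": "bob"},
}


def rdns(dn: str) -> List[str]:
    """Split a DN into normalised RDNs (lower-case, whitespace stripped)."""
    return [part.strip().lower() for part in dn.split(",")]


def in_subtree(dn: str, base: str) -> bool:
    """True if dn equals base or lies beneath it (RDN suffix match)."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b


def subtree_search(base: str, cnid: str, value: str) -> List[str]:
    """Return the DNs under base whose <cnid> attribute equals value,
    i.e. a subtree-scoped search for (cnid=value) from the configured dn."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_subtree(dn, base) and attrs.get(cnid) == value]


def resolve_user_dn(base: str, cnid: str, username: str) -> Optional[str]:
    """Mimic the FortiGate lookup: exactly one hit is required before the
    bind is attempted; zero or several hits is an authentication failure."""
    hits = subtree_search(base, cnid, username)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    # Bare suffix -> two hits -> None (auth error); cn=accounts -> one hit.
    for base in ("dc=example,dc=com", "cn=accounts,dc=example,dc=com"):
        print(base, "->", resolve_user_dn(base, "uid", "alice"))
```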