FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Description
This article describes how to ensure successful LDAP authentication from a FortiGate towards a Red Hat FreeIPA server.
- The FreeIPA server uses a different LDAP tree schema. It is composed of two sub-trees: cn=accounts,dc=<suffix>,dc=<suffix> and cn=compat,dc=<suffix>,dc=<suffix> (the compat sub-tree is a compatibility view that mirrors the entries held under cn=accounts).
- When the FortiGate performs an LDAP query using the memberOf attribute, it expects to receive exactly one unique result. However, when the search is rooted at the directory suffix, the FortiGate receives two identical users, one from each sub-tree, which generates an authentication error.
Solution
Set the base DN (dn) in the LDAP server configuration to one of the two specific sub-trees rather than to the directory suffix.
The following configuration makes the FortiGate authenticate successfully against the FreeIPA server (use either cn=accounts or cn=compat as the dn, not both):
# config user ldap
    edit <ldap>
        set cnid uid
        set dn "cn=accounts,dc=<suffix>,dc=<suffix>"
    next
end
Alternatively, use set dn "cn=compat,dc=<suffix>,dc=<suffix>" as the base DN.
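To see the failure mode outside the firewall, here is an added Python example (not from the Fortinet article or FortiOS) that models a subtree search over constructed FreeIPA-style entries: rooted at the suffix, the same uid matches twice (accounts and compat), while rooted at cn=accounts it matches once. The suffix dc=example,dc=com and the uid jdoe are assumed values.

```python
import re

# Constructed sample: the DNs FreeIPA returns for one account when the
# search is rooted at the directory suffix. The compat sub-tree mirrors the
# accounts sub-tree, so the same uid appears twice. Suffix/uid are assumed.
SUFFIX = "dc=example,dc=com"
SAMPLE_ENTRIES = [
    {"dn": f"uid=jdoe,cn=users,cn=accounts,{SUFFIX}", "uid": "jdoe"},
    {"dn": f"uid=jdoe,cn=users,cn=compat,{SUFFIX}", "uid": "jdoe"},
    {"dn": f"uid=asmith,cn=users,cn=accounts,{SUFFIX}", "uid": "asmith"},
]


def dn_components(dn):
    """Split a DN into normalised RDNs: split on unescaped commas,
    strip surrounding whitespace, compare case-insensitively."""
    return [c.strip().lower() for c in re.split(r"(?<!\\),", dn)]


def under_base(dn, base_dn):
    """True if dn lies inside the sub-tree rooted at base_dn (subtree scope,
    the base entry itself included)."""
    parts, base = dn_components(dn), dn_components(base_dn)
    return len(parts) >= len(base) and parts[-len(base):] == base


def lookup_user(entries, base_dn, cnid, value):
    """Subtree search for <cnid>=<value> below base_dn. Like the firewall,
    the caller requires exactly one entry. Returns (status, matching DNs):
    status is "ok", "not-found" or "ambiguous"."""
    hits = [e["dn"] for e in entries
            if under_base(e["dn"], base_dn) and e.get(cnid) == value]
    if len(hits) == 1:
        return "ok", hits
    return ("not-found" if not hits else "ambiguous"), hits


if __name__ == "__main__":
    # Search rooted at the suffix: duplicate results -> authentication error.
    print(lookup_user(SAMPLE_ENTRIES, SUFFIX, "uid", "jdoe"))
    # Search rooted at cn=accounts: a single unique result.
    print(lookup_user(SAMPLE_ENTRIES, f"cn=accounts,{SUFFIX}", "uid", "jdoe"))
```

The same comparison can be made against a live server with ldapsearch by changing only the -b base DN between the suffix and cn=accounts,<suffix>.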