FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
CarlosColombini
Article Id 213349


Description

This article describes how to configure multiple remote administrators to be assigned different administrator profiles based on LDAP group membership.

Scope

FortiGate Administration and LDAP.

Solution

It is possible to assign different administrator profiles based on VSA attributes returned by a RADIUS server, as described in the article below.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Providing-different-admin-access-profiles/...

If no RADIUS server is available, wildcard administrators can be used instead, with the profile selected by LDAP group membership.

Configuration Steps:

Note:

An existing LDAP server entry on the FortiGate can be reused, or a separate entry can be created if specific settings for 'group-member-check' and/or 'group-filter' are required.

LDAP Server Configuration:

Configure the LDAP or LDAPS server as per the KB articles below.

LDAP:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-LDAP-server/ta-p/196...

LDAPS:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-LDAP-over-SSL-LDAPS/ta-p/18997...

For this example, the LDAP server is configured as below.

(Screenshot omitted: LDAP server configuration in the GUI)


CLI configuration:

# config user ldap
    edit "DC1-LDAPS-ADMINS"
        set server "dc1.colombas.lab"
        set cnid "sAMAccountName"
        set dn "dc=colombas,dc=lab"
        set type regular
        set username "cn=administrator,cn=users,dc=colombas,dc=lab"
        set password ENC xxxxxxxx
        set group-member-check user-attr
        set group-search-base ''
        set group-filter ''
        set secure ldaps
        set ca-cert "LDAPS-CA"
        set port 636
        set password-expiry-warning enable
        set password-renewal enable
    next
end

 

Firewall Groups configuration:

Create the firewall groups.

(Screenshot omitted: user group list in the GUI)

Each firewall group is mapped to one or more groups in Active Directory, as per the example below:

(Screenshot omitted: remote group mapping of a user group to an Active Directory group)

 

CLI configuration:

# config user group
    edit "Admins-Escalations"
        set member "DC1-LDAPS-ADMINS"
        config match
            edit 1
                set server-name "DC1-LDAPS-ADMINS"
                set group-name "CN=Escalations,CN=Users,DC=Colombas,DC=lab"
            next
        end
    next
end

 

Admin Profile Configuration:

Create the admin profiles that will be assigned to the different administrators:

(Screenshot omitted: admin profile list in the GUI)

Define permissions as needed for each profile, as per the example below:

(Screenshot omitted: permission settings of an admin profile)

 

CLI Configuration:

# config system accprofile
    edit "Level3"
        set secfabgrp read-write
        set ftviewgrp read-write
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wanoptgrp read-write
        set wifi read-write
    next
end

 

Administrators Configuration:

Create wildcard administrators and assign them the remote user group defined previously.

(Screenshot omitted: administrator list in the GUI)

In the example below, administrator 'L3-Admins-LDAP' is mapped to the group 'Admins-Escalations'.

(Screenshot omitted: 'L3-Admins-LDAP' administrator settings with wildcard enabled and remote group 'Admins-Escalations')


CLI Configuration:

# config system admin
    edit "L3-Admins-LDAP"
        set remote-auth enable
        set accprofile "Level3"
        set vdom "root"
        set wildcard enable
        set remote-group "Admins-Escalations"
    next
end
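The four objects above form a chain: the wildcard administrator names a remote-group and an accprofile, the user group names an LDAP server as its member, and the group's match entry names that server together with the AD group DN. A mismatch anywhere in that chain means the login either fails or lands on the wrong profile. The script below is an added example, not Fortinet code: it parses FortiOS CLI blocks of the kind shown in this article (embedded as a constructed, trimmed copy of the article's own configuration, with the bind password replaced by a placeholder) and reports any broken link in the chain, including a group with no match entry at all, which would hand the profile to every user the LDAP server authenticates.

```python
"""Consistency check for the wildcard admin -> user group -> LDAP server chain.

Added example, not Fortinet code. Parses FortiOS CLI blocks like the article's
(a constructed, trimmed sample is embedded; bind password is a placeholder).
"""
import re

# Constructed sample: the article's own objects, trimmed to the relevant lines.
SAMPLE_CONFIG = """
config user ldap
    edit "DC1-LDAPS-ADMINS"
        set server "dc1.colombas.lab"
        set password ENC PLACEHOLDER
    next
end
config user group
    edit "Admins-Escalations"
        set member "DC1-LDAPS-ADMINS"
        config match
            edit 1
                set server-name "DC1-LDAPS-ADMINS"
                set group-name "CN=Escalations,CN=Users,DC=Colombas,DC=lab"
            next
        end
    next
end
config system accprofile
    edit "Level3"
        set sysgrp read-write
    next
end
config system admin
    edit "L3-Admins-LDAP"
        set remote-auth enable
        set accprofile "Level3"
        set wildcard enable
        set remote-group "Admins-Escalations"
    next
end
"""

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def _split(line):
    """Tokenise one CLI line, keeping double-quoted values as single tokens."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(line)]


def parse_fortios(text):
    """Return {section path: {entry name: {"set": {key: [values]}, "config": {...}}}}."""
    root = {"set": {}, "config": {}}
    stack = [root]  # alternates entry -> section -> entry as config/edit nest
    for raw in text.splitlines():
        tokens = _split(raw.strip().lstrip("# "))  # tolerate a pasted CLI prompt
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":  # open a (sub)section under the current entry
            stack.append(stack[-1]["config"].setdefault(" ".join(args), {}))
        elif kw == "edit":  # open an entry inside the current section
            stack.append(stack[-1].setdefault(args[0], {"set": {}, "config": {}}))
        elif kw == "set":
            stack[-1]["set"][args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return root["config"]


def check_admin_mapping(config):
    """Return a list of problems found in the admin -> group -> LDAP chain."""
    servers = config.get("user ldap", {})
    groups = config.get("user group", {})
    profiles = config.get("system accprofile", {})
    problems = []
    for name, admin in config.get("system admin", {}).items():
        s = {k: v[0] if v else None for k, v in admin["set"].items()}  # single-value view
        if s.get("remote-auth") != "enable" or s.get("wildcard") != "enable":
            problems.append(f"admin {name}: remote-auth and wildcard must both be enabled")
        if s.get("accprofile") not in profiles:
            problems.append(f"admin {name}: accprofile {s.get('accprofile')!r} does not exist")
        grp = s.get("remote-group")
        if grp not in groups:
            problems.append(f"admin {name}: remote-group {grp!r} does not exist")
            continue
        members = set(groups[grp]["set"].get("member", []))
        for m in sorted(members - set(servers)):
            problems.append(f"group {grp}: member {m!r} is not a configured LDAP server")
        matches = groups[grp]["config"].get("match", {})
        if not matches:  # with no match entry, every user the server authenticates is a member
            problems.append(f"group {grp}: no match entry, so any authenticated user gets this profile")
        for mid, m in matches.items():
            srv = (m["set"].get("server-name") or [None])[0]
            if srv not in members:
                problems.append(f"group {grp} match {mid}: server-name {srv!r} is not a group member")
    return problems


if __name__ == "__main__":
    issues = check_admin_mapping(parse_fortios(SAMPLE_CONFIG))
    print("\n".join(issues) or "mapping is consistent")
```

To run it against a live unit, paste the output of 'show user ldap', 'show user group', 'show system accprofile' and 'show system admin' into SAMPLE_CONFIG (or read them from a file); the parser ignores the leading prompt characters.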

 

Verification

With the above configuration in place, administrators can log in and are assigned the specific admin profile that corresponds to their AD group membership.

Active administrator sessions can be viewed from the 'Administrators' widget in the default 'Status' dashboard.

(Screenshot omitted: 'Administrators' widget on the 'Status' dashboard)

Active sessions can also be seen from the CLI, but the profiles associated with them are not displayed:

FGT1-A # get system info admin status

(Screenshot omitted: output of 'get system info admin status')

However, the command used to disconnect an administrator session lists the active sessions together with their profiles when it is queried with '?':

FGT1-A # execute disconnect-admin-session ?

(Screenshot omitted: output of 'execute disconnect-admin-session ?', listing sessions with their admin profiles)

Additionally, a session can be disconnected by supplying its index to the same command.

(Screenshot omitted: 'execute disconnect-admin-session' run with a session index)

 

 

Troubleshooting

Failed and successful login attempts can be checked under 'Log & Report' > 'System Events'.

(Screenshot omitted: System Events log showing administrator login events)

Debugging information can be collected from the CLI with the commands below:

# diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug enable

Sample output from a successful login is shown below:


# 2022-05-29 10:29:26 [1906] handle_req-Rcvd auth req 353110676 for carlos in Admins-L1 opt=00014001 prot=11
2022-05-29 10:29:26 [466] __compose_group_list_from_req-Group 'Admins-L1', type 1
2022-05-29 10:29:26 [616] fnbamd_pop3_start-carlos
2022-05-29 10:29:26 [378] radius_start-Didn't find radius servers (0)
2022-05-29 10:29:26 [1068] __tac_plus_try_next_server-Try DC1-TACACS+:172.16.1.10
2022-05-29 10:29:26 [358] __tac_plus_dns_cb-Resolved DC1-TACACS+:172.16.1.10 to 172.16.1.10, cur stack size:1
2022-05-29 10:29:26 [278] sock_connect-connecting DC1-TACACS+:172.16.1.10: 172.16.1.10
2022-05-29 10:29:26 [1717] fnbamd_ldap_init-search filter is: sAMAccountName=carlos
2022-05-29 10:29:26 [1727] fnbamd_ldap_init-search base is: dc=colombas,dc=lab
2022-05-29 10:29:26 [115] fnbamd_dns_resolv_ex-DNS req ipv4 0x5 'dc1.colombas.lab'
2022-05-29 10:29:26 [125] fnbamd_dns_resolv_ex-DNS req ipv6 0x2005 'dc1.colombas.lab'
2022-05-29 10:29:26 [137] fnbamd_dns_resolv_ex-DNS maintainer started.
2022-05-29 10:29:26 [633] create_auth_session-Total 2 server(s) to try
2022-05-29 10:29:26 [246] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x5
2022-05-29 10:29:26 [305] fnbamd_dns_parse_resp-req 0x5: 172.16.1.10
2022-05-29 10:29:26 [1149] __fnbamd_ldap_dns_cb-Resolved DC1-LDAPS-ADMINS:dc1.colombas.lab to 172.16.1.10, cur stack size:1
2022-05-29 10:29:26 [924] __fnbamd_ldap_get_next_addr-
2022-05-29 10:29:26 [1154] __fnbamd_ldap_dns_cb-Connection starts DC1-LDAPS-ADMINS:dc1.colombas.lab, addr 172.16.1.10 over SSL
2022-05-29 10:29:26 [879] __fnbamd_ldap_start_conn-Still connecting 172.16.1.10.
2022-05-29 10:29:26 [246] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x2005
2022-05-29 10:29:26 [265] fnbamd_dns_parse_resp-req 0x5: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2022-05-29 10:29:26 [35] __fnbamd_dns_req_del-DNS req 0x5 (0x1008ec00) is removed. Current total: 2
2022-05-29 10:29:26 [47] __fnbamd_dns_req_del-DNS maintainer stopped.
2022-05-29 10:29:26 [1149] __fnbamd_ldap_dns_cb-Resolved DC1-LDAPS-ADMINS:dc1.colombas.lab to ::, cur stack size:0
2022-05-29 10:29:26 [1107] __ldap_connect-tcps_connect(172.16.1.10) is established.
2022-05-29 10:29:26 [985] __ldap_rxtx-state 3(Admin Binding)
2022-05-29 10:29:26 [363] __ldap_build_bind_req-Binding to 'cn=administrator,cn=users,dc=colombas,dc=lab'
2022-05-29 10:29:26 [1083] fnbamd_ldap_send-sending 75 bytes to 172.16.1.10
2022-05-29 10:29:26 [1096] fnbamd_ldap_send-Request is sent. ID 1
2022-05-29 10:29:26 [985] __ldap_rxtx-state 4(Admin Bind resp)
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 14
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 16, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [1052] __ldap_rxtx-Change state to 'DN search'
2022-05-29 10:29:26 [985] __ldap_rxtx-state 11(DN search)
2022-05-29 10:29:26 [750] fnbamd_ldap_build_dn_search_req-base:'dc=colombas,dc=lab' filter:sAMAccountName=carlos
2022-05-29 10:29:26 [1083] fnbamd_ldap_send-sending 75 bytes to 172.16.1.10
2022-05-29 10:29:26 [1096] fnbamd_ldap_send-Request is sent. ID 2
2022-05-29 10:29:26 [985] __ldap_rxtx-state 12(DN search resp)
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 62
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 64, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-entry
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [1225] __fnbamd_ldap_dn_entry-Get DN 'CN=Carlos Colombini,CN=Users,DC=colombas,DC=lab'
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 81
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 83, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 81
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 83, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 65
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 67, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 14
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 16, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [1052] __ldap_rxtx-Change state to 'User Binding'
2022-05-29 10:29:26 [985] __ldap_rxtx-state 5(User Binding)
2022-05-29 10:29:26 [596] fnbamd_ldap_build_userbind_req-Trying DN 'CN=Carlos Colombini,CN=Users,DC=colombas,DC=lab'
2022-05-29 10:29:26 [363] __ldap_build_bind_req-Binding to 'CN=Carlos Colombini,CN=Users,DC=colombas,DC=lab'
2022-05-29 10:29:26 [1083] fnbamd_ldap_send-sending 109 bytes to 172.16.1.10
2022-05-29 10:29:26 [1096] fnbamd_ldap_send-Request is sent. ID 3
2022-05-29 10:29:26 [985] __ldap_rxtx-state 6(User Bind resp)
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 14
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 16, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [1052] __ldap_rxtx-Change state to 'Attr query'
2022-05-29 10:29:26 [985] __ldap_rxtx-state 7(Attr query)
2022-05-29 10:29:26 [649] fnbamd_ldap_build_attr_search_req-Adding attr 'memberOf'
2022-05-29 10:29:26 [661] fnbamd_ldap_build_attr_search_req-base:'CN=Carlos Colombini,CN=Users,DC=colombas,DC=lab' filter:cn=*
2022-05-29 10:29:26 [1083] fnbamd_ldap_send-sending 123 bytes to 172.16.1.10
2022-05-29 10:29:26 [1096] fnbamd_ldap_send-Request is sent. ID 4
2022-05-29 10:29:26 [985] __ldap_rxtx-state 8(Attr query resp)
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 214
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 216, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-entry
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [556] __get_member_of_groups-Get the memberOf groups.
2022-05-29 10:29:26 [522] __retrieve_group_values-Get the memberOf groups.
2022-05-29 10:29:26 [532] __retrieve_group_values- attr='memberOf', found 1 values
2022-05-29 10:29:26 [542] __retrieve_group_values-val[0]='CN=Escalations,CN=Users,DC=colombas,DC=lab'
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 14
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 16, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-result
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [1305] __fnbamd_ldap_attr_next-Entering CHKPRIMARYGRP state
2022-05-29 10:29:26 [1052] __ldap_rxtx-Change state to 'Primary group query'
2022-05-29 10:29:26 [985] __ldap_rxtx-state 13(Primary group query)
2022-05-29 10:29:26 [685] fnbamd_ldap_build_primary_grp_search_req-starting primary group check...
2022-05-29 10:29:26 [689] fnbamd_ldap_build_primary_grp_search_req-number of sub auths 5
2022-05-29 10:29:26 [707] fnbamd_ldap_build_primary_grp_search_req-base:'dc=colombas,dc=lab' filter:(&(objectclass=group)(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\40\54\06\98\ae\31\62\4e\0f\94\22\32\01\02\00\00))
2022-05-29 10:29:26 [1083] fnbamd_ldap_send-sending 122 bytes to 172.16.1.10
2022-05-29 10:29:26 [1096] fnbamd_ldap_send-Request is sent. ID 5
2022-05-29 10:29:26 [985] __ldap_rxtx-state 14(Primary group query resp)
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 111
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 113, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:search-entry
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [472] __get_one_group-group: CN=Domain Users,CN=Users,DC=colombas,DC=lab
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 81
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 83, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:search-reference
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 81
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 83, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:search-reference
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 65
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 67, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:search-reference
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 8
2022-05-29 10:29:26 [1233] fnbamd_ldap_recv-Leftover 2
2022-05-29 10:29:26 [1127] __fnbamd_ldap_read-Read 14
2022-05-29 10:29:26 [1306] fnbamd_ldap_recv-Response len: 16, svr: 172.16.1.10
2022-05-29 10:29:26 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:search-result
2022-05-29 10:29:26 [1023] fnbamd_ldap_parse_response-ret=0
2022-05-29 10:29:26 [1433] __fnbamd_ldap_primary_grp_next-Auth accepted
2022-05-29 10:29:26 [1052] __ldap_rxtx-Change state to 'Done'
2022-05-29 10:29:26 [985] __ldap_rxtx-state 23(Done)
2022-05-29 10:29:26 [1083] fnbamd_ldap_send-sending 7 bytes to 172.16.1.10
2022-05-29 10:29:26 [1096] fnbamd_ldap_send-Request is sent. ID 6
2022-05-29 10:29:26 [785] __ldap_done-svr 'DC1-LDAPS-ADMINS'
2022-05-29 10:29:26 [755] __ldap_destroy-
2022-05-29 10:29:26 [724] __ldap_stop-Conn with 172.16.1.10 destroyed.
2022-05-29 10:29:26 [2678] fnbamd_ldap_result-Result for ldap svr dc1.colombas.lab(DC1-LDAPS-ADMINS) is SUCCESS
2022-05-29 10:29:26 [401] ldap_copy_grp_list-copied CN=Escalations,CN=Users,DC=colombas,DC=lab
2022-05-29 10:29:26 [401] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=colombas,DC=lab
2022-05-29 10:29:26 [1653] fnbam_user_auth_group_match-req id: 353110676, server: DC1-LDAPS-ADMINS, local auth: 0, dn match: 1
2022-05-29 10:29:26 [2690] fnbamd_ldap_result-Passed group matching
2022-05-29 10:29:26 [216] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 353110676, len=2236
2022-05-29 10:29:26 [789] destroy_auth_session-delete session 353110676
2022-05-29 10:29:26 [1077] tac_plus_destroy-DC1-TACACS+
2022-05-29 10:29:26 [755] __ldap_destroy-
2022-05-29 10:29:26 [1764] fnbamd_ldap_auth_ctx_free-Freeing 'DC1-LDAPS-ADMINS' ctx
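Only a handful of the lines in the capture above decide the outcome: the incoming request, the search filter built from 'cnid', the DN found for the user, the memberOf and primary-group values, the LDAP result and the 'dn match' flag. The script below is an added example, not Fortinet tooling: it extracts those fields from fnbamd debug output (a constructed subset of the article's own lines is embedded) and reports which FortiGate user groups would have matched. The group table is constructed from the article's 'Admins-Escalations' match entry plus a hypothetical 'Admins-L1' group; DN comparison is case-insensitive, which is what the capture shows ('DC=Colombas' in the configuration, 'DC=colombas' returned by the directory, and still 'dn match: 1').

```python
"""Summarise fnbamd debug output from an LDAP admin login and explain the outcome.

Added example, not Fortinet tooling. Scans lines of the kind produced by
'diagnose debug application fnbamd -1', pulls out the fields that decide the
login and reports which FortiGate user groups would have matched.
"""
import re

# Constructed sample: a subset of the article's debug lines for the user 'carlos'.
SAMPLE_DEBUG = """\
2022-05-29 10:29:26 [1906] handle_req-Rcvd auth req 353110676 for carlos in Admins-L1 opt=00014001 prot=11
2022-05-29 10:29:26 [1717] fnbamd_ldap_init-search filter is: sAMAccountName=carlos
2022-05-29 10:29:26 [1225] __fnbamd_ldap_dn_entry-Get DN 'CN=Carlos Colombini,CN=Users,DC=colombas,DC=lab'
2022-05-29 10:29:26 [542] __retrieve_group_values-val[0]='CN=Escalations,CN=Users,DC=colombas,DC=lab'
2022-05-29 10:29:26 [472] __get_one_group-group: CN=Domain Users,CN=Users,DC=colombas,DC=lab
2022-05-29 10:29:26 [2678] fnbamd_ldap_result-Result for ldap svr dc1.colombas.lab(DC1-LDAPS-ADMINS) is SUCCESS
2022-05-29 10:29:26 [1653] fnbam_user_auth_group_match-req id: 353110676, server: DC1-LDAPS-ADMINS, local auth: 0, dn match: 1
"""

# Constructed table: FortiGate user group -> 'group-name' of its config match entry.
# 'Admins-Escalations' is the article's group; 'Admins-L1' is a hypothetical second one.
GROUP_MATCHES = {
    "Admins-Escalations": "CN=Escalations,CN=Users,DC=Colombas,DC=lab",
    "Admins-L1": "CN=Level1,CN=Users,DC=Colombas,DC=lab",
}

# Each rule names a field and the regex that extracts it from one debug line.
_RULES = [
    ("request", re.compile(r"handle_req-Rcvd auth req (\d+) for (\S+) in (\S+)")),
    ("filter", re.compile(r"search filter is: (.+)$")),
    ("dn", re.compile(r"__fnbamd_ldap_dn_entry-Get DN '([^']+)'")),
    ("group", re.compile(r"__retrieve_group_values-val\[\d+\]='([^']+)'")),
    ("group", re.compile(r"__get_one_group-group: (.+)$")),
    ("result", re.compile(r"fnbamd_ldap_result-Result for ldap svr (\S+) is (\w+)")),
    ("dn_match", re.compile(r"fnbam_user_auth_group_match-.*dn match: (\d)")),
]


def parse_fnbamd(text):
    """Reduce a debug capture to a dict of the fields that decide the login."""
    info = {"groups": []}  # every directory group fnbamd found for the user
    for line in text.splitlines():
        for field, rx in _RULES:
            m = rx.search(line)
            if not m:
                continue
            if field == "request":
                info["req_id"], info["user"], info["requested_group"] = m.groups()
            elif field == "group":
                info["groups"].append(m.group(1))
            elif field == "result":
                info["server"], info["result"] = m.groups()
            elif field == "dn_match":
                info["dn_match"] = m.group(1) == "1"
            else:
                info[field] = m.group(1)
            break
    return info


def normalize_dn(dn):
    """Comparison key for a DN: AD DNs match without regard to case or RDN spacing."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def matched_groups(info, group_table=GROUP_MATCHES):
    """FortiGate user groups whose match DN is among the user's directory groups."""
    have = {normalize_dn(g) for g in info["groups"]}
    return sorted(name for name, dn in group_table.items() if normalize_dn(dn) in have)


def explain(info, group_table=GROUP_MATCHES):
    """One-line verdict a troubleshooter can act on."""
    if info.get("result") != "SUCCESS":
        return f"authentication failed for {info.get('user')}: {info.get('result')}"
    hits = matched_groups(info, group_table)
    if not hits:
        return f"{info['user']} authenticated but belongs to none of the mapped AD groups"
    return f"{info['user']} authenticated; matching FortiGate groups: {', '.join(hits)}"


if __name__ == "__main__":
    print(explain(parse_fnbamd(SAMPLE_DEBUG)))
```

When a user authenticates successfully but gets no profile, the useful comparison is between the DN values in 'groups' and the 'group-name' of the match entry: a typo in the OU path or a user whose only membership is via the primary group shows up here before anything else.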


Related Articles

Technical Tip: How to configure LDAP server
Technical Tip: Configuring LDAP over SSL (LDAPS)
Technical Tip: FortiGate LDAP Common Problems
