Solution
This is expected behaviour: when both LDAP and TACACS+ servers (Remote + Wildcard) are configured on the FortiGate, the remote authentication server that actually authenticates the user is not fixed. Both servers are queried, and the one that responds to the authentication request first is used.
Whichever server responds faster authenticates the user.
Which server is used therefore depends on the user's network environment (server load, DNS resolution time, and the network path to each server).
The debug logs in the following case show that the LDAP server responded faster than the TACACS+ server: the TACACS+ request is still pending when the LDAP result arrives, the LDAP result is sent back to the caller, and the TACACS+ session is then torn down.
2025-04-25 18:50:33 [1916] handle_req-Rcvd auth req 1245252982 for 9000088 in ad_nws_group opt=00014001 prot=11
2025-04-25 18:50:33 [475] __compose_group_list_from_req-Group 'ad_nws_group', type 1
2025-04-25 18:50:33 [616] fnbamd_pop3_start-9000088
2025-04-25 18:50:33 [380] radius_start-Didn't find radius servers (0)
2025-04-25 18:50:33 [1074] __tac_plus_try_next_server-Try tbtacacs-group:192.168.11.141
2025-04-25 18:50:33 [360] __tac_plus_dns_cb-Resolved tbtacacs-group:192.168.11.141 to 192.168.11.141, cur stack size:1
2025-04-25 18:50:33 [279] sock_connect-connecting tbtacacs-group:192.168.11.141: 192.168.11.141
2025-04-25 18:50:33 [1735] fnbamd_ldap_init-search filter is: sAMAccountName=9000088
2025-04-25 18:50:33 [1745] fnbamd_ldap_init-search base is: dc=Fortinet,dc=work
2025-04-25 18:50:33 [115] fnbamd_dns_resolv_ex-DNS req ipv4 0x1f 'ldap.Fortinet.bz'
2025-04-25 18:50:33 [125] fnbamd_dns_resolv_ex-DNS req ipv6 0x201f 'ldap.Fortinet.bz'
2025-04-25 18:50:33 [137] fnbamd_dns_resolv_ex-DNS maintainer started.
2025-04-25 18:50:33 [642] create_auth_session-Total 2 server(s) to try
2025-04-25 18:50:33 [392] is_sock_connected-tcp connected
2025-04-25 18:50:33 [499] build_authen_start-building authen start packet: authen_type=2(pap)
2025-04-25 18:50:33 [765] tac_plus_result-Authen sending request
2025-04-25 18:50:33 [407] pak_send-Encrypting pkt
2025-04-25 18:50:33 [1210] fsm_tac_plus_update_result-Continue pending for req 1245252982
... (omitted) ...
2025-04-25 18:50:33 [2688] fnbamd_ldap_result-Result for ldap svr ldap.Fortinet.bz(ldap.dc1.gslb) is SUCCESS
2025-04-25 18:50:33 [405] ldap_copy_grp_list-copied CN=Infra NE For maintenance(Fortinet),OU=maintenance,OU=PVDI_NAS,OU=Groups,OU=Fortinet,DC=Fortinet,DC=work
2025-04-25 18:50:33 [405] ldap_copy_grp_list-copied CN=Fortimaintenance,OU=Partner,OU=Groups,OU=Fortinet,DC=Fortinet,DC=work
2025-04-25 18:50:33 [405] ldap_copy_grp_list-copied CN=Bank_One_Groups,OU=Bank_One,OU=Groups,OU=Fortinet,DC=Fortinet,DC=work
2025-04-25 18:50:33 [405] ldap_copy_grp_list-copied CN=nw_bp_fortinet,OU=IDC,OU=Groups,OU=Fortinet,DC=Fortinet,DC=work
2025-04-25 18:50:33 [405] ldap_copy_grp_list-copied CN=nw_mgmt,OU=IDC,OU=Groups,OU=Fortinet,DC=Fortinet,DC=work
2025-04-25 18:50:33 [405] ldap_copy_grp_list-copied CN=InfraPartner,OU=Fortinet_Partner,OU=Groups,OU=Fortinet,DC=Fortinet,DC=work
2025-04-25 18:50:33 [405] ldap_copy_grp_list-copied CN=Other Partner,OU=SAC,OU=Groups,OU=Fortinet,DC=Fortinet,DC=work
2025-04-25 18:50:33 [405] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=Fortinet,DC=work
2025-04-25 18:50:33 [405] ldap_copy_grp_list-copied CN=Users,CN=Builtin,DC=Fortinet,DC=work
2025-04-25 18:50:33 [405] ldap_copy_grp_list-copied CN=nw_Fortinet,OU=IDC,OU=Groups,OU=Fortinet,DC=Fortinet,DC=work
2025-04-25 18:50:33 [405] ldap_copy_grp_list-copied CN=PartnerShare_RO,OU=PVDI_NAS,OU=Groups,OU=Fortinet,DC=Fortinet,DC=work
2025-04-25 18:50:33 [1709] fnbam_user_auth_group_match-req id: 1245252982, server: ldap.dc1.gslb, local auth: 0, dn match: 1
2025-04-25 18:50:33 [2700] fnbamd_ldap_result-Passed group matching
2025-04-25 18:50:33 [216] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 1245252982, len=2898
2025-04-25 18:50:33 [798] destroy_auth_session-delete session 1245252982
2025-04-25 18:50:33 [1083] tac_plus_destroy-tbtacacs-group
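Because the winning server also decides which group list is matched, it is worth checking per request which backend's answer fnbamd actually forwarded. The following parser is an added example, not part of this article or of FortiOS; its patterns are taken from the debug lines above (the TACACS+ attribution is an inference from a successful result with no LDAP SUCCESS line, since this capture contains no TACACS+ result line), and it assumes one authentication request is in flight at a time.

```python
import re

# Patterns derived from the fnbamd debug lines quoted on this page.
RE_REQ = re.compile(r"handle_req-Rcvd auth req (\d+) for (\S+) in (\S+)")
RE_TOTAL = re.compile(r"create_auth_session-Total (\d+) server\(s\) to try")
RE_TAC = re.compile(r"__tac_plus_try_next_server-Try (\S+)")
RE_LDAP = re.compile(r"fnbamd_ldap_result-Result for ldap svr (\S+) is (\w+)")
RE_SEND = re.compile(r"fnbamd_comm_send_result-Sending result (\d+) .* for req (\d+)")

def winning_server(s: dict) -> str:
    """Name the server whose answer fnbamd forwarded (result 0 = success)."""
    if s["result"] is None:
        return "undecided"
    ok = [srv for srv, r in s["ldap"].items() if r == "SUCCESS"]
    if ok:
        return "ldap:" + ok[0]
    # Inference, not a logged fact: a success with no LDAP SUCCESS line came from TACACS+.
    if s["result"] == 0 and s["tacacs"]:
        return "tacacs+:" + s["tacacs"][-1]
    return "none"

def parse_fnbamd_debug(text: str) -> dict:
    """Group debug lines by request id; assumes one request in flight at a time."""
    sessions, cur = {}, None
    for line in text.splitlines():
        if m := RE_REQ.search(line):
            cur = sessions[m[1]] = {"user": m[2], "group": m[3], "servers": 1,
                                    "tacacs": [], "ldap": {}, "result": None}
        elif cur is None:
            continue
        elif m := RE_TOTAL.search(line):
            cur["servers"] = int(m[1])          # >1 means the servers are raced
        elif m := RE_TAC.search(line):
            cur["tacacs"].append(m[1])
        elif m := RE_LDAP.search(line):
            cur["ldap"][m[1]] = m[2]
        elif (m := RE_SEND.search(line)) and m[2] in sessions:
            sessions[m[2]]["result"] = int(m[1])
    for s in sessions.values():
        s["raced"], s["winner"] = s["servers"] > 1, winning_server(s)
    return sessions

# Constructed sample: the decisive lines of the debug output shown on this page.
SAMPLE = """\
2025-04-25 18:50:33 [1916] handle_req-Rcvd auth req 1245252982 for 9000088 in ad_nws_group opt=00014001 prot=11
2025-04-25 18:50:33 [1074] __tac_plus_try_next_server-Try tbtacacs-group:192.168.11.141
2025-04-25 18:50:33 [642] create_auth_session-Total 2 server(s) to try
2025-04-25 18:50:33 [2688] fnbamd_ldap_result-Result for ldap svr ldap.Fortinet.bz(ldap.dc1.gslb) is SUCCESS
2025-04-25 18:50:33 [216] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 1245252982, len=2898
"""
```

Feed it the output of `diagnose debug application fnbamd -1` saved to a file; a request with `raced` set to True and a `winner` that changes between runs is the behaviour this article describes.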
For more information, see the article Troubleshooting Tip: FortiGate LDAP troubleshooting and debug logs created by fnbamd.