This article provides the configuration required for recursive LDAP search in Microsoft Active Directory.
The purpose is to authorize the members of all subgroups by defining only the top level group in the FortiManager/FortiAnalyzer configuration.
FortiManager after 6.2.2.
FortiAnalyzer after 6.2.2.
Replace the default filter string in the FortiManager/FortiAnalyzer LDAP Server object, in order to allow searching in nested groups:
# config system admin ldap
edit "<your_server_name_here>"
...
set filter (|(&(objectclass=group)(member:1.2.840.113556.1.4.1941:=%u))(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%pg)))
...
next
end
Note:
This is an Active Directory specific filter.
Other LDAP servers may support recursive search by default, or may require different filter syntax.
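Added example (not from the Fortinet article): a small Python emulation of how Active Directory evaluates the matching-rule-in-chain operator (OID 1.2.840.113556.1.4.1941) over a constructed three-level group nesting, showing why a plain (member=%u) test misses nested members while the recursive filter above matches the top-level group. The directory contents are constructed, and %u and %pg are assumed here to expand to the user DN and the user's primary group DN.

```python
# Added example, not Fortinet code. Emulates LDAP_MATCHING_RULE_IN_CHAIN semantics
# over a constructed directory so the effect of the recursive filter can be seen offline.
OID_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed sample directory: each entry lists its objectClass and direct members.
# alice is only a direct member of Helpdesk-EU, which is nested two levels below FMG-Admins.
DIRECTORY = {
    "CN=FMG-Admins,OU=Groups,DC=example,DC=com": {"objectClass": "group",
        "member": ["CN=Region-EU,OU=Groups,DC=example,DC=com"]},
    "CN=Region-EU,OU=Groups,DC=example,DC=com": {"objectClass": "group",
        "member": ["CN=Helpdesk-EU,OU=Groups,DC=example,DC=com"]},
    "CN=Helpdesk-EU,OU=Groups,DC=example,DC=com": {"objectClass": "group",
        "member": ["CN=alice,OU=Users,DC=example,DC=com"]},
    "CN=alice,OU=Users,DC=example,DC=com": {"objectClass": "user", "member": []},
}

def transitive_members(group_dn, directory, seen=None):
    """All DNs reachable through 'member', following nested groups; 'seen' guards cycles."""
    seen = set() if seen is None else seen
    for dn in directory.get(group_dn, {}).get("member", []):
        if dn not in seen:
            seen.add(dn)
            transitive_members(dn, directory, seen)
    return seen

def groups_matching(user_dn, directory, recursive):
    """Groups returned for (member=user) when recursive=False, or for
    (member:1.2.840.113556.1.4.1941:=user) when recursive=True."""
    result = []
    for dn, attrs in directory.items():
        if attrs["objectClass"] != "group":
            continue
        members = transitive_members(dn, directory) if recursive else set(attrs["member"])
        if user_dn in members:
            result.append(dn)
    return sorted(result)

def build_filter(user_dn, primary_group_dn):
    """Expand the article's filter; assumption: %u is the user DN, %pg the primary group DN."""
    template = ("(|(&(objectclass=group)(member:{oid}:=%u))"
                "(&(objectClass=group)(member:{oid}:=%pg)))").format(oid=OID_IN_CHAIN)
    return template.replace("%u", user_dn).replace("%pg", primary_group_dn)

if __name__ == "__main__":
    alice = "CN=alice,OU=Users,DC=example,DC=com"
    print("direct only:", groups_matching(alice, DIRECTORY, recursive=False))
    print("recursive:  ", groups_matching(alice, DIRECTORY, recursive=True))
    print(build_filter(alice, "CN=Domain Users,CN=Users,DC=example,DC=com"))
```

With the recursive operator the top-level FMG-Admins group is returned for alice, so defining only that group in the FortiManager/FortiAnalyzer configuration is enough to authorize her.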
Detailed article on how to authorize Active Directory groups as remote administrators can be found here:
Copyright 2024 Fortinet, Inc. All Rights Reserved.