iyotov
Staff
Article Id 220206
Description


This article provides the configuration required for recursive LDAP group search in Microsoft Active Directory.
The purpose is to authorize the members of all nested subgroups by defining only the top-level group in the FortiManager/FortiAnalyzer configuration.


Scope


FortiManager after 6.2.2.

FortiAnalyzer after 6.2.2.


Solution


Replace the default filter string in the FortiManager/FortiAnalyzer LDAP Server object so that group membership is also resolved through nested groups:


# config system admin ldap
  edit "<your_server_name_here>"
    ...
    set filter (|(&(objectclass=group)(member:1.2.840.113556.1.4.1941:=%u))(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%pg)))
    ...
  next
end


Note:

This is an Active Directory specific filter.

Other LDAP servers may support recursive search by default, or may require a different filter syntax.
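As an added example (not Fortinet's code), the following Python models what the filter above asks the domain controller to do: the 1.2.840.113556.1.4.1941 matching rule walks the member attribute transitively, so a user in a subgroup at any depth matches the top-level group, and a nesting cycle between two groups must not loop forever. The directory contents and DNs are constructed for the example, and %u and %pg are assumed here to stand for the user's DN and the DN of the user's primary group.

```python
from collections import deque

# Constructed sample directory (made up for this example): group DN -> member DNs.
# NetOps nests in FMG-Admins, Tier2 nests in NetOps, and Tier2 also lists NetOps
# to create a cycle that the chain walk must tolerate.
SAMPLE_DIRECTORY = {
    "CN=FMG-Admins,OU=Groups,DC=example,DC=com": [
        "CN=NetOps,OU=Groups,DC=example,DC=com",
        "CN=alice,OU=Users,DC=example,DC=com",
    ],
    "CN=NetOps,OU=Groups,DC=example,DC=com": [
        "CN=Tier2,OU=Groups,DC=example,DC=com",
        "CN=bob,OU=Users,DC=example,DC=com",
    ],
    "CN=Tier2,OU=Groups,DC=example,DC=com": [
        "CN=carol,OU=Users,DC=example,DC=com",
        "CN=NetOps,OU=Groups,DC=example,DC=com",
    ],
    "CN=Guests,OU=Groups,DC=example,DC=com": ["CN=dave,OU=Users,DC=example,DC=com"],
}

# Filter string from the article. %u and %pg are assumed to be the appliance placeholders
# for the authenticating user's DN and the DN of that user's primary group.
FILTER_TEMPLATE = ("(|(&(objectclass=group)(member:1.2.840.113556.1.4.1941:=%u))"
                   "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%pg)))")

def render_filter(user_dn, primary_group_dn):
    """Substitute the placeholders the way the appliance does before it searches."""
    return FILTER_TEMPLATE.replace("%u", user_dn).replace("%pg", primary_group_dn)

def groups_in_chain(directory, dn):
    """Groups whose member attribute transitively reaches dn, i.e. what the
    1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) rule matches."""
    parents = {}                       # member DN -> groups listing it directly
    for group, members in directory.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    seen, queue = set(), deque([dn])
    while queue:                       # breadth-first walk; 'seen' breaks cycles
        for parent in parents.get(queue.popleft(), ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen

def is_authorized(directory, user_dn, primary_group_dn, admin_group_dn):
    """True when the configured top-level group is among the groups the filter returns."""
    matched = groups_in_chain(directory, user_dn) | groups_in_chain(directory, primary_group_dn)
    return admin_group_dn in matched
```

With the default non-recursive filter only alice (a direct member) would be authorized for FMG-Admins; with the chain rule carol, two levels down, is authorized as well, while dave in the unrelated Guests group is not.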


A detailed article on how to authorize Active Directory groups as remote administrators can be found here:

https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-LDAP-Configuring-Active-Directory-grou... 
