This article provides the configuration required for recursive LDAP search in Microsoft Active Directory.
The purpose is to authorize the members of all nested subgroups by defining only the top-level group in the FortiManager/FortiAnalyzer configuration.
FortiManager after 6.2.2.
FortiAnalyzer after 6.2.2.
Replace the default filter string in the FortiManager/FortiAnalyzer LDAP Server object in order to allow searching in nested groups:
# config system admin ldap
    edit "<your_server_name_here>"
        ...
        set filter "(|(&(objectclass=group)(member:1.2.840.113556.1.4.1941:=%u))(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%pg)))"
        ...
    next
end
Note:
This is an Active Directory specific filter.
Other LDAP servers may support recursive search by default, or may require different filter syntax.
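The following is an added, offline model of what the filter above asks Active Directory to do; it is not part of the original article or of the Fortinet product. The matching rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the server follow the member attribute transitively, so a user two levels down still matches the top-level group. The directory data, DNs and group names are constructed, and the example assumes %u expands to the authenticating user's DN and %pg to the DN of that user's primary group.

```python
from __future__ import annotations

# Constructed sample directory (not real data): group DN -> DNs listed in its
# "member" attribute. Users sit two levels below the top-level admin group.
TOP = "CN=FMG-Admins,OU=Groups,DC=example,DC=com"
TIER1 = "CN=Tier1,OU=Groups,DC=example,DC=com"
TIER2 = "CN=Tier2,OU=Groups,DC=example,DC=com"
PRIMARY = "CN=Domain Users,CN=Users,DC=example,DC=com"
ALICE = "CN=alice,OU=Users,DC=example,DC=com"
BOB = "CN=bob,OU=Users,DC=example,DC=com"
DIRECTORY = {TOP: [TIER1], TIER1: [TIER2, ALICE], TIER2: [BOB], PRIMARY: []}

# The filter from the article; the appliance substitutes %u and %pg at login
# (assumption: %u = user DN, %pg = primary group DN).
FILTER_TEMPLATE = (
    "(|(&(objectclass=group)(member:1.2.840.113556.1.4.1941:=%u))"
    "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%pg)))"
)

def render_filter(user_dn: str, primary_group_dn: str) -> str:
    """Expand the tokens into the filter that would actually be searched."""
    return FILTER_TEMPLATE.replace("%u", user_dn).replace("%pg", primary_group_dn)

def direct_groups(dn: str) -> set[str]:
    """Plain (member=<dn>) semantics: only groups that list dn directly."""
    return {g for g, members in DIRECTORY.items() if dn in members}

def chain_groups(dn: str) -> set[str]:
    """(member:1.2.840.113556.1.4.1941:=<dn>) semantics: follow the member
    chain upward until no new groups appear; the seen-set guards cycles."""
    seen, frontier = set(), {dn}
    while frontier:
        parents = set().union(*(direct_groups(d) for d in frontier)) - seen
        seen |= parents
        frontier = parents
    return seen

def authorized(user_dn: str, primary_group_dn: str, top_group: str,
               recursive: bool = True) -> bool:
    """True if the search for this user would return the configured group.
    The %pg branch exists because AD does not list a user in the member
    attribute of its primary group; that membership lives in primaryGroupID."""
    lookup = chain_groups if recursive else direct_groups
    return top_group in (lookup(user_dn) | lookup(primary_group_dn))

if __name__ == "__main__":
    print(render_filter(BOB, PRIMARY))
    print("bob authorized via nested group:", authorized(BOB, PRIMARY, TOP))
    print("bob authorized with direct match only:", authorized(BOB, PRIMARY, TOP, False))
```

With the default non-recursive match, bob is rejected because only Tier2 lists him directly; with the chained rule the search also returns Tier1 and FMG-Admins.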
See this detailed article for steps on how to authorize Active Directory groups as remote administrators. Scenario #2 in that article does not work for the nested groups described here.
Copyright 2025 Fortinet, Inc. All Rights Reserved.