Description: This article describes how to set up multiple wildcard LDAP administrator groups with different access rights on FortiManager/FortiAnalyzer.
Scope: FortiManager, FortiAnalyzer.
Solution:
There are 2 options to set up a wildcard administrator based on a remote authentication server group.
Warning: Plan in advance which AD groups should have which privileges, and whether some administrators are members of multiple groups, because the order in which the remote authentication server objects and administrator profiles are created matters.
The first approach consists of pulling all user groups from the AD and matching them against wildcard administrator profiles, each filtered by a particular group:
1) Create a remote AD server:
# config system admin ldap
    edit "LDAP"
        set server "192.168.0.10"
        set cnid "sAMAccountName"
        set dn "dc=domain,dc=com"
        set type regular
        set username "administrator@domain.com"
        set password <password>
        set memberof-attr "memberOf"    <---- Specify the AD attribute where the group membership is located.
    end
- In the GUI, the group membership setting is under 'Advanced Options'.
2) Create a wildcard administrator and add an 'ext-auth-group-match' restriction to each admin profile:
# config system admin user
    edit "new"                                                    <----- Admin group name.
        set profileid "Standard_User"                             <----- Select the desired admin profile.
        set adom-access all
        set user_type ldap
        set ldap-server "LDAP"
        set wildcard enable                                       <----- Enable wildcard admin.
        set ext-auth-group-match "CN=group1,OU=Groups,DC=domain,DC=com"    <----- Specify the group to match from the user's 'memberof-attr'.
    end
- In the GUI, the admin group setting is under 'Advanced Options'.
The second approach consists of defining the group allocation per AD server object and matching each wildcard administrator with the LDAP server object where the restriction is defined.
1) Create AD server objects specifying the AD group parameter:
# config system admin ldap
    edit "LDAP"
        set server "192.168.0.10"
        set cnid "sAMAccountName"
        set dn "dc=domain,dc=com"
        set type regular
        set username "administrator@domain.com"
        set password <password>
        set group "CN=group1,OU=Groups,DC=domain,DC=com"    <----- Define the group filter.
    next
    edit "LDAP2"
        set server "192.168.0.10"                           <----- Can be the same or a different AD server.
        set cnid "sAMAccountName"
        set dn "dc=domain,dc=com"
        set type regular
        set username "administrator@domain.com"
        set password <password>
        set group "CN=group2,OU=Groups,DC=domain,DC=com"    <----- Different group.
    next
end
- In the GUI, the group setting is under 'Advanced Options'.
2) Create the wildcard administrator groups and match each one with the correct AD server object:
# config system admin user
    edit "LDAP"                          <----- Admin group name.
        set profileid "Standard_User"    <----- Select the desired profile type.
        set adom-access all
        set user_type ldap
        set ldap-server "LDAP"           <----- Select the AD server object whose group filter matches the expectations of this profile type.
        set wildcard enable              <----- Enable wildcard admin.
    end
- In the GUI, the same settings are entered when creating the administrator.
Notes:
- It is possible to use the 'print tablesize' CLI command to see how many objects can be created on the FortiManager/FortiAnalyzer, or to check the Maximum Values reference manual.
- If neither an 'ext-auth-group-match' parameter under the wildcard administrator nor a group filter under the LDAP server configuration is specified, any AD user that can be found under 'dn' might be able to log in as a FortiManager administrator.
- For more information about creating wildcard administrators, it is possible to check the following:
- For troubleshooting authentication issues, it is possible to use the following commands:
# diagnose debug reset
# diagnose debug timestamp enable
# diagnose debug application fnbam 255    <----- FortiManager/FortiAnalyzer 6.4.2 and below.
# diagnose debug application auth 255     <----- FortiManager/FortiAnalyzer 6.4.3+.
# diagnose debug enable
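The Warning at the top of the article (plan which groups get which privileges, and watch for administrators in several groups, because creation order matters) and the second Note (an entry with neither 'ext-auth-group-match' nor a server-side group filter admits any user under 'dn') are both things worth checking on paper before typing the configuration in. The following Python script is an added example, not Fortinet code, that audits such a design offline. It models the two approaches from the article as plain data: LDAP server objects with an optional group filter (approach 2) and wildcard admin entries with an optional 'ext-auth-group-match' (approach 1), both in creation order. It assumes that entries are evaluated in creation order with the first match winning, which is the natural reading of the Warning but is not spelled out by the article, and it compares DNs case-insensitively while ignoring whitespace around ',' and '='; the appliance's exact comparison rules may be stricter. The sample users, their memberOf values and the profile names are constructed for the example.

```python
"""Offline audit of a planned FortiManager/FortiAnalyzer wildcard-admin design.

Added example, not Fortinet's code. Assumptions not stated by the article:
  * wildcard admin entries are evaluated in creation order, first match wins;
  * DN comparison is case-insensitive and ignores padding around ',' and '='.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing DNs: lower-case, no padding around ',' and '='."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip()}={value.strip()}")
    return ",".join(rdns).lower()


@dataclass
class LdapServer:
    name: str
    group: Optional[str] = None  # 'set group "<DN>"' (approach 2); None if unset


@dataclass
class WildcardAdmin:
    name: str
    profileid: str
    ldap_server: str
    ext_auth_group_match: Optional[str] = None  # approach 1 restriction; None if unset


@dataclass
class AdUser:
    sam: str                                           # sAMAccountName (the 'cnid')
    member_of: List[str] = field(default_factory=list)  # values of the 'memberOf' attribute


def _required_group(admin: WildcardAdmin, servers: List[LdapServer]) -> Optional[str]:
    """Group DN a user must carry for this entry: the entry's own
    ext-auth-group-match, else its LDAP server's group filter, else None."""
    server = next(s for s in servers if s.name == admin.ldap_server)
    return admin.ext_auth_group_match or server.group


def unrestricted_entries(servers, admins) -> List[str]:
    """Entries with no group restriction on either object: per the article's
    Notes, any user found under the server's 'dn' could log in through them."""
    return [a.name for a in admins if _required_group(a, servers) is None]


def matching_entries(user, servers, admins) -> List[str]:
    """All entries (in creation order) whose restriction the user's groups satisfy."""
    groups = {normalize_dn(g) for g in user.member_of}
    hits = []
    for a in admins:
        required = _required_group(a, servers)
        if required is None or normalize_dn(required) in groups:
            hits.append(a.name)
    return hits


def effective_profile(user, servers, admins) -> Optional[Tuple[str, str]]:
    """(entry name, profileid) the user gets under first-match-in-creation-order."""
    hits = matching_entries(user, servers, admins)
    if not hits:
        return None
    first = next(a for a in admins if a.name == hits[0])
    return first.name, first.profileid


def multi_group_users(users, servers, admins) -> Dict[str, List[str]]:
    """Users matching more than one entry: the Warning's case to plan for,
    since only the first entry in creation order takes effect."""
    report = {}
    for u in users:
        hits = matching_entries(u, servers, admins)
        if len(hits) > 1:
            report[u.sam] = hits
    return report


# Constructed sample design mirroring the article's CLI objects.
GROUP1 = "CN=group1,OU=Groups,DC=domain,DC=com"
GROUP2 = "CN=group2,OU=Groups,DC=domain,DC=com"
SERVERS = [
    LdapServer("LDAP"),                 # approach 1: restriction lives on the admin entry
    LdapServer("LDAP2", group=GROUP2),  # approach 2: restriction lives on the server object
]
ADMINS = [
    WildcardAdmin("admins", "Super_User", "LDAP", ext_auth_group_match=GROUP1),
    WildcardAdmin("readers", "Standard_User", "LDAP2"),
]
# Same design plus one entry that forgot both restrictions (the Notes' pitfall).
LOOSE_ADMINS = ADMINS + [WildcardAdmin("everyone", "Restricted_User", "LDAP")]
# Constructed sample users; memberOf values deliberately vary in letter case.
USERS = [
    AdUser("alice", ["cn=group1,ou=groups,dc=domain,dc=com"]),
    AdUser("bob", [GROUP2]),
    AdUser("carol", [GROUP1, GROUP2]),  # member of both groups
    AdUser("dave", []),                 # valid AD account, no admin group
]

if __name__ == "__main__":
    print("unrestricted entries:", unrestricted_entries(SERVERS, LOOSE_ADMINS))
    print("multi-group users:", multi_group_users(USERS, SERVERS, ADMINS))
    for u in USERS:
        print(u.sam, "->", effective_profile(u, SERVERS, ADMINS),
              "| with loose entry:", effective_profile(u, SERVERS, LOOSE_ADMINS))
```

Running it shows 'carol' listed as a multi-group user (she receives the first entry's profile, Super_User, regardless of the second), 'dave' getting no access with the restricted design but Restricted_User once the unrestricted 'everyone' entry is added, and that entry flagged by unrestricted_entries.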
Copyright 2024 Fortinet, Inc. All Rights Reserved.