Created on 03-31-2021 01:08 AM Edited on 01-30-2023 08:07 AM By Stephen_G
Description
This article describes how to resolve an issue where the WAD user group membership is not updated after a user's group is changed in Active Directory (AD). For example, user A was in user group 1 but has been moved to user group 2 in AD, yet FortiProxy still treats user A as a member of group 1.
Scope
All currently supported versions of FortiProxy.
Solution
This issue is caused by the LDAP user cache in FortiProxy: the WAD process keeps the group membership it learned when the user authenticated, so a later change in AD is not seen until the cached entry is cleared.
If the user is already authenticated, deauthenticate the user first.
To do this in the GUI, select the user and select Deauthenticate.
To do this in the CLI, first list the authenticated users to find the user's ID and IP address:
# diagnose firewall auth list
Next, deauthenticate the user with that ID and IP, in the VDOM the user belongs to:
# diagnose wad user clear <ID> <IP> <VDOM>
Then clear the WAD LDAP user cache and refresh it:
# diagnose wad ldap user clear
# diagnose wad ldap user refresh
The user's group membership will be updated once FortiProxy receives a new, successful authentication from the user.
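The whole procedure above (find the user's sessions, clear each of them, then clear and refresh the WAD LDAP cache) as a small POSIX shell helper that generates the exact CLI lines to run. This is an added example, not part of the Fortinet article and not Fortinet tooling: the 'diagnose firewall auth list' output it parses is a constructed sample, and the assumed layout (an 'IP, username' header line followed by an indented 'type: fw, id: N, ...' line) is modelled on FortiOS output and must be checked against your own unit before you rely on it. The VDOM name 'root' is likewise an assumption. The helper covers the case the article's single command does not spell out: the same user may hold several authenticated sessions, and every one of them has to be cleared before the cache refresh does any good.

```shell
#!/bin/sh
# Added example, not from the Fortinet article. Builds the FortiProxy CLI lines
# for the "deauthenticate, then clear and refresh the WAD LDAP cache" procedure.
# ASSUMPTION: 'diagnose firewall auth list' prints one "<ip>, <username>" header
# line per session followed by an indented "type: fw, id: <n>, ..." line.
# Verify against your unit; the sample below is constructed, not captured.

SAMPLE_AUTH_LIST='10.1.10.21, alice
        type: fw, id: 0, duration: 3610, idled: 12
        expire: 288, allow-idle: 300
        flag(80): auth
        server: AD-LDAP
        group_id: 1
        group_name: Group1
10.1.10.22, bob
        type: fw, id: 1, duration: 120, idled: 3
        expire: 297, allow-idle: 300
        flag(80): auth
        server: AD-LDAP
        group_id: 2
        group_name: Group2
10.1.20.5, alice
        type: fw, id: 2, duration: 40, idled: 1
        expire: 299, allow-idle: 300
        flag(80): auth
        server: AD-LDAP
        group_id: 1
        group_name: Group1
----- 3 listed, 0 filtered ------'

# sessions_for USER AUTH_LIST_TEXT
# Prints "<id> <ip>" for every authenticated session belonging to USER,
# one per line; prints nothing if the user is not logged in.
sessions_for() {
    printf '%s\n' "$2" | awk -v user="$1" '
        # Session header: "<ip>, <username>"  (assumed layout)
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+, / {
            ip = $1; sub(/,$/, "", ip)
            name = $2
            next
        }
        # Detail line carrying the session id, e.g. "type: fw, id: 2, duration: 40, ..."
        name == user && /^ *type: / {
            for (i = 1; i <= NF; i++)
                if ($i == "id:") { id = $(i + 1); sub(/,$/, "", id); print id, ip }
        }'
}

# clear_user_commands USER VDOM AUTH_LIST_TEXT
# Prints the CLI lines in the order the article requires: first clear each of
# the user's sessions (nothing is printed if there are none), then clear and
# refresh the WAD LDAP user cache so the next login re-reads the group from AD.
clear_user_commands() {
    user=$1; vdom=$2; list=$3
    sessions_for "$user" "$list" | while read -r id ip; do
        if [ -n "$id" ]; then
            echo "diagnose wad user clear $id $ip $vdom"
        fi
    done
    echo "diagnose wad ldap user clear"
    echo "diagnose wad ldap user refresh"
}

# Usage: paste the real auth-list output into a file and run, for example
#   clear_user_commands alice root "$(cat auth-list.txt)"
clear_user_commands alice root "$SAMPLE_AUTH_LIST"
```

For the constructed sample this prints two 'diagnose wad user clear' lines for alice (sessions 0 and 2) followed by the cache clear and refresh; for a user with no session it prints only the two cache commands, which are still safe to run.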
An alternative method that prevents the issue from recurring is to disable the WAD LDAP user cache:
# config web-proxy global
set ldap-user-cache disable
end
enable: LDAP authentication is performed by WAD on the basis of its cached user information.
disable: LDAP authentication is performed by fnbamd for every request, so the WAD cache is not consulted.
Note that the 'ldap-user-cache' option only works with Windows AD. For LDAP servers from other vendors, such as Novell eDirectory, 'ldap-user-cache' should be disabled.
Copyright 2024 Fortinet, Inc. All Rights Reserved.