FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
ssriswadpong
Staff & Editor
Article Id 197768

Description


This article describes how to solve an issue where the WAD user group is not updated after a user's group membership is changed in AD. For example, user A was in user group 1 but has been moved to user group 2 in AD.

 

Scope

 

FortiProxy.

Solution

 

This issue is caused by the LDAP user cache in FortiProxy.

 

If the user is already authenticated, de-authenticate the user first:

 

To do this in the GUI, select the user and select De-authenticate.

 

 

To do this in the CLI, first find the username:

 

diagnose firewall auth list

 

Next, de-authenticate the user:

 

To view the existing user:

 

diagnose wad user list
ID: 2, IP: 10.11.15.149, VDOM: root
  user name   : proxusr@DOMAINTEST.LOCAL
  duration    : 124
  auth_type   : 0
  auth_method : 3 (Kerberos)
  pol_id      : 12
  g_id        : 11
  user_based  : 0
  expire      : 8
  LAN:
    bytes_in=107500 bytes_out=1169255
  WAN:
    bytes_in=799170 bytes_out=40959

 

diagnose wad user clear <ID> <IP> <VDOM>
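As an added illustration (not Fortinet code), the following Python parses output in the format shown above and builds the matching 'diagnose wad user clear <ID> <IP> <VDOM>' command for a given user name, so the ID, IP and VDOM are not retyped by hand. The sample output it embeds is constructed from the entry above plus a second, invented entry.

```python
import re

# Constructed sample in the format of 'diagnose wad user list' (two entries).
SAMPLE_OUTPUT = """\
ID: 2, IP: 10.11.15.149, VDOM: root
  user name   : proxusr@DOMAINTEST.LOCAL
  duration    : 124
  auth_type   : 0
  auth_method : 3 (Kerberos)
  pol_id      : 12
  g_id        : 11
  user_based  : 0
  expire      : 8
  LAN:
    bytes_in=107500 bytes_out=1169255
  WAN:
    bytes_in=799170 bytes_out=40959
ID: 7, IP: 10.11.15.150, VDOM: root
  user name   : other@DOMAINTEST.LOCAL
  auth_method : 3 (Kerberos)
  g_id        : 14
"""

HEADER_RE = re.compile(r"^ID:\s*(\d+),\s*IP:\s*([^,\s]+),\s*VDOM:\s*(\S+)\s*$")
FIELD_RE = re.compile(r"^\s+([\w ]+?)\s*:\s*(.*)$")

def parse_wad_user_list(text):
    """Return one dict per cached WAD user entry (id, ip, vdom plus its fields)."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"id": int(m.group(1)), "ip": m.group(2), "vdom": m.group(3)}
            entries.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is not None and m and m.group(2):
            # Section headers such as 'LAN:' carry no value and are skipped; 'user name' -> 'user_name'.
            current[m.group(1).strip().replace(" ", "_")] = m.group(2).strip()
    return entries

def clear_commands(entries, user=None):
    """Build the clear command for every entry, or only for the given user name."""
    return [
        f"diagnose wad user clear {e['id']} {e['ip']} {e['vdom']}"
        for e in entries
        if user is None or e.get("user_name") == user
    ]
```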

 

Clear the WAD LDAP cache and refresh:

 

diagnose wad ldap user clear

diagnose wad ldap user refresh

 

The user group will be updated after FortiProxy receives a new, successful authentication attempt from the user.

 

An alternative method to prevent this issue is to disable the WAD LDAP cache:

 

config web-proxy global

    set ldap-user-cache disable

end

 

To clear the end user's session:

 

diagnose sys session filter src a.b.c.d <----- a.b.c.d is the end user IP.

diagnose sys session clear

 

The 'ldap-user-cache' setting behaves as follows:
Enable = LDAP auth is performed based on WAD user-info.
Disable = LDAP auth is performed with fnbamd.


Note that the 'ldap-user-cache' option only works with Windows AD. For any other vendor, such as a Novell eDirectory LDAP server, the 'ldap-user-cache' option should be disabled.