Fortinet Forum
OmerAvrech

FortiAnalyzer 5.6.2 - LDAP groups problem

Hi,

I tried to configure two LDAP groups to authenticate to the FortiAnalyzer.

I succeeded in configuring the first group (admins), including the wildcard flag.

I want to add the second group with view-only privileges but I can't set the wildcard flag again.

 

When I try to add the wildcard to the second group I get the following error:

A wildcard administrator already exists object set operator error, -15 discard the setting

 

Also, I came across the following article http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD37328&sliceId=1...

but it does not help with my issue.

 

Configuration Below:

config system admin ldap
    edit "Ldap_Admins"
        set server "x.x.x.x"
        set cnid "sAMAccountname"
        set dn "DC=ceragon,DC=com"
        set type regular
        set username "networkldap@ceragon.com"
        set password ENC
        set group "CN=IT-MANAGEMENT,...,DC=ceragon,DC=com"
        set filter "(&(objectcategory=group)(member=*))"
        set adom "all_adoms"
    next
    edit "Ldap_Viewer"
        set server "x.x.x.x"
        set cnid "sAMAccountname"
        set dn "DC=ceragon,DC=com"
        set type regular
        set username "networkldap@ceragon.com"
        set password ENC
        set group "CN=IT-VIEWER,...,DC=ceragon,DC=com"
        set filter "(&(objectcategory=group)(member=*))"
        set adom "all_adoms"
    next
end

!

config system admin user
    edit "LDAP_Admin_Users"
        set profileid "Super_User"
        set adom "all_adoms"
        set policy-package "all_policy_packages"
        set user_type ldap
        set ldap-server "Ldap_Admins"
        set wildcard enable
    next
    edit "LDAP_Viewer_Users"
        set profileid "Read_Only"
        set adom "all_adoms"
        set policy-package "all_policy_packages"
        set user_type ldap
        set ldap-server "LDAP_Viewers"
    next
end

!

 

Thank you in advance.

mantaransingh_FTNT

Hi

In FortiAnalyzer 5.6, we can only have one wildcard Admin. So if you are trying to create multiple wildcard Admins, it won't be possible.

For your requirement, RADIUS can be used. You can create one RADIUS wildcard admin in FortiAnalyzer, and on the server side (NPS in the case of Windows Server) you can use RADIUS VSAs to assign different groups different privileges (ADOM and profile).

VSA#3 is for ADOM, VSA#6 is for access profile.

 

Thanks

Mantaran Singh

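To make the mechanism in the reply above concrete, here is an added Python example (not code from this thread, from Fortinet, or from NPS) that encodes a RADIUS Access-Accept carrying the Fortinet vendor-specific attributes, decodes them back out, and checks the Response Authenticator before trusting the privileges they carry. It assumes Fortinet's IANA vendor ID 12356 and the sub-attribute numbers the reply gives (3 for the ADOM, 6 for the access profile); the shared secret, request authenticator and packet are constructed for illustration, and the ADOM and profile names are the ones from the configuration posted above.

```python
"""Encode, decode and authenticate Fortinet VSAs in a RADIUS Access-Accept
(RFC 2865 Vendor-Specific attribute 26). Added example; values are constructed."""
import hashlib
import hmac
import struct

# RFC 2865 basics
CODE_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26

# Assumption: Fortinet's IANA enterprise number and the two sub-types the reply
# refers to (VSA 3 = ADOM name, VSA 6 = access profile name).
FORTINET_VENDOR_ID = 12356
VSA_ADOM = 3             # Fortinet-Vdom-Name, applied as the ADOM on FortiAnalyzer
VSA_ACCESS_PROFILE = 6   # Fortinet-Access-Profile


def encode_fortinet_vsa(vendor_type: int, value: str) -> bytes:
    """Wrap one Fortinet sub-attribute in a RADIUS Vendor-Specific attribute."""
    data = value.encode("utf-8")
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    payload = struct.pack("!I", FORTINET_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(payload) + 2) + payload


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, attributes: list) -> bytes:
    """Build an Access-Accept; its Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865."""
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def iter_attributes(buf: bytes):
    """Yield (type, value) pairs from a TLV buffer; stop on a bad length rather
    than read past the end. The same loop parses the VSA sub-attributes."""
    pos = 0
    while pos + 2 <= len(buf):
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            break
        yield atype, buf[pos + 2:pos + alen]
        pos += alen


def decode_fortinet_vsas(packet: bytes) -> dict:
    """Return {vendor_type: value} for every Fortinet VSA in an Access-Accept."""
    if len(packet) < 20 or packet[0] != CODE_ACCESS_ACCEPT:
        return {}
    length = struct.unpack("!H", packet[2:4])[0]
    found = {}
    for atype, value in iter_attributes(packet[20:length]):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue  # another vendor's VSA; not ours to interpret
        for vtype, vdata in iter_attributes(value[4:]):
            found[vtype] = vdata.decode("utf-8", "replace")
    return found


def verify_response_authenticator(packet: bytes, request_authenticator: bytes,
                                  secret: bytes) -> bool:
    """True only if the reply was produced by a server holding the shared secret."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_authenticator
                           + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def admin_rights(packet: bytes, request_authenticator: bytes, secret: bytes):
    """Return (adom, profile) the wildcard admin would be given, or None when the
    reply is unauthenticated or is missing either VSA (no silent default)."""
    if not verify_response_authenticator(packet, request_authenticator, secret):
        return None
    vsas = decode_fortinet_vsas(packet)
    if VSA_ADOM not in vsas or VSA_ACCESS_PROFILE not in vsas:
        return None
    return vsas[VSA_ADOM], vsas[VSA_ACCESS_PROFILE]


if __name__ == "__main__":
    # Constructed sample: what an NPS policy for the viewer group could return.
    req_auth = bytes(range(16))
    secret = b"constructed-shared-secret"
    accept = build_access_accept(7, req_auth, secret, [
        encode_fortinet_vsa(VSA_ADOM, "all_adoms"),
        encode_fortinet_vsa(VSA_ACCESS_PROFILE, "Read_Only"),
    ])
    print(admin_rights(accept, req_auth, secret))
```

The decoder is the useful half for a defender: run it over Access-Accept packets captured between NPS and the FortiAnalyzer to confirm each group's policy returns the ADOM and profile you intended, and note that a reply missing one of the two attributes is treated as no grant rather than falling back to whatever the single wildcard admin entry has configured.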
OmerAvrech

Thanks for your assistance.

We don't have a RADIUS server in my company, therefore I can't use it.

I guess I'm gonna wait until Fortinet kindly adds this option too, like they have it in the firewalls...

 

Thanks anyway.

mikebutash

I ran into this issue as well setting up an analyzer for a customer, attempting to match the same setup on the FortiGate done with LDAP, and finding out the hard way with support that this isn't supported. Rather absurd that FAZ/FMG work entirely differently from the FGTs, and not even getting into the other platforms out there. So much for a consistent experience.

 

I made a feature request for this around the same time last year through my account team to fix this as well. I would encourage you to do so as well if not done already. I should think it's not hard, just copy the FortiGate team's work, done.