Fortinet Forum
Wiksi
New Contributor

Fortigate LDAP config with OpenLDAP server

Hi!

 

I am in a situation where I need to set up an LDAPS connection to an OpenLDAP server that uses POSIX accounts and groups, meaning it does not have a memberOf attribute to check for user group memberships. This group checking would need to happen using gidNumber (group ID) from the user data, or from the group data using the memberUid attribute. Here is what I have been trying to get to work so far.

 

I have been trying to Google how to do this for a couple of hours now.

 

A sample OpenLDAP structure:

DC=acme,DC=local
- OU=department
- - OU=Users
- - - UID=timothy.tester
- - - UID=david.demo
- - - UID=donald.duck
- - - UID=mickey.mouse
- - OU=Groups
- - - CN=SMS
- - - CN=VPN
- - - CN=Others
- - uid=admin

SMS group has attributes as:

objectClass=posixGroup
gidNumber=12345 (the group ID)
cn=SMS
memberUid=timothy.tester

User Timothy Tester has attributes as:

objectClass=posixAccount
displayName=Timothy Tester
uidNumber=11111 (user ID)
gidNumber=12345 (the group ID of SMS group)
uid=timothy.tester
userPassword= ...

VPN group has attributes as:

objectClass=posixGroup
gidNumber=67890 (the group ID)
cn=VPN
memberUid=david.demo

User David Demo has attributes as:

objectClass=posixAccount
displayName=David Demo
uidNumber=22222 (user ID)
gidNumber=67890 (the group ID of VPN group)
uid=david.demo
userPassword= ...

What I am trying to do is set up SSL VPN login with these two LDAP groups, SMS and VPN. However, I am unable to fetch the group data correctly.

 

OpenLDAP config part:

config user ldap
    edit "OpenLDAP"
        set server "192.168.0.65"
        set cnid "uid"
        set dn "ou=department,dc=acme,dc=local"
        set type regular
        set username "uid=admin,dc=openldap,dc=lab"
        set password ENC YCb6XWMMo...
        set group-member-check posix-group-object
        set secure ldaps
        set port 636
    next
end

User groups config part:

config user group
    edit "SMS group users"
        set member "OpenLDAP"
        config match
            edit 1
                set server-name "OpenLDAP"
                set group-name "cn=SMS,ou=groups,ou=department,dc=acme,dc=local"
            next
        end
    next
    edit "VPN group users"
        set member "OpenLDAP"
        config match
            edit 1
                set server-name "OpenLDAP"
                set group-name "cn=VPN,ou=groups,ou=department,dc=acme,dc=local"
            next
        end
    next
end

I have been playing with the OpenLDAP config and I have tried with "set group-member-check posix-group-object" and without it as well as with "set member-attr memberUid". I have been trying and trying without any success.

 

Any ideas how to solve the problem and make the FortiGate able to read the group data correctly? Thank you in advance!

 

Running on version 6.0.5.

1 REPLY
Juhhi
New Contributor

Hi.

 

This reply comes late, but I hope it helps people further.

 

Fnbamd helped me to figure out why the authentication failed:

 

diagnose debug enable
diagnose debug application fnbamd 255

 

The solution for OpenLDAP is to use:

config user ldap
    edit <entity>
        set group-filter "(&(objectclass=posixgroup)(memberuid:=%u))"
    next
end


I later found an old post with the same configuration parameters for OpenLDAP:

https://community.fortinet.com/t5/FortiGate/Technical-Note-FortiGate-LDAP-configuration-examples/ta-...

 

You should also modify the memberUid value in the POSIX group in LDAP. Don't use the username alone. Modification:

uid=<username>,ou=users,dc=<domain>,dc=<domain>

JV
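The group-filter from the reply, emulated as an added example (not FortiGate or OpenLDAP code, and not from either poster) against an in-memory copy of the question's directory. It assumes, as the reply implies, that FortiGate replaces %u with the user's DN, which is why the SMS group, whose memberUid still holds only the bare username, never matches while the VPN group, modified as the reply advises, does:

```python
# Added example (not FortiGate or OpenLDAP code). Assumption: FortiGate
# substitutes the user's DN for %u in group-filter, so memberUid must hold the
# full DN (the reply's modification) rather than the bare username.

# Constructed directory: DN -> {lowercased attribute name: [values]}.
DIRECTORY = {
    "uid=timothy.tester,ou=Users,ou=department,dc=acme,dc=local": {
        "objectclass": ["posixAccount"], "uid": ["timothy.tester"], "gidnumber": ["12345"]},
    "uid=david.demo,ou=Users,ou=department,dc=acme,dc=local": {
        "objectclass": ["posixAccount"], "uid": ["david.demo"], "gidnumber": ["67890"]},
    # SMS group as posted in the question: memberUid holds only the username.
    "cn=SMS,ou=Groups,ou=department,dc=acme,dc=local": {
        "objectclass": ["posixGroup"], "cn": ["SMS"], "gidnumber": ["12345"],
        "memberuid": ["timothy.tester"]},
    # VPN group after the reply's modification: memberUid holds the full user DN.
    "cn=VPN,ou=Groups,ou=department,dc=acme,dc=local": {
        "objectclass": ["posixGroup"], "cn": ["VPN"], "gidnumber": ["67890"],
        "memberuid": ["uid=david.demo,ou=Users,ou=department,dc=acme,dc=local"]},
}

def parse_filter(s, i=0):
    """Parse the RFC 4515 subset used here: &, |, ! and (attr=value) / (attr:=value).
    Returns (node, index_after_node); values must not contain ')'."""
    if s[i + 1] in "&|!":
        op, i, items = s[i + 1], i + 2, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            items.append(node)
        return (op, items), i + 1          # skip the closing ')'
    end = s.index(")", i)
    attr, value = s[i + 1:end].split("=", 1)
    # "attr:=value" is an extensible match with no rule; treat it as equality.
    return ("eq", attr.rstrip(":").lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry. Compares case-insensitively; a real
    server uses each attribute's rule (memberUid is caseExactIA5Match in the nis schema)."""
    if node[0] == "eq":
        return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))
    results = [matches(child, entry) for child in node[1]]
    return all(results) if node[0] == "&" else any(results) if node[0] == "|" else not results[0]

def group_check(uid, group_filter="(&(objectclass=posixgroup)(memberuid:=%u))"):
    """Return the group DNs the filter matches for the user found by cnid=uid."""
    user_dn = next(dn for dn, e in DIRECTORY.items() if uid in e.get("uid", []))
    node, _ = parse_filter(group_filter.replace("%u", user_dn))
    return sorted(dn for dn, e in DIRECTORY.items() if matches(node, e))
```

group_check("timothy.tester") returns no groups until the SMS group's memberUid is changed to the full DN, which is exactly the failure the reply describes.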