noother10
New Contributor

5.4.1 - Unable to LDAP filter for memberOf a group

I believe this was an issue with older versions of FortiOS previously. When going to Authentication -> User Management -> User Groups, I hit create and target my remote LDAP (Windows AD), and try to specify the LDAP filter. The filter returns nothing when trying to use the memberOf property to grab members of a specific AD group. When using the information from the Administration Guide to create the filter as per the example, it also fails. I can add the group directly (Windows AD group under User Group), but it won't recognize the users within the group when I try to use FortiToken.

 

If I go to Authentication -> Remote Auth. Servers -> LDAP -> My Win AD Setup -> Remote LDAP Users -> Import users by group memberships, this will work.

 

Is there a way around this, or to make it work? The best I've come up with is to import the users by group memberships, and then in User Groups select the "Set a list of imported remote LDAP users". But this is a manual process with two steps, whereas I was hoping to have it just work off a group, so in future if I want to add someone, I just add them to the Windows AD group.

1 Solution
ergotherego
Contributor II

I personally like to use Remote User Sync rules. I create one for each remote<>local group mapping.

 

Some advantages of doing it that way:

 

1) Auto assignment of mobile token

2) When you look under your local groups, you can actually see the members. This is helpful for troubleshooting. If instead you define a filter under a group, you can't see who FAC has inside that group.

3) You can also have the FAC delete old user accounts when they are no longer present on the domain.

RobertReynolds

I've got the memberOf LDAP filter working in my 5.4.1 FAC for User Groups, using the following for example:

 

(memberof=CN=SSL_VPN_Users,CN=Users,DC=mydomain,DC=co,DC=uk)

 

where SSL_VPN_Users is a Security Group in the Users OU on mydomain.co.uk
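As an added example (not code from the thread or from Fortinet), the snippet below builds the memberOf filter from a group DN with RFC 4515 escaping and evaluates it offline against constructed sample entries, showing why a filter on the bare group name returns nothing while the full-DN form from the reply above matches. The entries, the DN comparison (case-insensitive, no whitespace normalisation) and the single-clause filter parser are simplifying assumptions.

```python
import re

# Constructed sample directory entries; only "alice" is a direct member of the group.
ENTRIES = [
    {"sAMAccountName": "alice",
     "memberOf": ["CN=SSL_VPN_Users,CN=Users,DC=mydomain,DC=co,DC=uk"]},
    {"sAMAccountName": "bob",
     "memberOf": ["CN=Domain Users,CN=Users,DC=mydomain,DC=co,DC=uk"]},
    {"sAMAccountName": "carol", "memberOf": []},
]


def escape_filter_value(value: str) -> str:
    """Escape a filter assertion value per RFC 4515: '*', '(', ')', backslash and NUL."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def member_of_filter(group_dn: str) -> str:
    """memberOf is matched against the group's full DN, never its CN alone."""
    return "(memberOf=%s)" % escape_filter_value(group_dn)


def parse_simple_filter(flt: str):
    """Parse one '(attr=value)' clause and unescape \\xx hex sequences."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not m:
        raise ValueError("unsupported filter: %r" % flt)
    attr, raw = m.group(1), m.group(2)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    return attr, value


def select_users(entries, flt: str):
    """Return the sAMAccountNames whose attribute holds the filter value.
    Loosely mirrors AD: memberOf lists direct group DNs only (nested groups are
    not expanded) and DN comparison is case-insensitive. Whitespace
    normalisation inside DNs is omitted here (assumption for brevity)."""
    attr, value = parse_simple_filter(flt)
    want = value.casefold()
    hits = []
    for e in entries:
        vals = e.get(attr, [])
        vals = [vals] if isinstance(vals, str) else vals
        if any(v.casefold() == want for v in vals):
            hits.append(e["sAMAccountName"])
    return hits
```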

noother10

I did end up making a Remote User Sync Rule, but it seems to be bugged. It has synced my account to the group I created and I got the auto-provision token, but I get the following message in the logs when I try to log in:

Windows AD user authentication(mschap) with FortiToken failed: user not filtered by groups

 

It thinks my account isn't filtered by a group, but I'm in a User Group that was generated by the Remote User Sync Rule. The only difference from when I had it working is that the group was set to LDAP filter and filtered specifically for my account only. The group generated by the Remote User Sync Rule is a "Set a list of imported remote LDAP users".

noother10

Looks like it stripped my group from the RADIUS connection to the FortiGate when I made the Remote User Sync Rule. I've re-added it, but I'm now having issues with FTM push, so I gotta test that.

 
