6.2 Active Directory Recursive Search Option vs 5.6 LDAP Nested Group settings

scerazy · ‎04-24-2019

Does the new settings in 6.2 directly replaces LDAP Nested Group settings in 5.6

Does config gets upgraded (on firmware upgrade) or one needs to remove old settings & replace them with new MANUALLY?

Seb

xsilver_FTNT · ‎04-25-2019

Hi Seb,

as you might get tested by yourself, then: - it is NOT full replacement of group filter, as new option 'search-type recursive' will NOT return built-in user groups from AD - firmware upgrade will NOT update and replace your custom group-filter with 'search-type recursive', however there is no need to panic as your old group-filter will still work in 6.2. If you want to change, you'll need to do it manually. Retested on 6.0.4 and 6.2.0 and FortiGate VM upgraded via FortiGuard. Thanks for hint, I'll start with upgrade of the KB.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

scerazy · ‎04-25-2019

Sorry, could you clarify? - "will NOT return built-in user groups from AD" - you do mean literally AD built-in user groups

Which itself is not an issue (I expect for anybody), as none of these groups would be used for webfiltering etc)

But it does return all user custom-made groups, right?

Seb

xsilver_FTNT · ‎04-25-2019

Hi Seb,

yes I mean none of AD Builtin user groups like 'Remote Desktop Users' is returned with search-type = recursive, while those are returned with group-filter mentioned in KB. I also do not think it's a big issue as most often deployments do use custom groups to categorize users to access right groups and all those, including nested groups, are returned OK.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

6.2 Active Directory Recursive Search Option vs 5.6 LDAP Nested Group settings

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website