Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
torgnyw
New Contributor

Apple Open Directory

Hi,

 

Im trying to use Open Directory LDAP authentication for VPN logins.

I've set it up for multiple Active Directories and it works great.

But Open Directory does not have a memberOf attribute on user object.

I have found a couple of suggestions on google, but have found nothing that works.

 

my config is:

config user ldap
   edit ldap_name
      cnid mail
      dn dc=server,dc=domain,dc=local
      type regular
      username uid=username,cn=users,dc=server,dc=domain,dc=local
      password *
      group-member-check group-object
      group-object-filter "(&(objectclass=posixserver)(memberUid=*))"
      member-attr gidNumber
end

 

If I allow any LDAP group in Group on Fortigate it works.

If I try to specify a group it doesn't match.

 

I understand that this will not work, since gidNumber on user is only default group.

How can I make fortigate search group objects for user members?

\\ Torgny

\\ Torgny
1 Solution
Fishbone_FTNT

Hi Torgnyw,

maybe you group-object filter or member-attr is not correct.

"(&(objectclass=posixserver)(memberUid=*))" -> check if group object is "posixserver" and it does have users listed using  "memberUid".

also member-attr change to attribute which lists users in the group object.

 

For example, my lab OpenLDAP does have it like this:

 

group-object-filter "(&(objectclass=groupOfUniqueNames)(uniqueMember=*))" member-attr "uniqueMember"

 

My 2c,

 Fishbone )(

smithproxy hacker - www.smithproxy.org

View solution in original post

6 REPLIES 6
emnoc
Esteemed Contributor III

Do know if this helps but you can specify groups under the config user group and use that in your ssl policies.

 

config user group     edit "CA_Users_NA"     next     edit "GROUPAD1"         set member "LDAPGRP1"             config match                 edit 1                     set server-name "LDAPGRP1"                     set group-name "CN=SSLVPNCAN,CN=Users,DC=1plus1eq2,DC=com"                 next             end     next end

Could you do it that way and use the group for the sslvpn policy?

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Fishbone_FTNT

Hi Torgnyw,

maybe you group-object filter or member-attr is not correct.

"(&(objectclass=posixserver)(memberUid=*))" -> check if group object is "posixserver" and it does have users listed using  "memberUid".

also member-attr change to attribute which lists users in the group object.

 

For example, my lab OpenLDAP does have it like this:

 

group-object-filter "(&(objectclass=groupOfUniqueNames)(uniqueMember=*))" member-attr "uniqueMember"

 

My 2c,

 Fishbone )(

smithproxy hacker - www.smithproxy.org

torgnyw

Thanks for answer Fishbone_FTNT.

I've now have it working, but only if I use uid as cnid.

It will then browse all groups matching filter, and look for member-attr field (memberUid).

There the uid of the user is listed, and validated.

If i use mail field as cnid, is there anyway to get it to still match group membership based on uid?

 

I have multiple companies logging in to this firewall, and would like to use email as username to make a clear distinction on what company they are logging in to.

 

\\

Torgny 

 

 

\\ Torgny

\\ Torgny
Fishbone_FTNT

Hi Torgny,

oh I see. I overlooked your cnid set to email. But it should work with this too, since users are matched from groups based on their DNs.  In other words, cnid and username is used just to find DN.

 

It works like this:

* First user has to be found in LDAP.  'dn' is searched for 'cnid'=<connecting user>

* If search is successful, DN is remembered as unique identifier of user (that's why we have DN actually :) ).

* LDAP bind for this DN is used to verify if the password (eg. sent across vpn)

* continuing if bind was ok

* Member check: normally values of 'memberOf' are taken  -> END

* if you need to search ldap tree, continue

* Now Fortigate takes all ldap groups (objects filtered by setting above) one by one, and checks all of them for its member attribute values. Which is always DN.

This last step might differ from Fortigate feature to feature a bit, but roughly it's like that.

 

Fishbone )(

smithproxy hacker - www.smithproxy.org

torgnyw

Ok, I see.

I think the problem is the schema of Open Directory.

The list of members in group is only listed with uid value.

I see a list of usernames (uid) in debug, and match if I use uid as cnid, 

but no match if I use mail.

 

I guess I can have the users use there uid to get it to work.

or maybe import users from ldap and add them to a local group on firewall.

 

\\

Torgny

\\ Torgny

\\ Torgny
Fishbone_FTNT

Yep, you can also create local users with LDAP password. If it's not too many of them, it might be the way.

Fishbone )(

smithproxy hacker - www.smithproxy.org

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors