Hi,
I'm trying to use Open Directory LDAP authentication for VPN logins.
I've set it up for multiple Active Directories and it works great.
But Open Directory does not have a memberOf attribute on the user object.
I have found a couple of suggestions on Google, but have found nothing that works.
My config is:
config user ldap
    edit "ldap_name"
        set cnid "mail"
        set dn "dc=server,dc=domain,dc=local"
        set type regular
        set username "uid=username,cn=users,dc=server,dc=domain,dc=local"
        set password *
        set group-member-check group-object
        set group-object-filter "(&(objectclass=posixserver)(memberUid=*))"
        set member-attr "gidNumber"
    next
end
If I allow any LDAP group in the Group setting on the FortiGate it works.
If I try to specify a group it doesn't match.
I understand that this will not work, since gidNumber on the user is only the default group.
How can I make the FortiGate search group objects for user members?
\\ Torgny
Hi Torgnyw,
maybe your group-object filter or member-attr is not correct.
"(&(objectclass=posixserver)(memberUid=*))" -> check if the group object is "posixserver" and it does have users listed using "memberUid".
Also, change member-attr to the attribute which lists users in the group object.
For example, my lab OpenLDAP has it like this:
    set group-object-filter "(&(objectclass=groupOfUniqueNames)(uniqueMember=*))"
    set member-attr "uniqueMember"
My 2c,
Fishbone )(
smithproxy hacker - www.smithproxy.org
Don't know if this helps, but you can specify groups under config user group and use that in your SSL policies.
config user group
    edit "CA_Users_NA"
    next
    edit "GROUPAD1"
        set member "LDAPGRP1"
        config match
            edit 1
                set server-name "LDAPGRP1"
                set group-name "CN=SSLVPNCAN,CN=Users,DC=1plus1eq2,DC=com"
            next
        end
    next
end
Could you do it that way and use the group for the SSL VPN policy?
PCNSE
NSE
StrongSwan
Thanks for the answer Fishbone_FTNT.
I've now got it working, but only if I use uid as cnid.
It will then browse all groups matching the filter, and look for the member-attr field (memberUid).
There the uid of the user is listed, and validated.
If I use the mail field as cnid, is there any way to get it to still match group membership based on uid?
I have multiple companies logging in to this firewall, and would like to use email as the username to make a clear distinction on what company they are logging in to.
\\ Torgny
Hi Torgny,
oh I see. I overlooked your cnid set to email. But it should work with this too, since users are matched from groups based on their DNs. In other words, cnid and username are used just to find the DN.
It works like this:
* First the user has to be found in LDAP. 'dn' is searched for 'cnid'=<connecting user>
* If the search is successful, the DN is remembered as the unique identifier of the user (that's why we have DNs actually :) ).
* An LDAP bind with this DN is used to verify the password (e.g. the one sent across the VPN)
* continuing if the bind was ok
* Member check: normally the values of 'memberOf' are taken -> END
* if you need to search the LDAP tree, continue
* Now the FortiGate takes all LDAP groups (objects filtered by the setting above) one by one, and checks all of them for their member attribute values, which is always a DN.
This last step might differ a bit from FortiGate feature to feature, but roughly it's like that.
Fishbone )(
smithproxy hacker - www.smithproxy.org
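To make the sequence above concrete, here is an added simulation of the group-object check; it is illustration code, not FortiGate's implementation and not a real LDAP client. It assumes a constructed in-memory directory with one user, an Open Directory style posixGroup whose memberUid holds bare uid values, and an OpenLDAP style groupOfUniqueNames whose uniqueMember holds full DNs; the password is a constructed plaintext demo value, and the filter evaluator only understands the (attr=value), (attr=*) and (&(...)(...)) forms used in this thread. It compares each group's member attribute against both the user's DN (the match described above) and the value the user logged in with (the uid match Torgny reports), so it reproduces both observations: a posixGroup matches only when cnid is uid, while a DN-based group matches regardless of cnid.

```python
"""Simulation of a FortiGate-style LDAP group-object membership check.

Added illustration only: not FortiGate code and not a real LDAP client.
The directory below is a constructed in-memory stand-in.
"""
import re

# Constructed sample directory: DN -> attributes. Attribute names are stored
# lower-case; value comparisons are case-insensitive as in LDAP.
DIRECTORY = {
    "uid=alice,cn=users,dc=server,dc=domain,dc=local": {
        "objectclass": ["inetOrgPerson", "posixAccount"],
        "uid": ["alice"],
        "mail": ["alice@example.com"],
        "gidnumber": ["20"],
        "userpassword": ["s3cret"],  # constructed demo value, plaintext only here
    },
    "cn=vpnusers,cn=groups,dc=server,dc=domain,dc=local": {
        "objectclass": ["posixGroup"],
        "gidnumber": ["1025"],
        "memberuid": ["alice", "bob"],  # Open Directory style: bare uid values
    },
    "cn=vpn-dn,ou=groups,dc=server,dc=domain,dc=local": {
        "objectclass": ["groupOfUniqueNames"],
        "uniquemember": ["uid=alice,cn=users,dc=server,dc=domain,dc=local"],
    },
}


def attr_values(entry, name):
    """All values of an attribute, lower-cased for comparison."""
    return [v.lower() for v in entry.get(name.lower(), [])]


def matches_filter(entry, ldap_filter):
    """Evaluate a minimal LDAP filter: (attr=value), (attr=*) and (&(...)(...))."""
    f = ldap_filter.strip()
    if f.startswith("(&") and f.endswith(")"):
        parts = re.findall(r"\([^()]*\)", f[2:-1])
        return all(matches_filter(entry, p) for p in parts)
    m = re.fullmatch(r"\(([^=()]+)=([^()]*)\)", f)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr, value = m.group(1), m.group(2).lower()
    values = attr_values(entry, attr)
    return bool(values) if value == "*" else value in values


def find_user_dn(cnid, login):
    """Step 1: search the base DN for cnid=<login>; return the user's DN or None."""
    for dn, entry in DIRECTORY.items():
        if login.lower() in attr_values(entry, cnid):
            return dn
    return None


def bind(dn, password):
    """Step 3: simulated bind. A real FortiGate binds to the LDAP server as this DN."""
    return dn in DIRECTORY and password in DIRECTORY[dn].get("userpassword", [])


def group_check(cnid, login, password, group_filter, member_attr):
    """Run the full sequence; return None on auth failure, else the matched groups.

    Each match is (group DN, identifier that matched): 'dn' when the member
    attribute holds the user's DN, 'cnid' when it holds the login value.
    """
    user_dn = find_user_dn(cnid, login)          # step 1: locate the user
    if user_dn is None:
        return None
    if not bind(user_dn, password):              # steps 2-3: DN is the identity, bind checks password
        return None
    identifiers = {"dn": user_dn.lower(), "cnid": login.lower()}
    matched = []
    for dn, entry in DIRECTORY.items():          # step 4: walk every group object
        if not matches_filter(entry, group_filter):
            continue
        members = attr_values(entry, member_attr)
        for kind, ident in identifiers.items():
            if ident in members:
                matched.append((dn, kind))
                break
    return matched


if __name__ == "__main__":
    od_filter = "(&(objectclass=posixGroup)(memberUid=*))"
    print("cnid=uid :", group_check("uid", "alice", "s3cret", od_filter, "memberUid"))
    print("cnid=mail:", group_check("mail", "alice@example.com", "s3cret", od_filter, "memberUid"))
    ol_filter = "(&(objectclass=groupOfUniqueNames)(uniqueMember=*))"
    print("DN group :", group_check("mail", "alice@example.com", "s3cret", ol_filter, "uniqueMember"))
```

Running it shows the posixGroup matching only for cnid=uid and the groupOfUniqueNames matching on the DN for cnid=mail; a schema whose group objects list members by DN is what makes the cnid choice irrelevant.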
Ok, I see.
I think the problem is the schema of Open Directory.
The list of members in the group is only listed with the uid value.
I see a list of usernames (uid) in debug, and a match if I use uid as cnid,
but no match if I use mail.
I guess I can have the users use their uid to get it to work,
or maybe import users from LDAP and add them to a local group on the firewall.
\\ Torgny
Yep, you can also create local users with LDAP password. If it's not too many of them, it might be the way.
Fishbone )(
smithproxy hacker - www.smithproxy.org
Copyright 2025 Fortinet, Inc. All Rights Reserved.