- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Apple Open Directory
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Apple Open Directory
Hi,
Im trying to use Open Directory LDAP authentication for VPN logins.
I've set it up for multiple Active Directories and it works great.
But Open Directory does not have a memberOf attribute on user object.
I have found a couple of suggestions on google, but have found nothing that works.
my config is:
config user ldap
edit ldap_name
cnid mail
dn dc=server,dc=domain,dc=local
type regular
username uid=username,cn=users,dc=server,dc=domain,dc=local
password *
group-member-check group-object
group-object-filter "(&(objectclass=posixserver)(memberUid=*))"
member-attr gidNumber
end
If I allow any LDAP group in Group on Fortigate it works.
If I try to specify a group it doesn't match.
I understand that this will not work, since gidNumber on user is only default group.
How can I make fortigate search group objects for user members?
\\ Torgny
Solved! Go to Solution.
\\ Torgny
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Torgnyw,
maybe you group-object filter or member-attr is not correct.
"(&(objectclass=posixserver)(memberUid=*))" -> check if group object is "posixserver" and it does have users listed using "memberUid".
also member-attr change to attribute which lists users in the group object.
For example, my lab OpenLDAP does have it like this:
group-object-filter "(&(objectclass=groupOfUniqueNames)(uniqueMember=*))" member-attr "uniqueMember"
My 2c,
Fishbone )(
smithproxy hacker - www.smithproxy.org
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do know if this helps but you can specify groups under the config user group and use that in your ssl policies.
config user group edit "CA_Users_NA" next edit "GROUPAD1" set member "LDAPGRP1" config match edit 1 set server-name "LDAPGRP1" set group-name "CN=SSLVPNCAN,CN=Users,DC=1plus1eq2,DC=com" next end next end
Could you do it that way and use the group for the sslvpn policy?
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Torgnyw,
maybe you group-object filter or member-attr is not correct.
"(&(objectclass=posixserver)(memberUid=*))" -> check if group object is "posixserver" and it does have users listed using "memberUid".
also member-attr change to attribute which lists users in the group object.
For example, my lab OpenLDAP does have it like this:
group-object-filter "(&(objectclass=groupOfUniqueNames)(uniqueMember=*))" member-attr "uniqueMember"
My 2c,
Fishbone )(
smithproxy hacker - www.smithproxy.org
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for answer Fishbone_FTNT.
I've now have it working, but only if I use uid as cnid.
It will then browse all groups matching filter, and look for member-attr field (memberUid).
There the uid of the user is listed, and validated.
If i use mail field as cnid, is there anyway to get it to still match group membership based on uid?
I have multiple companies logging in to this firewall, and would like to use email as username to make a clear distinction on what company they are logging in to.
\\
Torgny
\\ Torgny
\\ Torgny
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Torgny,
oh I see. I overlooked your cnid set to email. But it should work with this too, since users are matched from groups based on their DNs. In other words, cnid and username is used just to find DN.
It works like this:
* First user has to be found in LDAP. 'dn' is searched for 'cnid'=<connecting user>
* If search is successful, DN is remembered as unique identifier of user (that's why we have DN actually :) ).
* LDAP bind for this DN is used to verify if the password (eg. sent across vpn)
* continuing if bind was ok
* Member check: normally values of 'memberOf' are taken -> END
* if you need to search ldap tree, continue
* Now Fortigate takes all ldap groups (objects filtered by setting above) one by one, and checks all of them for its member attribute values. Which is always DN.
This last step might differ from Fortigate feature to feature a bit, but roughly it's like that.
Fishbone )(
smithproxy hacker - www.smithproxy.org
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, I see.
I think the problem is the schema of Open Directory.
The list of members in group is only listed with uid value.
I see a list of usernames (uid) in debug, and match if I use uid as cnid,
but no match if I use mail.
I guess I can have the users use there uid to get it to work.
or maybe import users from ldap and add them to a local group on firewall.
\\
Torgny
\\ Torgny
\\ Torgny
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yep, you can also create local users with LDAP password. If it's not too many of them, it might be the way.
Fishbone )(
smithproxy hacker - www.smithproxy.org
Related Posts
Labels
-
FortiGate
6,858 -
FortiClient
1,359 -
5.2
801 -
5.4
639 -
FortiManager
587 -
FortiAnalyzer
432 -
6.0
416 -
5.6
362 -
FortiAP
358 -
FortiSwitch
353 -
FortiClient EMS
277 -
FortiMail
267 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
165 -
6.4
128 -
FortiNAC
115 -
FortiGuard
109 -
IPsec
94 -
FortiSIEM
91 -
FortiGateCloud
90 -
FortiCloud Products
85 -
SSL-VPN
75 -
FortiToken
74 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
45 -
FortiEDR
42 -
Fortivoice
41 -
SD-WAN
36 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiDNS
35 -
FortiSandbox
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
27 -
VLAN
26 -
FortiAuthenticator
25 -
FortiConnect
24 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiGate v5.2
17 -
FortiSwitch v6.2
16 -
DNS
16 -
Certificate
16 -
SAML
15 -
BGP
15 -
LDAP
15 -
VDOM
15 -
FortiMonitor
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Authentication
12 -
fortilink
12 -
Routing
12 -
FortiCASB
12 -
RADIUS
10 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
Fortigate Cloud
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Traffic shaping policy
6 -
FortiBridge
6 -
Web application firewall profile
6 -
Web profile
6 -
Proxy policy
5 -
FortiAP profile
5 -
WAN optimization
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.