We want to use the FAC as an LDAP server with the built-in LDAP Service feature, so we use only local users and groups.
But we can't filter when we are using memberOf in the filter criteria.
OK:
ldapsearch -W -x -b "dc=auth,dc=example,dc=net" -H "ldap://192.168.11.6" -D "UID=ldapbind,DC=auth,DC=example,DC=net" "(objectClass=facPerson)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=auth,dc=example,dc=net> with scope subtree
# filter: (objectClass=facPerson)
# requesting: ALL
#
# sascha, users, auth.example.net
dn: uid=sascha,ou=users,dc=auth,dc=example,dc=net
objectClass: facPerson
objectClass: inetLocalMailRecipient
objectClass: inetOrgPerson
objectClass: nisMailAlias
objectClass: organizationalPerson
objectClass: person
cn:: IA==
uid: sascha
memberOf: cn=officevpn,ou=groups,dc=auth,dc=example,dc=net
Not working:
ldapsearch -W -x -b "dc=auth,dc=example,dc=net" -H "ldap://192.168.11.6" -D "UID=ldapbind,DC=auth,DC=example,DC=net" "(&(objectClass=facPerson)(memberOf=cn=officevpn,ou=groups,dc=auth,dc=example,dc=net))"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=auth,dc=example,dc=net> with scope subtree
# filter: (&(objectClass=facPerson)(memberOf=cn=officevpn,ou=groups,dc=auth,dc=example,dc=net))
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
In OpenLDAP server scenarios, we know that memberOf must be enabled. Is there anything special with FAC also?
On FortiAuthenticator (FAC hereinafter) the group objects do have structural objectClasses = facGroup, groupOfNames.
User objects (uid) do have "memberOf" attribute containing the names of their respective group membership.
But there are no distinguished names of members inside the groups (only the "rfc822MailMember" attribute), as you could see from the ldapsearch result for a group object.
The LDAP implementation on FAC is very simple and rarely used. More often I see users imported to FAC from an outer LDAP (like from MS Active Directory).
Speaking of dividing users into groups and driving access privileges/levels based on group membership...
Usually I see group membership (for active auth, not talking about SSO here) handled via RADIUS AVPs.
For RADIUS "group match" on FortiGate there is Fortinet-Group-Name AVP in Fortinet's directory.
Any 3rd party would probably use something like Class from Default directory, but check what's group match AVP for your specific RADIUS client.
Just check "RADIUS Attributes" on FAC either under user or group properties. Yes, those RADIUS AVPs can be inherited from group to all underlying users.
With one exception: users with role=Administrator (which are supposed to be user accounts used exclusively for FAC administration) do not inherit any AVPs, even if you explicitly allow them to authenticate via RADIUS ("Allow RADIUS authentication", which is disabled by default once the user role changes to Administrator or Sponsor (admins for guest management)).
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
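Since the server returns nothing for the memberOf clause while the attribute is present on every user entry, the same test can be applied on the client to the output of the first, working ldapsearch. This is an added example, not code from the thread or from Fortinet: it parses the LDIF that ldapsearch prints (comment lines, folded lines and "::" base64 values such as the `cn:: IA==` above) and evaluates (&(objectClass=facPerson)(memberOf=...)) locally; the SAMPLE_LDIF is constructed.

```python
# Added example (not from the thread): evaluate memberOf on the client when the
# server will not filter on it. SAMPLE_LDIF is constructed from the thread's output.
import base64

SAMPLE_LDIF = """\
# extended LDIF
dn: uid=sascha,ou=users,dc=auth,dc=example,dc=net
objectClass: facPerson
cn:: IA==
memberOf: cn=officevpn,ou=groups,dc=auth,dc=example,dc=net

dn: uid=bob,ou=users,dc=auth,dc=example,dc=net
objectClass: facPerson
memberOf: cn=sales,ou=groups,dc=auth,dc=exam
 ple,dc=net

search: 2
result: 0 Success
"""

def parse_ldif(text):
    """Return entries as dicts of lower-cased attribute -> list of values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # folded continuation line
        elif not raw.startswith("#"):        # drop LDIF comment lines
            unfolded.append(raw)
    entries = []
    for block in "\n".join(unfolded).split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):        # '::' marks a base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            entry.setdefault(name.lower(), []).append(value)
        if "dn" in entry:                    # skip the 'search:'/'result:' trailer
            entries.append(entry)
    return entries

def members_of(entries, group_dn, object_class="facPerson"):
    """Client-side (&(objectClass=<object_class>)(memberOf=<group_dn>))."""
    def norm(dn):                            # case-fold and trim RDN components
        return ",".join(p.strip() for p in dn.split(",")).lower()
    want = norm(group_dn)
    return sorted(e["dn"][0] for e in entries
                  if object_class.lower() in map(str.lower, e.get("objectclass", []))
                  and any(norm(m) == want for m in e.get("memberof", [])))
```

The DN comparison is case-folded with whitespace trimmed around RDNs, which is an approximation of LDAP's DN matching rule and is sufficient for DNs that the same server emitted.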