
FAC as LDAP-Server - memberOf filter not working

We want to use the FAC as LDAP-Server with the built-in LDAP-Service feature. So we use only local users and groups.


But we can't filter when we use memberOf in the filter criteria.



ldapsearch -W -x -b "dc=auth,dc=example,dc=net" -H "ldap://" -D "UID=ldapbind,DC=auth,DC=example,DC=net" "(objectClass=facPerson)"
Enter LDAP Password:
# extended LDIF
# LDAPv3
# base <dc=auth,dc=example,dc=net> with scope subtree
# filter: (objectClass=facPerson)
# requesting: ALL

# sascha, users,
dn: uid=sascha,ou=users,dc=auth,dc=example,dc=net
objectClass: facPerson
objectClass: inetLocalMailRecipient
objectClass: inetOrgPerson
objectClass: nisMailAlias
objectClass: organizationalPerson
objectClass: person
cn:: IA==
uid: sascha
memberOf: cn=officevpn,ou=groups,dc=auth,dc=example,dc=net


not working

ldapsearch -W -x -b "dc=auth,dc=example,dc=net" -H "ldap://" -D "UID=ldapbind,DC=auth,DC=example,DC=net" "(&(objectClass=facPerson)(memberOf=cn=officevpn,ou=groups,dc=auth,dc=example,dc=net))"
Enter LDAP Password:
# extended LDIF
# LDAPv3
# base <dc=auth,dc=example,dc=net> with scope subtree
# filter: (&(objectClass=facPerson)(memberOf=cn=officevpn,ou=groups,dc=auth,dc=example,dc=net))
# requesting: ALL
# search result
search: 2
result: 0 Success
# numResponses: 1


In OpenLDAP server scenarios, we know that memberOf must be enabled. Is there anything special with FAC as well?


On FortiAuthenticator (FAC hereinafter) the group objects do have structural objectClasses = facGroup, groupOfNames.

User objects (uid) do have a "memberOf" attribute containing the names of their respective group memberships.

But there are no distinguished names of members inside the groups (only the "rfc822MailMember" attribute), as you can see from the ldapsearch result for a group object.


LDAP implementation on FAC is very simple and rarely used. More often I see users imported to FAC from outer LDAP (like from MS Active Directory).

Speaking of dividing users into groups and driving access privileges/levels based on group membership ..

Usually I see group membership (for active auth, not talking about SSO here) handled via RADIUS AVPs.

For RADIUS "group match" on FortiGate there is Fortinet-Group-Name AVP in Fortinet's directory.

Any 3rd party would probably use something like Class from the Default directory, but check what the group match AVP is for your specific RADIUS client.

Just check "RADIUS Attributes" on FAC either under user or group properties. Yes, those RADIUS AVPs can be inherited from group to all underlying users.

With one exception, users with role=Administrator (which are supposed to be user accounts used exclusively for FAC administration) do not inherit any AVPs, even if you would explicitly allow them to authenticate via RADIUS ("Allow RADIUS authentication" which is by default disabled once the user role changes to Administrator or Sponsor (admins for guest management)).


Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
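
The first ldapsearch in the question shows that user entries are returned with their memberOf values even though the server-side memberOf filter matches nothing, so group membership can be checked client-side on the `(objectClass=facPerson)` result. The following is an added example, not code from either poster or from Fortinet; the function names are hypothetical, and the alice and bob entries are constructed sample data. It compares the full normalized group DN, so `cn=officevpn` does not match `cn=officevpn-admins`, and entries without memberOf are never returned.

```python
import base64

def parse_ldif(text):
    """Yield one dict per LDIF entry: lowercased attribute name -> list of values."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] == " " and raw.strip() and lines:  # RFC 2849 folded line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:                 # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in entry:                 # drops the "result:" trailer block
                yield entry
            entry = {}
        elif not line.startswith("#") and ":" in line:
            name, _, rest = line.partition(":")
            if rest.startswith(":"):          # "attr:: <base64 value>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            entry.setdefault(name.lower(), []).append(value)

def norm_dn(dn):
    """Case-fold and trim each RDN. Simplification: assumes no escaped commas."""
    rdns = (rdn.partition("=") for rdn in dn.split(","))
    return ",".join(f"{a.strip().lower()}={v.strip().lower()}" for a, _, v in rdns)

def users_in_group(ldif_text, group_dn):
    """Return DNs whose memberOf holds exactly group_dn (no substring matching)."""
    wanted = norm_dn(group_dn)
    return [e["dn"][0] for e in parse_ldif(ldif_text)
            if wanted in {norm_dn(g) for g in e.get("memberof", [])}]

# Constructed sample: sascha is taken from the thread, alice and bob are invented.
SAMPLE = """\
dn: uid=sascha,ou=users,dc=auth,dc=example,dc=net
memberOf: cn=officevpn,ou=groups,dc=auth,dc=example,dc=net

dn: uid=alice,ou=users,dc=auth,dc=example,dc=net
memberOf: cn=officevpn-admins,ou=groups,dc=auth,dc=example,dc=net

dn: uid=bob,ou=users,dc=auth,dc=example,dc=net
memberOf: CN=OfficeVPN, OU=groups,
 DC=auth,DC=example,DC=net

result: 0 Success
"""
```

To use it on live data, pass the text output of the working `(objectClass=facPerson)` search to `users_in_group` together with the group DN.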
