Hi there,
Was anyone able to authenticate AD accounts in nested groups?
For example, we have an AD group "FortiAnaylzer-SuperUser"; in this group we have roles for administrative accounts, but it won't work.
Our config looks as follows:
config system admin ldap
    edit "domain_local"
        set server "192.168.1.1"
        set secondary-server "192.168.1.2"
        set cnid "sAMAccountName"
        set dn "OU=01-OrgUnit,DC=domain,DC=local"
        set port 636
        set type regular
        set username "CN=ldapfortinet,OU=Users,OU=01-OrgUnit,DC=domain,DC=local"
        set password ENC <0>
        set group "CN=FortiAnaylzer-SuperUser,OU=Firewall,OU=Groups,OU=01-OrgUnit,DC=domain,DC=local"
        set filter "(&(objectcategory=group)(member=*))"
        set secure ldaps
        set ca-cert "CA_Cert_1"
        set adom "all_adoms"
    next
end
What I don't get is why we need to set "filter"... but anyway, with this config only "direct memberships" will work because of the filter.
When we change the filter to include nested/path members as follows
set filter "(&(memberOf:1.2.840.113556.1.4.1941:=CN=FortiAnaylzer-SuperUser,OU=Firewall,OU=Groups,OU=01-OrgUnit,DC=domain,DC=local)(objectCategory=person)(objectClass=user)(sAMAccountName=*))" (yeah, I know, heavy load on LDAP)
(documentation: see https://msdn.microsoft.com/en-us/library/aa746475(VS.85).aspx )
we are still unable to log on with members which are group members of groups which are themselves members of the "FortiAnaylzer-SuperUser" group. The filter seems to be "directed" to the group, but "member:1.2.840.113556.1.4.1941:=*" won't work, and if I had to include all users in the filter the group itself is senseless.
Was anyone able to do the described scenario?
Kind regards
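As an added illustration (not from the original post or from Fortinet), the Python below models what the `memberOf:1.2.840.113556.1.4.1941:=<groupDN>` rule in the filter above evaluates: transitive membership by following memberOf links, with cycle protection, over a constructed in-memory directory. It also builds that filter with RFC 4515 escaping of the group DN; every DN except the post's "FortiAnaylzer-SuperUser" group is invented for the example.

```python
"""Model of LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) nested
membership, plus a correctly escaped filter builder. Constructed data only."""

RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN

BASE = "OU=01-OrgUnit,DC=domain,DC=local"
SUPERUSER = "CN=FortiAnaylzer-SuperUser,OU=Firewall,OU=Groups," + BASE
FW_ADMINS = "CN=FW-Admins,OU=Firewall,OU=Groups," + BASE      # invented group
HELPDESK = "CN=Helpdesk,OU=Groups," + BASE                     # invented group

# Constructed directory: entry DN -> its memberOf values as AD would store them.
DIRECTORY = {
    FW_ADMINS: [SUPERUSER],                    # group nested inside the target
    "CN=alice,OU=Users," + BASE: [SUPERUSER],  # direct member
    "CN=bob,OU=Users," + BASE: [FW_ADMINS],    # member only via FW-Admins
    "CN=carol,OU=Users," + BASE: [HELPDESK],   # unrelated group ...
    HELPDESK: [HELPDESK],                      # ... that refers to itself (cycle)
}


def in_chain(entry_dn, group_dn, directory=DIRECTORY):
    """True if entry_dn is a direct or nested member of group_dn.

    Walks memberOf links depth-first; DNs compare case-insensitively as AD
    does, and a 'seen' set stops the walk on cyclic group memberships."""
    target = group_dn.lower()
    seen, stack = set(), [entry_dn]
    while stack:
        dn = stack.pop()
        if dn.lower() in seen:
            continue
        seen.add(dn.lower())
        for parent in directory.get(dn, []):
            if parent.lower() == target:
                return True
            stack.append(parent)
    return False


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value: \\ * ( ) and NUL become \\XX."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def chain_filter(group_dn):
    """Filter matching users who are direct or nested members of group_dn.
    The rule needs a concrete DN as its value; a wildcard (*) is not valid here."""
    return "(&(memberOf:%s:=%s)(objectCategory=person)(objectClass=user))" % (
        RULE_IN_CHAIN, escape_filter_value(group_dn))
```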