Hi,
I tried to configure two LDAP groups to authenticate to the FortiAnalyzer.
I succeed to configure the first group (admins) include the wildcard flag.
I want to add the second group with view-only privileges but I can't set the wildcard flag again.
when I try to add the wildcard to the second group I get the following error:
A wildcard administrator already exists object set operator error, -15 discard the setting
Also, I came across with the following article http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD37328&sliceId=1...
but it does not help to my issue.
Configuration Below:
config system admin ldap edit "Ldap_Admins" set server "x.x.x.x" set cnid "sAMAccountname" set dn "DC=ceragon,DC=com" set type regular set username "networkldap@ceragon.com" set password ENC set group "CN=IT-MANAGEMENT,...,DC=ceragon,DC=com" set filter "(&(objectcategory=group)(member=*))" set adom "all_adoms" next edit "Ldap_Viewer" set server "x.x.x.x" set cnid "sAMAccountname" set dn "DC=ceragon,DC=com" set type regular set username "networkldap@ceragon.com" set password ENC set group "CN=IT-VIEWER,...,DC=ceragon,DC=com" set filter "(&(objectcategory=group)(member=*))" set adom "all_adoms" next end
!
config system admin user
edit "LDAP_Admin_Users"
set profileid "Super_User" set adom "all_adoms" set policy-package "all_policy_packages" set user_type ldap set ldap-server "Ldap_Admins"
set wildcard enable
next
edit "LDAP_Viewer_Users"
set profileid "Read_Only" set adom "all_adoms" set policy-package "all_policy_packages" set user_type ldap set ldap-server "LDAP_Viewers"
next
end
!
Thank you in advance.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi
In FortiAnalyzer 5.6, we can only have one wildcard Admin. So if you are trying to create multiple wildcard Admins, it won't be possible.
For your requirement, RADIUS can be used. you can create one RADIUS wildcard admin in FortiAnalyzer and on the server side(NPS in case of WinServer), you can use RADIUS VSA's to assign different groups different privileges(ADOM and profile).
VSA#3 is for ADOM, VSA#6 is for access profile
Thanks
Mantaran Singh
Thanks for your assistance.
We don't have a radius server in my company, therefore, I can't use it.
I guess I gonna wait until Fortinet kindly will add this option too like they have it in the firewalls...
Thanks anyway.
I ran into this issue as well setting up an analyzer for a customer, attempting to match the same setup on the fortigate done with ldap, and finding out the hard way with support this isn't supported. Rather absurd faz/fmg work entirely differently from the fgt's, and not even getting into the other platforms out there. So much for consistent experience.
I made a feature request for this around the same time last year through my account team to fix this as well. I would encourage you to do so as well if not done already. I should think not hard, just copy the fortigate team's work, done.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.