Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

FortiAnalyzer 5.6.2 - LDAP groups problem


I tried to configure two LDAP groups to authenticate to the FortiAnalyzer.

I succeed to configure the first group (admins) include the wildcard flag.

I want to add the second group with view-only privileges but I can't set the wildcard flag again.


when I try to add the wildcard to the second group I get the following error:

A wildcard administrator already exists object set operator error, -15 discard the setting


Also, I came across with the following article

 but it does not help to my issue.


Configuration Below:

config system admin ldap edit "Ldap_Admins" set server "x.x.x.x" set cnid "sAMAccountname" set dn "DC=ceragon,DC=com" set type regular set username "" set password ENC  set group "CN=IT-MANAGEMENT,...,DC=ceragon,DC=com" set filter "(&(objectcategory=group)(member=*))" set adom "all_adoms" next edit "Ldap_Viewer" set server "x.x.x.x" set cnid "sAMAccountname" set dn "DC=ceragon,DC=com" set type regular set username "" set password ENC  set group "CN=IT-VIEWER,...,DC=ceragon,DC=com" set filter "(&(objectcategory=group)(member=*))" set adom "all_adoms" next end


config system admin user

edit "LDAP_Admin_Users"

set profileid "Super_User" set adom "all_adoms" set policy-package "all_policy_packages" set user_type ldap set ldap-server "Ldap_Admins"

set wildcard enable


edit "LDAP_Viewer_Users"

set profileid "Read_Only" set adom "all_adoms" set policy-package "all_policy_packages" set user_type ldap set ldap-server "LDAP_Viewers"





Thank you in advance.



In FortiAnalyzer 5.6, we can only have one wildcard Admin. So if you are trying to create multiple wildcard Admins, it won't be possible.

For your requirement, RADIUS can be used. you can create one RADIUS wildcard admin in FortiAnalyzer and on the server side(NPS in case of WinServer), you can use RADIUS VSA's to assign different groups different privileges(ADOM and profile).

VSA#3 is for  ADOM, VSA#6 is for access profile



Mantaran Singh


Thanks for your assistance.

We don't have a radius server in my company, therefore, I can't use it.

I guess I gonna wait until Fortinet kindly will add this option too like they have it in the firewalls...


Thanks anyway.


I ran into this issue as well setting up an analyzer for a customer, attempting to match the same setup on the fortigate done with ldap, and finding out the hard way with support this isn't supported.  Rather absurd faz/fmg work entirely differently from the fgt's, and not even getting into the other platforms out there.  So much for consistent experience.


I made a feature request for this around the same time last year through my account team to fix this as well.  I would encourage you to do so as well if not done already.  I should think not hard, just copy the fortigate team's work, done.


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors