Trying to configure LDAP for a FortiManager 5.2.4 but can't get it working.
Configured an LDAP server with the group that they should be a member of, but when I apply it users of that group can't log in.
Configuration below:

    config system admin ldap
        edit "ldaps_domain"
            set server "dc1"
            set secondary-server "dc2"
            set cnid "cn"
            set dn "DC=domain,DC=tld"
            set port 636
            set type regular
            set username "CN=sausername,OU=Service Accounts,OU=Internal IT,OU=ROOT,DC=domain,DC=tld"
            set password ENC *******
            set group "CN=sg_FortiManagerAdministrators,OU=Groups,OU=ROOT,DC=domain,DC=tld"
            set secure ldaps
            set ca-cert "CA_Cert_1"
            set adom "all_adoms"
        next
    end
Robin Svanberg Network Consultant @ Ethersec AB in Östersund, Sweden
robin.svanberg@ethersec.se
Hi Robin,
What are your users using as login name? I see that you have chosen the standard "cn" in cnid.
Try to change it to "sAMAccountName", which is the username in Windows.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Robin Svanberg Network Consultant @ Ethersec AB in Östersund, Sweden
robin.svanberg@ethersec.se
Robin,
I tried it on my own FortiManager and I have it working:
    name             : Server01
    server           : 1.1.1.1
    secondary-server : (null)
    tertiary-server  : (null)
    cnid             : samAccountName
    dn               : DC=company,DC=org
    port             : 389
    type             : regular
    username         : sa@company.org
    password         : *
    group            : CN=ADM Accounts,OU=Security Groups,OU=Administration,DC=company,DC=org
    filter           : (&(objectcategory=group)(member=*))
    attributes       : member
    secure           : disable
    connect-timeout  : 500

Then create a new user, check "Wildcard", and choose LDAP and your server.
Notice that I have changed the filter according to:
http://kb.fortinet.com/kb...=8412764&stateId=0 0 73082795
FCNSA, FCNSP
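The lookup this thread converges on (resolve the login name with the `cnid` attribute under `dn`, then require the configured group to pass the filter `(&(objectcategory=group)(member=*))` and to list the user's DN in its `member` attribute), written out as an added Python model. This is not FortiManager's own code: the directory entries are constructed, the order of the two checks is an assumption about how the appliance applies these settings, and the filter evaluator covers only the RFC 4515 subset these filters use. It also shows why `cnid cn` failed for a Windows login name, and escapes the login before interpolating it into the filter so a crafted login cannot rewrite the search.

```python
"""Model of the FortiManager LDAP admin lookup discussed in the thread.
Constructed data; assumed evaluation order; not vendor code."""

# Constructed entries mimicking Active Directory objects (assumed, not from the thread).
DIRECTORY = {
    "CN=Robin Svanberg,OU=Users,OU=ROOT,DC=domain,DC=tld": {
        "objectCategory": ["person"],
        "cn": ["Robin Svanberg"],
        "sAMAccountName": ["rsvanberg"],
    },
    "CN=sg_FortiManagerAdministrators,OU=Groups,OU=ROOT,DC=domain,DC=tld": {
        "objectCategory": ["group"],
        "cn": ["sg_FortiManagerAdministrators"],
        "member": ["CN=Robin Svanberg,OU=Users,OU=ROOT,DC=domain,DC=tld"],
    },
    "CN=sg_Empty,OU=Groups,OU=ROOT,DC=domain,DC=tld": {   # hypothetical empty group
        "objectCategory": ["group"],
        "cn": ["sg_Empty"],
    },
}

# The settings that mattered in the thread (transport settings left out).
CONFIG = {
    "dn": "DC=domain,DC=tld",
    "cnid": "sAMAccountName",
    "group": "CN=sg_FortiManagerAdministrators,OU=Groups,OU=ROOT,DC=domain,DC=tld",
    "filter": "(&(objectcategory=group)(member=*))",
    "attributes": "member",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a filter, so a login such as
    'x)(cn=*' cannot alter the search (LDAP filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":                       # \xx hex escape
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_filter(text: str):
    """Parse the RFC 4515 subset used here: &, |, !, equality and presence (=*)."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters in filter")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, parts = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            parts.append(node)
        if i >= len(s) or s[i] != ")" or not parts:
            raise ValueError("unterminated %s filter" % op)
        return (op, parts), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated ! filter")
        return ("!", [node]), i + 1
    end = s.find(")", i)            # a raw ')' never appears inside an escaped value
    if end < 0 or "=" not in s[i:end]:
        raise ValueError("bad simple filter at %d" % i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), value), end + 1


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry; names and values are compared
    case-insensitively, as AD does for these attributes."""
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    if value == "*":                             # presence filter, e.g. (member=*)
        return bool(values)
    return _unescape(value).lower() in values


def find_user_dn(directory, base_dn, cnid, login):
    """Step 1: find the single entry under base_dn whose cnid attribute equals login."""
    node = parse_filter("(%s=%s)" % (cnid, escape_filter_value(login)))
    hits = [dn for dn, entry in directory.items()
            if dn.lower().endswith(base_dn.lower()) and matches(node, entry)]
    return hits[0] if len(hits) == 1 else None   # missing or ambiguous: no login


def is_admin(directory, config, login):
    """Step 2: the configured group must pass the group filter and list the
    resolved user DN in the configured attribute."""
    user_dn = find_user_dn(directory, config["dn"], config["cnid"], login)
    if user_dn is None:
        return False
    group = directory.get(config["group"])
    if group is None or not matches(parse_filter(config["filter"]), group):
        return False
    members = [m.lower() for k, vs in group.items()
               if k.lower() == config["attributes"].lower() for m in vs]
    return user_dn.lower() in members


if __name__ == "__main__":
    print("sAMAccountName login:", is_admin(DIRECTORY, CONFIG, "rsvanberg"))
    print("cnid cn, same login: ", is_admin(DIRECTORY, dict(CONFIG, cnid="cn"), "rsvanberg"))
```

With `cnid cn` the Windows login `rsvanberg` matches nothing because the user's `cn` is the display name, which is exactly the symptom in the first post; with the empty group substituted, `(member=*)` fails before any membership check is attempted. The escaping makes a login of `*` or `rsvanberg)(cn=*` resolve to no user instead of widening the search.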
Sweet, didn't find that KB. Works perfectly now, thanks!
Robin Svanberg Network Consultant @ Ethersec AB in Östersund, Sweden
robin.svanberg@ethersec.se
Glad it worked for you!
FCNSA, FCNSP
It was the same for me (FAZ400E 6.0.3): Google didn't find that article for me, and the only thing missing was that specific filter. Thank you!
I wonder why it isn't like that by default in the first place? What other scenario is there for LDAP auth such that it hasn't been set to that value? I just want authentication, not to do any specific searches or anything.