Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Robin_Svanberg
Contributor

FortiManager 5.2.4 and LDAP groups not working

Trying to configure LDAP for a FortiManager 5.2.4 but can´t get it working.

 

Configured a ldap server with the group that they should be a member of, but when I apply it users of that group can´t login.

 

[ul]
  • Is there any equivalent to the Fortigate diag test auth ldap ?
  • Is there any logs to check? (Eventlog only says "User 'xxxx' login failed from GUI(10.241.241.2), reason:Authentication failure. Please try again...")
  • Anything that you can see that´s not configured properly in the configuration below?[/ul]

     

    Configuration below

    config system admin ldap edit "ldaps_domain" set server "dc1" set secondary-server "dc2" set cnid "cn" set dn "DC=domain,DC=tld" set port 636 set type regular set username "CN=sausername,OU=Service Accounts,OU=Internal IT,OU=ROOT,DC=domain,DC=tld" set password ENC ******* set group "CN=sg_FortiManagerAdministrators,OU=Groups,OU=ROOT,DC=domain,DC=tld" set secure ldaps set ca-cert "CA_Cert_1" set adom "all_adoms" next end

  •  

    Robin Svanberg Network Consultant @ Ethersec AB in Östersund, Sweden

     

    robin.svanberg@ethersec.se

    Robin Svanberg Network Consultant @ Ethersec AB in Östersund, Sweden robin.svanberg@ethersec.se
    1 Solution
    Carl_Wallmark

    Robin,

     

    I tried it on my own FortiManager and I have it working:

     

    name                : Server01

    server              : 1.1.1.1 secondary-server    : (null) tertiary-server     : (null) cnid                : samAccountName dn                  : DC=company,DC=org port                : 389 type                : regular username            : sa@company.org password            : * group               : CN=ADM Accounts,OU=Security Groups,OU=Administration,DC=company,DC=org filter              : (&(objectcategory=group)(member=*)) attributes          : member secure              : disable connect-timeout     : 500

     

    Then create a new user and check the "Wildcard" and chose LDAP and your server.

    Notice that I have changed the filter according to:

    http://kb.fortinet.com/kb...=8412764&stateId=0 0 73082795

     

    FCNSA, FCNSP
    ---
    FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
    FortiAnalyzer 100B, 100C
    FortiMail 100,100C
    FortiManager VM
    FortiAuthenticator VM
    FortiToken
    FortiAP 220B/221B, 11C

    View solution in original post

    FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
    6 REPLIES 6
    Carl_Wallmark
    Valued Contributor

    Hi Robin,

     

    What are your users using as login name ? I see that you have choosen the standard "cn" in cnid.

    Try to change to "sAMAccountName" which is the username in Windows.

    FCNSA, FCNSP
    ---
    FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
    FortiAnalyzer 100B, 100C
    FortiMail 100,100C
    FortiManager VM
    FortiAuthenticator VM
    FortiToken
    FortiAP 220B/221B, 11C

    FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
    Robin_Svanberg

    Hi, Normally use sAMAccountName so tried with cn just in case :) If I remove the group within ldap server config, auth works.

     

    Robin Svanberg Network Consultant @ Ethersec AB in Östersund, Sweden

     

    robin.svanberg@ethersec.se

    Robin Svanberg Network Consultant @ Ethersec AB in Östersund, Sweden robin.svanberg@ethersec.se
    Carl_Wallmark

    Robin,

     

    I tried it on my own FortiManager and I have it working:

     

    name                : Server01

    server              : 1.1.1.1 secondary-server    : (null) tertiary-server     : (null) cnid                : samAccountName dn                  : DC=company,DC=org port                : 389 type                : regular username            : sa@company.org password            : * group               : CN=ADM Accounts,OU=Security Groups,OU=Administration,DC=company,DC=org filter              : (&(objectcategory=group)(member=*)) attributes          : member secure              : disable connect-timeout     : 500

     

    Then create a new user and check the "Wildcard" and chose LDAP and your server.

    Notice that I have changed the filter according to:

    http://kb.fortinet.com/kb...=8412764&stateId=0 0 73082795

     

    FCNSA, FCNSP
    ---
    FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
    FortiAnalyzer 100B, 100C
    FortiMail 100,100C
    FortiManager VM
    FortiAuthenticator VM
    FortiToken
    FortiAP 220B/221B, 11C

    FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
    Robin_Svanberg

    Sweet, didn´t fint that KB. Works perfectly now, thanks!

     

    Robin Svanberg Network Consultant @ Ethersec AB in Östersund, Sweden

     

    robin.svanberg@ethersec.se

    Robin Svanberg Network Consultant @ Ethersec AB in Östersund, Sweden robin.svanberg@ethersec.se
    Carl_Wallmark

    Glad it worked for you!

    FCNSA, FCNSP
    ---
    FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
    FortiAnalyzer 100B, 100C
    FortiMail 100,100C
    FortiManager VM
    FortiAuthenticator VM
    FortiToken
    FortiAP 220B/221B, 11C

    FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
    echo

    It was the same for me (FAZ400E 6.0.3): Google didn't find that article for me, and the only thing missing was that specific filter. Thank you!

     

    I wonder why isn't it like that in the first place by default? What other scenario is there for LDAP auth so that it hasn't been set to that value? I want just authentication not do any specific searches or something.

    Announcements

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Labels
    Top Kudoed Authors