Ufff hope this will work out...but yea this is maybe a point.

Our UPN @ reflects not our Domain Name (domain name = domain.local but user up is @domain.de). Additionally, our upn differs from the samaccountname.

I will give it a shot and let you know.

so many thanks for this hint
just to mention it, your article is outdated :)
set account-key-name
is not available in FortiOS 6.0.14
instead "set account-key-filter", is available, so i tried:
set account-key-filter "(&(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

And it worked out well, seems to run, yihaa. So for anyone else, this is how our config looks like

config user ldap
edit "dc03.domain.local"
set server "dc03.domain.local"
set cnid "cn"
set dn "dc=domain,dc=local"
set type regular
set username "CN=blabla,OU=Accounts,OU=FortiGate,DC=domain,DC=local"
set password ENC
set secure ldaps
set ca-cert "DOMAIN_ROOT_CA"
set port 636
set account-key-processing strip
set account-key-filter "(&(sAMAccountName=%s)(!UserAccountControl:1.2.840.113556.1.4.803:=2))"
next

Great help

Sadly what worked yesterday...stopped working today

Hey Wurstsalat,

sorry to hear that it stopped working!

Are you getting the group query failed error again, or something else?

Same error and log entries

Ldap connection tests are still successful, browsing directory still works

Hey Wurstsalat,

ok, in that case I would suggest some debug to figure out what's going on with the group query.

The commands:
#dia de reset
#dia de app fnbamd -1
#dia de en

-> fnbamd daemon handles communication to remote LDAP (including the group lookup post-Kerberos auth)

-> try to access explicit proxy until you get the error

-> to end the debug:
#dia de dis
#dia de reset
That debug should contain some details about binding to LDAP, querying the user, and then (if it finds the user) doing a memberOf search.

[882] __ldap_rxtx-Change state to 'DN search'
[815] __ldap_rxtx-state 11(DN search)
[592] fnbamd_ldap_build_dn_search_req-base:'dc=domain,dc=local' filter:(&(sAMAccountName=mysamaccountname)(!UserAccountControl:1.2.840.113556.1.4.803:=2))
[598] fnbamd_ldap_build_dn_search_req-Error in ldap_search
[736] __ldap_error-
[725] __ldap_stop-svr 's-dc03.domain.local'
[3112] fnbamd_ldap_result-Error (5) for req 887105992
[181] fnbamd_comm_send_result-Sending result 5 (error 0, nid 0) for req 887105992
[736] destroy_auth_session-delete session 887105992

While "(&(sAMAccountName=mysamaccountname)(!UserAccountControl:1.2.840.113556.1.4.803:=2))" used with powershell module for active directory and get-aduser -ldapfilter...i get my user back. So syntax is correct

Wireshark on the dc shows me the traffic on port 636 to domain controller...so dont get whats the problem

edit2

Found again a solution but i am unsure if this is a bug or not

This one doesnt work (but pretty sure this worked earlier but stopped for now)
set account-key-filter "(&(sAMAccountName=%s)(!UserAccountControl:1.2.840.113556.1.4.803:=2))"
But this is working in any active directory tool as ldap filter

Instead this one works (for now)
set account-key-filter "(&(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

Mention the addition ( before ! and ) at the end

Thanks for sharing, Wurstsalat :)

I'm not entirely sure if this would count as a bug or not, the debug options on Fortigate don't show very much if the FortiGate has issues with the LDAP filter syntax (and it doesn't explain why the first filter was working for you for a bit).

If I find the time, I'll do some tests in the lab to see why syntax is accepted by the FortiGate and/or fails later.