Hi!
I am in a situation where I need to set up an LDAPS connection to an OpenLDAP server that uses POSIX accounts and groups, meaning it does not have a memberOf attribute to check user group memberships. This group check would need to happen using gidNumber (group ID) from the user data, or from the group data using the memberUid attribute. Here is what I have been trying to get to work so far.
I have been Googling how to do this for a couple of hours now.
A sample OpenLDAP structure:
DC=acme,DC=local
- OU=department
- - OU=Users
- - - UID=timothy.tester
- - - UID=david.demo
- - - UID=donald.duck
- - - UID=mickey.mouse
- - OU=Groups
- - - CN=SMS
- - - CN=VPN
- - - CN=Others
- - uid=admin
SMS group has attributes as:
objectClass=posixGroup
gidNumber=12345 (the group ID)
cn=SMS
memberUid=timothy.tester
User Timothy Tester has attributes as:
objectClass posixAccount
displayName=Timothy Tester
uidNumber=11111 (user ID)
gidNumber=12345 (the group ID of SMS group)
uid=timothy.tester
userPassword= ...
VPN group has attributes as:
objectClass=posixGroup
gidNumber=67890 (the group ID)
cn=VPN
memberUid=david.demo
User David Demo has attributes as:
objectClass posixAccount
displayName=David Demo
uidNumber=22222 (user ID)
gidNumber=67890 (the group ID of VPNgroup)
uid=david.demo
userPassword= ...
What I am trying to do is set up SSL VPN login with these two LDAP groups, SMS and VPN. However, I am unable to fetch the group data correctly.
OpenLDAP config part:
config user ldap
    edit "OpenLDAP"
        set server "192.168.0.65"
        set cnid "uid"
        set dn "ou=department,dc=acme,dc=local"
        set type regular
        set username "uid=admin,dc=openldap,dc=lab"
        set password ENC YCb6XWMMo...
        set group-member-check posix-group-object
        set secure ldaps
        set port 636
    next
end
User groups config part:
config user group
    edit "SMS group users"
        set member "OpenLDAP"
        config match
            edit 1
                set server-name "OpenLDAP"
                set group-name "cn=SMS,ou=groups,ou=department,dc=acme,dc=local"
            next
        end
    next
    edit "VPN group users"
        set member "OpenLDAP"
        config match
            edit 1
                set server-name "OpenLDAP"
                set group-name "cn=VPN,ou=groups,ou=department,dc=acme,dc=local"
            next
        end
    next
end
I have been playing with the OpenLDAP config and I have tried with "set group-member-check posix-group-object" and without it, as well as with "set member-attr memberUid". I have been trying and trying without any success.
Any ideas how to solve the problem and make the FortiGate able to read the group data correctly? Thank you in advance!
Running on version 6.0.5.
Hi.
This reply comes late, but I hope it helps people further.
fnbamd helped me figure out why the authentication failed:
diagnose debug enable
diagnose debug application fnbamd 255
The solution for OpenLDAP is to use:
config user ldap
    edit <entity>
        set group-filter "(&(objectclass=posixgroup)(memberuid:=%u))"
    next
end
I later found an old post with the same configuration parameters for OpenLDAP:
You should also modify the memberUid value in the posix group in LDAP. Don't use the username alone. Modification:
uid=<username>,ou=users,dc=<domain>,dc=<domain>
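The following is an added example, not code from either post or from Fortinet. It models the sample directory from the question as in-memory entries and shows what the two membership checks discussed in the thread return for each user: the gidNumber check (user's primary group) and the memberUid check, which is what the reply's group-filter performs on the server. It accepts memberUid in both the bare-uid form from the question and the DN form the reply recommends. It also shows what the reply's filter looks like once %u is substituted, with the username escaped per RFC 4515 so a username cannot alter the filter's structure. The attributes of donald.duck and mickey.mouse, the Others group's gidNumber and all uidNumber values other than those in the question are assumed values.

```python
# Added example (not from the forum thread): posix group membership checks on
# the question's sample directory, plus RFC 4515 escaping of %u in the
# reply's group-filter. Entries marked "assumed" are not given on the page.
from typing import Dict, List, Optional

BASE = "ou=department,dc=acme,dc=local"

# uid -> posixAccount attributes
USERS: Dict[str, Dict[str, str]] = {
    "timothy.tester": {"uidNumber": "11111", "gidNumber": "12345"},
    "david.demo": {"uidNumber": "22222", "gidNumber": "67890"},
    "donald.duck": {"uidNumber": "33333", "gidNumber": "99999"},   # assumed
    "mickey.mouse": {"uidNumber": "44444", "gidNumber": "12345"},  # assumed
}

# cn -> posixGroup attributes. memberUid holds either a bare uid (question)
# or a full DN (reply's recommendation); both are handled below.
GROUPS: Dict[str, Dict[str, object]] = {
    "SMS": {"gidNumber": "12345", "memberUid": ["timothy.tester"]},
    "VPN": {"gidNumber": "67890", "memberUid": ["david.demo"]},
    "Others": {"gidNumber": "99999",                              # assumed
               "memberUid": [f"uid=donald.duck,ou=users,{BASE}"]},  # assumed
}


def member_uid_matches(value: str, uid: str) -> bool:
    """True if a memberUid value names `uid`, whether bare or as a DN."""
    first_rdn = value.split(",", 1)[0]
    attr, sep, rdn_value = first_rdn.partition("=")
    if sep and attr.strip().lower() == "uid":
        value = rdn_value
    # uid uses caseIgnoreMatch in the standard schema: compare case-insensitively
    return value.strip().lower() == uid.lower()


def primary_group(uid: str) -> Optional[str]:
    """Check 1: the group whose gidNumber equals the user's gidNumber."""
    user = USERS.get(uid)
    if user is None:
        return None
    for cn, attrs in GROUPS.items():
        if attrs["gidNumber"] == user["gidNumber"]:
            return cn
    return None


def groups_by_member_uid(uid: str) -> List[str]:
    """Check 2: groups that list the user in memberUid (what the reply's filter tests)."""
    return sorted(cn for cn, attrs in GROUPS.items()
                  if any(member_uid_matches(v, uid) for v in attrs["memberUid"]))


def effective_groups(uid: str) -> List[str]:
    """Union of both checks; a real deployment uses one or the other."""
    groups = set(groups_by_member_uid(uid))
    primary = primary_group(uid)
    if primary:
        groups.add(primary)
    return sorted(groups)


def is_allowed(uid: str, allowed_groups: List[str]) -> bool:
    """Would this user pass a user-group match on `allowed_groups`?"""
    return bool(set(effective_groups(uid)) & set(allowed_groups))


# RFC 4515 escaping for a value interpolated into a search filter. The
# FortiGate performs the %u substitution itself; this shows what the
# substituted filter must look like for an arbitrary username.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

GROUP_FILTER = "(&(objectclass=posixgroup)(memberuid:=%u))"  # from the reply


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(username: str, template: str = GROUP_FILTER) -> str:
    return template.replace("%u", escape_filter_value(username))


if __name__ == "__main__":
    for uid in USERS:
        verdict = "allow" if is_allowed(uid, ["SMS", "VPN"]) else "deny"
        print(f"{uid:15} primary={primary_group(uid)!s:7} "
              f"memberUid={groups_by_member_uid(uid)} sslvpn={verdict}")
    print(build_group_filter("timothy.tester"))
    print(build_group_filter("*)(objectclass=*"))
```

Running it shows why the two checks are not interchangeable: mickey.mouse (assumed gidNumber 12345) is in SMS by gidNumber but not by memberUid, so a filter on memberUid denies a user whose only link to the group is the primary gid, and donald.duck is only found because the DN form in memberUid is parsed back to the uid. Whichever convention the directory uses for memberUid has to be the one the group-filter compares against, and the escaped filter output shows that the substituted value stays a literal even when it contains filter metacharacters.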