Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Yesolo
New Contributor II

Created on ‎10-12-2023 01:43 AM

Fortigate change username mapping from AD

When create users from LDAP server (in my case, Microsoft AD server), the ID (username on Fortigate) of created user is actually "display name" of this user in AD. The request is to change the username on Fortigate from this display name to "sAMAccountName" or "userPrincipalName". Is it possible? And how?

 

 

836
0 Kudos
1 Solution
bpozdena_FTNT
Staff
Staff

Created on ‎10-12-2023 02:48 AM

Yes, it's possible to change. By default LDAP users will be imported based on their 'CN' attribute, which is usually the same as 'DisplayName'.

 

You will need to change the CNID value under your LDAP profile to change the behavior.

 

For instance, if you want your users to be imported with usernames based on the 'userPrincipalName' attribute, use the bellow configuration:

config user ldap
    edit "YOUR-LDAP-PROFILE-NAME"
        set cnid "userPrincipalName"
    next
end

 

If you want the imported usernames be based on the 'sAMAccountName', simply change the settings as bellow:

config user ldap
    edit "YOUR-LDAP-PROFILE-NAME"
        set cnid "sAMAccountName"
    next
end

 

Just note that after you change the value, you will need to delete and re-import all users again.

HTH,
Boris

View solution in original post

803
5 REPLIES 5
Yesolo
New Contributor II

Created on ‎10-12-2023 01:56 AM

Snapshot:7848310.png

828
0 Kudos
Durga_Ashwath
Staff
Staff

Created on ‎10-12-2023 02:18 AM

Hi Team,

Pleased o follow the below document:
https://docs.fortinet.com/document/fortigate/6.4.2/administration-guide/795593/use-active-directory-...

Regards,
Durga A

811
Yesolo
New Contributor II
In response to Durga_Ashwath

Created on ‎10-12-2023 06:18 PM

Hi, thanks for the reply, but we don't have a FSSO Collector Agent now, we will try this later if other solutions don't work.

779
0 Kudos
bpozdena_FTNT
Staff
Staff

Created on ‎10-12-2023 02:48 AM

Yes, it's possible to change. By default LDAP users will be imported based on their 'CN' attribute, which is usually the same as 'DisplayName'.

 

You will need to change the CNID value under your LDAP profile to change the behavior.

 

For instance, if you want your users to be imported with usernames based on the 'userPrincipalName' attribute, use the bellow configuration:

config user ldap
    edit "YOUR-LDAP-PROFILE-NAME"
        set cnid "userPrincipalName"
    next
end

 

If you want the imported usernames be based on the 'sAMAccountName', simply change the settings as bellow:

config user ldap
    edit "YOUR-LDAP-PROFILE-NAME"
        set cnid "sAMAccountName"
    next
end

 

Just note that after you change the value, you will need to delete and re-import all users again.

HTH,
Boris
804
Yesolo
New Contributor II
In response to bpozdena_FTNT

Created on ‎10-12-2023 06:24 PM

Hi, it works, thank you very much!

777
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.