FreeIPA with FSSO
Hello
Has anyone tried integrating FreeIPA with FSSO, for example by sending syslog from the LDAP server to the FSSO agent or FortiAuthenticator, or any other method?

Labels: FortiAuthenticator, FortiGate
Syslog can potentially work fully independently (taking both username and group from the message), or do membership lookup via relatively configurable LDAP lookups (the Collector Agent has a separate LDAP config for Syslog), so I would expect both to work with Syslog.
Just keep in mind that there will be no dynamic IP change detection or logout detection. This will fully rely on the Syslog source sending these updates too.
Another possibility could be translating RADIUS accounting messages into FSSO. Same workflow as with Syslog: Receive > process (optionally LDAP group lookup) > generate FSSO session.
Other MS AD-integrated methods (event log scraping, DC Agents, FSSOMA) are not expected to work at all.
Thanks Minarik
Any document describing the procedure?
You could try this doc to get an idea of how to configure it: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-Fortinet-Single-Sign-On-FSSO-for...
The core is getting a sample of the Syslog messages and setting up the parsing rules for them. Then you need to decide if you can use the message itself for learning user groups, or whether to use LDAP for group lookups (in which case you will need to configure the LDAP portion, which is done similarly to configuring FortiGate/FAC as LDAP clients: you need to know how your LDAP tracks group membership, and then set the filters/objectClasses for it in the config).
There is a test field in the Collector/FAC so you can paste in the Syslog message and directly test if the filters match and extract the values correctly.
Thanks again Minarik, I appreciate your help.
There is also this: https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/492458/fsso-using-syslog-as-...
While it is located in FGT 7.6.0 documentation, it does apply to any FSSO Collector Agent newer than version 5.0.0291.
Thanks Debbie. I'll try to do the same for my FreeIPA.