I'm hoping I'm missing something simple that someone will be able to help me with.
I'm trying to point a FortiGate running v5.4.3, build 1111 (GA) at our LDAP server and use a group from the LDAP server in a Fortinet group, especially because that seems to be the only way to have an LDAP user be granted Global Admin access too. The problem I'm running into is that we do not use MS-AD. Our LDAP is 389DS, aka Red Hat Directory Server, which is very similar to generic OpenLDAP. I can authenticate users from our LDAP by creating individual "Remote LDAP Users" on the FortiGate and then adding those users to a FortiGate group. That still does not work for Global Admin, though.
The documentation and examples for anything other than AD are very sparse, but there are references to non-AD LDAP groups in the CLI guide and if you use the ? at the CLI. The CLI guide does not, however, go into any details about the additional options. Does anyone have a working example without using the dynamic user attribute memberOf? I don't care if I use POSIX-style groups or a groupOfNames at this point.
I have found some old documentation like this that actually shows specifying a group requirement ("set group") when defining the LDAP server, but that option no longer seems to exist and seems to have been replaced by specifying a remote LDAP server and group inside of a Fortinet group: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=13141
I've also noticed that even though the GUI has an option for anonymous LDAP binds (and that works for other applications I have), the anonymous bind option seems to be broken and I have to do an authenticated bind and search. Maybe the LDAP code got revised and changed for v5.x and non-AD LDAP was not really tested? Watching the debug on the FortiGate, and even doing a packet capture of the traffic from the FortiGate to the LDAP server, it does not seem to even be using the settings I have set and is just doing its LDAP queries assuming an AD LDAP.
Here is my current LDAP config.
config user ldap
    edit "KanREN-LDAP"
        set server "<redacted>.kanren.net"
        set secondary-server "<redacted>.kanren.net"
        set tertiary-server "<redacted>.kanren.net"
        set cnid "uid"
        set dn "dc=kanren,dc=net"
        set type regular
        set username "cn=<redacted>,ou=<redacted>,dc=kanren,dc=net"
        set password <redacted>
        set group-member-check posix-group-object
        set group-object-filter "(&(objectclass=posixgroup)(memberuid=*))"
        set group-object-search-base "ou=Groups,dc=kanren,dc=net"
        set secure starttls
        set member-attr "memberUid"
    next
end
config user group
    edit "LDAP-netadm"
        set member "KanREN-LDAP"
        config match
            edit 1
                set server-name "KanREN-LDAP"
                set group-name "cn=netadm,ou=Groups,dc=kanren,dc=net"
            next
        end
    next
end
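Added example (written for this page; it is not the poster's code and not Fortinet's): the post above is stuck on the difference between two group-membership conventions, and the config names both of them in `group-member-check`. With `posix-group-object` the group entry lists login names in `memberUid`; with a `groupOfNames` the group entry lists full user DNs in `member`. The script below models both checks against a constructed in-memory directory using the poster's naming (`dc=kanren,dc=net`, `ou=Groups`, `cn=netadm`; the user entries and the second group are invented), so you can see which attribute each mode needs the directory to carry. It does not claim to reproduce FortiOS's actual query sequence, which this thread does not establish; the `ldapsearch_for_posix_check` helper only builds the equivalent manual query with standard OpenLDAP client flags (`-ZZ` for mandatory STARTTLS, `-H`, `-D`, `-W`, `-b`) so the filter can be confirmed on the 389DS side before blaming the FortiGate.

```python
"""Model the two LDAP group-membership checks a FortiGate 'config user ldap' can ask for.
Added example, not from the forum thread or from Fortinet. Directory data is constructed."""
import re

# Constructed LDIF: naming follows the poster's config, entries are invented for illustration.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=kanren,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
cn: Alice Example

dn: uid=bob,ou=People,dc=kanren,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
uid: bob
cn: Bob Example

dn: cn=netadm,ou=Groups,dc=kanren,dc=net
objectClass: posixGroup
cn: netadm
gidNumber: 5000
memberUid: alice

dn: cn=netadm-dn,ou=Groups,dc=kanren,dc=net
objectClass: groupOfNames
cn: netadm-dn
member: uid=alice,ou=People,dc=kanren,dc=net
"""


def normalize_dn(dn):
    """Case-fold and strip spaces around RDN separators so DN comparison is not cosmetic."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF reader: {normalized dn: {attr_lower: [values]}}.
    Handles only plain 'attr: value' lines (no base64 '::', no continuation lines),
    which is all the constructed sample uses."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = normalize_dn(value)
            else:
                attrs.setdefault(key, []).append(value)
        entries[dn] = attrs
    return entries


def has_objectclass(attrs, oc):
    return oc.lower() in (v.lower() for v in attrs.get("objectclass", []))


def find_user_dn(entries, cnid, login, base):
    """'set type regular' / 'set cnid uid': locate the user entry as (cnid=login) under the base DN."""
    base = normalize_dn(base)
    for dn, attrs in entries.items():
        if dn.endswith(base) and login in attrs.get(cnid.lower(), []):
            return dn
    return None


def posix_group_member(entries, group_dn, login, member_attr="memberUid"):
    """group-member-check posix-group-object: the group (objectClass posixGroup)
    lists bare login names in member-attr, not DNs."""
    attrs = entries.get(normalize_dn(group_dn))
    if attrs is None or not has_objectclass(attrs, "posixGroup"):
        return False
    return login in attrs.get(member_attr.lower(), [])


def dn_group_member(entries, group_dn, user_dn, member_attr="member"):
    """group-object style (e.g. groupOfNames): the group lists full user DNs in member-attr."""
    attrs = entries.get(normalize_dn(group_dn))
    if attrs is None:
        return False
    members = {normalize_dn(v) for v in attrs.get(member_attr.lower(), [])}
    return normalize_dn(user_dn) in members


def check_login(entries, login, group_dn, mode, base="dc=kanren,dc=net"):
    """Resolve the user first (as the FortiGate must, since it only has a login name),
    then apply the membership convention selected by 'mode'."""
    user_dn = find_user_dn(entries, "uid", login, base)
    if user_dn is None:
        return False
    if mode == "posix-group-object":
        return posix_group_member(entries, group_dn, login, "memberUid")
    if mode == "group-object":
        return dn_group_member(entries, group_dn, user_dn, "member")
    raise ValueError("unknown group-member-check mode: %s" % mode)


def ldapsearch_for_posix_check(host, bind_dn, search_base, login, member_attr="memberUid"):
    """Equivalent manual query for the 389DS side; host/bind DN are whatever you use."""
    filt = "(&(objectClass=posixGroup)(%s=%s))" % (member_attr, login)
    return ["ldapsearch", "-ZZ", "-H", "ldap://%s" % host, "-D", bind_dn, "-W",
            "-b", search_base, filt, "cn"]


if __name__ == "__main__":
    d = parse_ldif(SAMPLE_LDIF)
    for who in ("alice", "bob", "carol"):
        print(who, "posix:", check_login(d, who, "cn=netadm,ou=Groups,dc=kanren,dc=net", "posix-group-object"),
              "dn:", check_login(d, who, "cn=netadm-dn,ou=Groups,dc=kanren,dc=net", "group-object"))
    print(" ".join(ldapsearch_for_posix_check("ldap.example.net", "cn=svc,ou=Service,dc=kanren,dc=net",
                                              "ou=Groups,dc=kanren,dc=net", "alice")))
```

The point the two modes make concrete: a `posixGroup` carries `memberUid: alice`, so a DN-based check against it fails even though alice is a member, and a `groupOfNames` carries `member: uid=alice,...`, so a posix check against it fails for the same reason. Whichever convention the FortiGate actually queries has to match the objectClass the directory uses; running the generated `ldapsearch` from a shell (it prompts for the bind password) shows whether the filter returns the group at all before looking at the firewall's debug output.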
Hi! Did you fix this issue? I have an OpenLDAP on a CentOS... and I have a similar issue. Best regards
I never did get it working. Since we already have a RADIUS infrastructure in place for our staff, I just fell back to that for the admin access (but was still using LDAP for some non-privileged user things). I've not really had the time to try again, especially since we upgraded to 5.6.
Sorry for the delayed reply and that I couldn't be of much help. Please let me know if you find anything new.
Copyright 2025 Fortinet, Inc. All Rights Reserved.