Support Forum
Piotras
New Contributor

LDAP Query

I have configured authentication for FSSO and I want to create a report in FortiAnalyzer where the user belongs to a particular group or organizational unit. Theoretically, I may use an LDAP Query; however, it is nowhere described what the benefit of this is. Does anyone know how this works?

FortiGate 5.2, FortiAnalyzer 5.2, FSSO 4.3.0156 - AD access mode: standard

Regards
2 Solutions
hzhao_FTNT

LDAP works OK on FAZ5.2.1 and 5.0.10. 

 

hz


19 replies
xinger
New Contributor III

hzhao_FTNT wrote:

could you try: Group equal to "ABC-XY-Information Technology"

By design, when there is a space, we have to use double quotation marks in the filter.

 

I hadn't thought to do that, so I've tried it now. However, I'm unable to type a double quotation mark in that field. I can type all other "special characters", but not the double quotation mark. I can't even paste a double quotation mark into the field. Weird. I've tried with both Chrome and IE11.

hzhao_FTNT

You are right, I cannot input a double quotation mark either. I will check with the dev team to see if it is a bug or a new design.

 

Thanks,

hz

hzhao_FTNT

Confirmed from the GUI team. It is a new feature that we do not allow the user to input double quotation marks. When the user inputs a space, double quotation marks will be added automatically. We do have an issue with querying a group name that contains a space; it returns (false) in the back end. I will open a bug for it.

 

Thanks,

hz

LVARELA

I want to create a FortiAnalyzer report where user belongs to a particular group or organizational unit.

Is the LDAP Query option in the report filter still working for this purpose in 5.6.1?

hzhao_FTNT

Yes, we verified it OK on 5.6.1 release.

LVARELA

Thanks.

 

Is there a step-by-step guide to get it working?

I tried using the GUI and CLI as mentioned in this thread, but the filter doesn't work.

I can't filter reports based on LDAP OU.

hzhao_FTNT

Hi there, if you followed the steps in the threads above but the LDAP filter still doesn't work, please open a support ticket with FortiCare.

 

Regards,

hz

AtiT
Valued Contributor

Hello,

I have a request from the customer to search for the users in LDAP and create a report according to group membership, which is exactly what is described above.

My problem is that we have KERBEROS authentication, where the username in the logs looks like this: username@DOMAIN.COM

 

Probably that is the problem, as the LDAP query returns results such as: CN=user,OU=test,DC=domain,DC=com

The CN is returned as a result but not the UPN (userPrincipalName); maybe the UPN would help?

 

Is there a solution to get it to work with KERBEROS-authenticated users?

AtiT
hzhao_FTNT

Hi AtiT,

 

I don't have an environment for LDAP with KERBEROS; maybe you can modify your LDAP server setting on FAZ with the UPN and give it a try:

config system admin ldap
    edit <ldap-server>
        set cnid userPrincipalName
        set attributes member,userPrincipalName
    next
end
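To illustrate why the lookup attribute matters for Kerberos-style usernames (log user field carries a UPN, but the default cnid is cn), here is an added Python example; it is not FortiAnalyzer's code. The directory entries, group DN and log usernames are constructed, and the matching emulates an AD search against the filter the function builds.

```python
# Constructed sample data (not a real domain): entries as an AD LDAP search
# would return them, plus the user field as it appears in FortiAnalyzer logs.
DIRECTORY = [
    {"cn": "jdoe", "userPrincipalName": "jdoe@DOMAIN.COM",
     "memberOf": ["CN=ABC-XY-Information Technology,OU=Groups,DC=domain,DC=com"]},
    {"cn": "asmith", "userPrincipalName": "asmith@DOMAIN.COM",
     "memberOf": ["CN=Sales,OU=Groups,DC=domain,DC=com"]},
]
LOG_USERS = ["jdoe@DOMAIN.COM", "asmith@DOMAIN.COM", "bob@DOMAIN.COM"]
IT_GROUP = "CN=ABC-XY-Information Technology,OU=Groups,DC=domain,DC=com"


def escape_filter_value(value):
    """RFC 4515 escaping: backslash, '*', '(', ')' and NUL become \\XX.
    A space in a group name needs no escaping at the LDAP level."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def membership_filter(cnid, user, group_dn):
    """Filter an LDAP search would send: match the log username on the
    configured cnid attribute (cn or userPrincipalName) AND the group DN."""
    return "(&(%s=%s)(memberOf=%s))" % (
        cnid, escape_filter_value(user), escape_filter_value(group_dn))


def lookup(cnid, user):
    """Emulate the search against the constructed directory; AD compares
    cn and userPrincipalName case-insensitively."""
    for entry in DIRECTORY:
        if entry.get(cnid, "").lower() == user.lower():
            return entry
    return None


def users_in_group(log_users, cnid, group_dn):
    """Report filter: keep log users whose entry lists group_dn in memberOf."""
    return [u for u in log_users
            if (e := lookup(cnid, u)) and group_dn in e["memberOf"]]


if __name__ == "__main__":
    print(membership_filter("userPrincipalName", "jdoe@DOMAIN.COM", IT_GROUP))
    # With cnid=cn the UPN-style log names never match the directory ...
    print(users_in_group(LOG_USERS, "cn", IT_GROUP))                 # []
    # ... with cnid=userPrincipalName the IT member is found.
    print(users_in_group(LOG_USERS, "userPrincipalName", IT_GROUP))  # ['jdoe@DOMAIN.COM']
```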

 

AtiT
Valued Contributor

Thank you for your reply, unfortunately it does not work.

AtiT