Support Forum
FortiRack_Eric
New Contributor III

LDAP access with sAMAccountName

Hello all, has anyone had any luck and/or succeeded in using the sAMAccountName to login? I've succeeded using the 'UPN' (Universal Principal Name) or 'Display Name', but the client wants to login using sAMAccountName. Thanks, Cheers, Eric

Rackmount your Fortinet --> http://www.rackmount.it/fortirack

Not applicable

hi, a bit late, but maybe this still helps. I'm running 3.0MR5p2 (568) and have successfully configured that. I can login (IPSEC with XAUTH to MS-AD via LDAP in my case) with samaccountname, although it was a bit tricky because of the unclear documentation. Additionally, in my config group membership is checked. In short: you have to configure the cnid (cn) variable as samaccountname. In the CLI:
 config user ldap
 edit ad_ldap
 set server "dc.mydomain.at"
 set dn "DC=mydomain,DC=at"
 set cnid samaccountname
 set type regular
 set username "CN=ldapsearch,OU=toolbox,DC=mydomain,DC=at"
 set password xxx
 set group "CN=ipsecdialup,OU=toolbox,DC=mydomain,DC=at"
 set filter (&(objectcategory=group)(objectclass=group)(member=*))
 next
 end

You have to provide a user (his DN) to search the LDAP tree (ldapsearch here) and the search base (the dn variable). Debug helped me a lot:
 diagnose debug application fnbamd -1
 diagnose debug enable

regards
os
New Contributor

hello, many thanks for the info :) I have also set up IPSEC with XAuth as above and it is working; however, on some occasions the authentication doesn't succeed the first time. I know the username and password are entered correctly because they have been saved, so the same credentials are used each time. I am using the FortiClient software to dial in remotely. I have also got this working with SSL VPNs and notice a similar issue. Has anybody else experienced similar issues? Kind Regards.
os
New Contributor

Does anybody else experience an occasional failed login attempt when using SSL VPN / IPSEC (FortiClient) when the XAuth is forwarded to an external LDAP server (e.g. Active Directory) ... even when the login credentials are entered correctly? I am testing with a Fortigate 60. Do you think this might be an issue with the hardware of the firewall? Kind Regards.
os
New Contributor

I think I have found the reason. I was running Windows 2003 Server in a Virtual Machine. I have now installed this on its own dedicated box and am not seeing this issue any more :) Hope that may be useful for anybody else seeing similar issues in their testing. Regards.
Carsten_Buchenau
New Contributor

Just an add-on to wozu's explanation (Thanks!): It looks like the AD Server requires authentication (set type regular, username & password) if you query other LDAP attributes than CN - so for cnid=samaccountname, you HAVE to authenticate to the AD Server! Cheers, carsten

Carsten Buchenau EDIFICE COMMUNICATIONS SA Lausanne, Switzerland
fcb
Contributor

This is one fantastic thread!!!!!! Worked like a charm and saved me a ton of time.
Not applicable

set filter (&(objectcategory=group)(objectclass=group)(member=*))
Great information, though I still cannot get authentication with Active Directory groups to work. I have created a new OU with two new groups with test accounts, using the configuration from this thread. No luck. The debug looks like this:

fnbamd_ldap.c[612] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_fsm.c[933] poll_auth-Continue pending for req 10
fnbamd_ldap.c[183] get_all_dn-Found no DN
fnbamd_ldap.c[202] start_next_dn_bind-No more DN left
fnbamd_ldap.c[555] fnbamd_ldap_get_result-No more DN
fnbamd_ldap.c[686] fnbamd_ldap_get_result-Going to DONE state res=1
fnbamd_auth.c[961] fnbamd_auth_poll-Result for ldap svr x.x.x.x is denied
fnbamd_comm.c[128] fnbamd_comm_send_result-Sending result 1 for req 10
authenticate 'groupatest' against 'SSLGroupA' failed!

I successfully authenticate with LDAP against an OU without groups, but I need to be able to use group membership for different users. What am I missing? Thanks!
Not applicable

fnbamd_ldap.c[183] get_all_dn-Found no DN
fnbamd_ldap.c[202] start_next_dn_bind-No more DN left
fnbamd_ldap.c[555] fnbamd_ldap_get_result-No more DN

Seems like you did not define the base to start the search from, i.e. the root of your LDAP directory, "DC=domain,DC=com"? You need that for searching through the tree... regards
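To make the pieces of this thread concrete (wozu's config with cnid=samaccountname, Carsten's point that the lookup needs a bind account, and the "Found no DN" result above when the search base is wrong), here is an added Python model of the lookup a FortiGate performs. It is not Fortinet's code and not fnbamd's logic: the directory entries, passwords and DNs are constructed, the refusal of anonymous searches reflects Active Directory's default behaviour, and the substitution of the user's DN for `*` in the group filter is an assumption about how the configured filter is applied. It also goes one step beyond the thread by escaping the login name per RFC 4515 (`escape_value`) so that a name containing filter metacharacters cannot change the search.

```python
# Added example (not Fortinet's code): model of the cnid=sAMAccountName lookup
# against a constructed in-memory directory. DN -> attributes (names lower-cased).
DIRECTORY = {
    "CN=ldapsearch,OU=toolbox,DC=mydomain,DC=at": {
        "objectclass": ["user"], "samaccountname": ["ldapsearch"],
        "userpassword": ["svc-secret"]},
    "CN=Eric Example,OU=staff,DC=mydomain,DC=at": {
        "objectclass": ["user"], "samaccountname": ["eric"],
        "userpassword": ["eric-pw"]},
    "CN=Bob Example,OU=staff,DC=mydomain,DC=at": {
        "objectclass": ["user"], "samaccountname": ["bob"],
        "userpassword": ["bob-pw"]},
    "CN=ipsecdialup,OU=toolbox,DC=mydomain,DC=at": {
        "objectclass": ["group"], "objectcategory": ["group"],
        "member": ["CN=Eric Example,OU=staff,DC=mydomain,DC=at"]},
}

# The thread's "config user ldap" entry as a dict (constructed values).
LDAP_CFG = {
    "dn": "DC=mydomain,DC=at",            # search base ("set dn")
    "cnid": "samaccountname",             # attribute matched against the login name
    "username": "CN=ldapsearch,OU=toolbox,DC=mydomain,DC=at",  # "set type regular" bind account
    "password": "svc-secret",
    "group": "CN=ipsecdialup,OU=toolbox,DC=mydomain,DC=at",
    "filter": "(&(objectcategory=group)(objectclass=group)(member=*))",
}


def parse_filter(text):
    """Parse an RFC 4515 filter into ('&'|'|'|'!', [subs]) or ('=', attr, value)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":                    # compound filter: list of sub-filters
            pos += 1
            subs = []
            while text[pos] == "(":
                subs.append(node())
            pos += 1                       # consume closing ')'
            return (op, subs)
        end = text.index(")", pos)         # simple item: attr=value
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr.strip().lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, attrs):
    """Evaluate a parsed filter against one entry (AD values are case-insensitive)."""
    op = tree[0]
    if op == "&":
        return all(matches(t, attrs) for t in tree[1])
    if op == "|":
        return any(matches(t, attrs) for t in tree[1])
    if op == "!":
        return not matches(tree[1][0], attrs)
    _, attr, value = tree
    values = attrs.get(attr, [])
    if value == "*":                       # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def search(base_dn, flt, bound):
    """Subtree search under base_dn. AD by default answers anonymous searches
    with nothing beyond the rootDSE, hence the need for a bind account."""
    if not bound:
        return []
    tree, base = parse_filter(flt), base_dn.lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if (dn.lower() == base or dn.lower().endswith("," + base))
            and matches(tree, attrs)]


def bind(dn, password):
    """Simple bind: the DN must exist and the password must match."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userpassword", [])


def escape_value(s):
    """RFC 4515 escaping so a login name cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in s)


def authenticate(cfg, login, password):
    """Mirror the steps fnbamd goes through; reasons echo the thread's debug lines."""
    if not bind(cfg["username"], cfg["password"]):
        return False, "search-account bind failed"
    # 1. Resolve the login name to a DN under the configured base.
    found = search(cfg["dn"], "(%s=%s)" % (cfg["cnid"], escape_value(login)), bound=True)
    if not found:
        return False, "Found no DN"        # wrong/missing base DN or unknown user
    user_dn = found[0]
    # 2. Bind as that DN to verify the password.
    if not bind(user_dn, password):
        return False, "user bind failed"
    # 3. Group check. Assumption: the user's DN is substituted for '*' in the filter.
    if cfg.get("group"):
        groups = search(cfg["dn"], cfg["filter"].replace("*", user_dn), bound=True)
        if not any(g.lower() == cfg["group"].lower() for g in groups):
            return False, "not a member of " + cfg["group"]
    return True, "accepted"
```

Running `authenticate(LDAP_CFG, "eric", "eric-pw")` returns `(True, "accepted")`, while the same call with the base changed to an OU that does not contain the user returns `(False, "Found no DN")`, which is the situation the debug output in the post above describes.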
CfSi_Dan
New Contributor

Followed the directions as outlined in this thread. (Thanks for those!) Here is what I got from the diag command:

fnbamd_fsm.c[934] handle_req-Rcvd 7 req
fnbamd_acct.c[274] fnbamd_acct_start_STOP-Invalid params
fnbamd_fsm.c[443] create_acct_session-Error start acct type 7
fnbamd_fsm.c[939] handle_req-Error creating acct session 7

Here's what the config looks like for me:

show config user ldap
 edit "xxxxx.com"
 set server "192.168.xxx.xxx"
 set cnid "samaccountname"
 set dn "DC=xxxxx,DC=xxxxx"
 set type regular
 set username "CN=ldap,CN=Users,DC=xxxxx,DC=xxxx"
 set password ENC 9yLWW7OgSLo19Y+NBvb3saYDNQauMQKkQgJtgjnQnexYE0I7xAyXEf9AAWvHYw7Va654BUFIjfRi3MP82cgaldQZz8nXal7O1hBPDHY1F9ZOzrTn
 set group "cn=ldap_query,CN=Users,DC=xxxxx,DC=xxxxxx"
 set filter "(&(objectcategory=group)(objectclass=group)(member=*))"
 next
 end

Any ideas on what I'm missing? Thanks for your help in advance.

Fortigate 200D HA A/P Cluster FAZ VM