Hi there,
A colleague decided that structuring Active Directory Groups was his contribution to life's richness.
On some users, when recursion is enabled, I get a list of hundreds of groups.
My question is... could this cause issues with the FSSO fabric connector? I'm getting some inconsistency with authentication which seems to go away without recursion.
Any thoughts?
Cheers
Jon
Hi Jon,
Thanks for "his contribution to life's richness", it made my day, still smiling a bit.
Yes, too many groups might bring you troubles with authd/fssod (FSSO).
Therefore I would strongly suggest using Group Filters for every FSSO setup, and not just for situations where someone's colleague got over-creative with group amounts or naming.
This way your FortiGate (FGT hereinafter) will get a list of just the user groups truly and intentionally used in FSSO and firewall policies.
Not just everything, even system groups like "CN=FAC OPERATORS" :D
If you set your FGT and FSSO connector with LDAP, then choose just the groups you are interested in, and your Collector is a standalone one, then during connection to this Collector the FGT will push a group filter, specific to this FGT, to the Collector's Group Filter. And you might be fine.
It might be desirable to set the FSSO connector without LDAP on the FGT, so that the Group Filter (either a specific one for this particular FGT, or the Global one) governs which groups are pulled from the Collector to the FGT.
Either way they are gathered/set, those will appear in the CLI as records under 'config user adgrp'.
They can then be used in firewall user groups, for later use in firewall policies.
With FortiAuthenticator (FAC hereinafter) as Collector Agent, there is a difference: groups are always pulled from the FAC to the FGT, so having LDAP in the FSSO connector towards the FAC is useless.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
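To make the effect Tomas describes concrete, here is an added example (not from the original thread and not Fortinet code) that walks nested AD group membership for one user, the way recursion does, and then applies a group filter so only the groups intentionally used in policy remain. The directory, the user DN and the filter set are all constructed for the example; the circular nesting between two groups is deliberate, since AD allows it and a naive recursive walk would loop on it.

```python
"""Nested AD group expansion vs. an FSSO-style group filter (constructed sample)."""
from collections import defaultdict, deque


def group_dn(name):
    """Build a group DN in the constructed sample domain."""
    return f"CN={name},OU=Groups,DC=example,DC=local"


# Constructed sample user and directory: group DN -> its direct members
# (users or other groups). A real deployment would read this over LDAP.
JON = "CN=jon,OU=Users,DC=example,DC=local"
DIRECTORY = {
    group_dn("VPN Users"): {JON},
    group_dn("Finance"): {group_dn("VPN Users")},
    group_dn("All Staff"): {group_dn("Finance"), group_dn("Engineering")},
    group_dn("Engineering"): {group_dn("All Staff")},   # circular nesting
    group_dn("FAC OPERATORS"): {group_dn("All Staff")},  # system group nobody uses in policy
    group_dn("Printer Admins"): set(),                    # unrelated, jon is not in it
}

# Constructed group filter: the only groups referenced by firewall policies.
GROUP_FILTER = {group_dn("VPN Users"), group_dn("Finance")}


def build_member_of(directory):
    """Invert group->members into principal->groups that list it directly."""
    member_of = defaultdict(set)
    for group, members in directory.items():
        for member in members:
            member_of[member].add(group)
    return member_of


def effective_groups(directory, principal, recursive=True):
    """Groups a principal belongs to. With recursive=True the walk follows
    nested group membership; the 'found' set stops circular nesting looping."""
    member_of = build_member_of(directory)
    found = set()
    queue = deque(member_of.get(principal, ()))
    while queue:
        group = queue.popleft()
        if group in found:
            continue
        found.add(group)
        if recursive:
            queue.extend(member_of.get(group, ()))
    return found


def apply_group_filter(groups, group_filter):
    """Keep only the groups the firewall actually references."""
    return {g for g in groups if g in group_filter}


if __name__ == "__main__":
    direct = effective_groups(DIRECTORY, JON, recursive=False)
    nested = effective_groups(DIRECTORY, JON)
    print(len(direct), "direct;", len(nested), "with recursion;",
          len(apply_group_filter(nested, GROUP_FILTER)), "after filter")
```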