Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jond
New Contributor III

LDAP, recursion, AD Groups and buffers? (AD Fabric Connector)

Hi there,

 

A colleague decided that structuring Active Directory Groups was his contribution to life's richness.

 

On some users, when recursion is enabled, I get a list of 100's of groups.

 

My question is... could this cause issues with the FSSO fabric connector?  I'm getting some inconsistency with authentication which seems to go away without recursion.

 

Any thoughts?

 

Cheers

Jon

 

1 REPLY 1
xsilver_FTNT
Staff
Staff

Hi Jon,

thanks for "his contribution to life's richness" , it made my day, still smiling a bit.

 

Yes, too many groups might bring you troubles with authd/fssod (FSSO).

 

Therefore I would strongly suggest to use Group Filters for every FSSO setup, and not just for situations where someone's colleague got over-creative with group amounts or naming.

As this way your FortiGate (FGT hereinafter) will get a list of just user groups truly and intentionally used in FSSO and firewall policies.

Not just everything and even system groups like "CN=FAC OPERATORS" :D

 

If you set your FGT and FSSO connector with LDAP, then choose just groups you are interested in, and your Collector is standalone one, then during connection to this Collector FGT will push group filter, specific for this FGT, to Collector's Group Filter. And you might be fine.

It might be desirable to set FSSO connector without LDAP on FGT, and so Group Filter (either specific one for this particular FGT, or Global one) will govern which groups will be pulled from Collector to FGT.

Either way gathered/set, those will appear in CLI as records under 'config user adgrp'.

And then could be used in firewall user groups for later use in firewall policies.

 

With FortiAuthenticator (FAC hereinafter) as Collector Agent, there is a difference that groups are always pulled from FAC to FGT. So having LDAP in FSSO connector towards FAC is useless.

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Labels
Top Kudoed Authors