hard to guess without seeing actual OpenLDAP objects.
Plus your first screenshot shows 4 records, but from the "ou=" I just guess that those might not actually be group (objectClass=posixGroup) or user (objectClass=posixAccount) types of objects, but OUs (Organizational Units).
Which, by the plus sign alongside them, might or might not contain some actual users.
However, my suggestion is to pay attention to how OpenLDAP object properties look and what the FortiAuthenticator config counterpart is.
Remote Auth. Servers / LDAP - which is the definition of your OpenLDAP used later in Sync
- to "User object class:" .. does the default "person" fit your OpenLDAP, and isn't the objectClass of your users posixAccount?
- similarly, what is "Group object class:" .. is posixGroup matching your OpenLDAP group definitions?
- next and important one: where to "Obtain group memberships from:" .. from under the user definition, as on AD where each user has its own MemberOf list, or from the group definition, where there is a list of members inside a group. And finally, does that attribute, like "member" or "memberUid", actually exist on OpenLDAP?
Because I can create a child object as posixAccount under the posixGroup which can have no member nor memberUid! But my phpLDAPadmin lets me create accounts and assign them to a group, which then springs memberUid as a property of that group. And that memberUid then contains the UserName-s of the actual users/members.
User Management / Remote User Sync Rules
- obviously check the BaseDN, but yours looks like it is pointing to the root of the LDAP tree
- LDAP filter .. seems to point to OU=DT, probably due to some objects with gidNumber=2205 on your second screenshot. That one also suggests that the filter matches just two users! Not many. If you do expect other users to be there, then do they have gidNumber=2205?
Probably not. But your filter requires both .. objectClass=posixAccount AND gidNumber=2205.
Not sure how yours are, but my users do have a single gidNumber as their primary group, while being members of multiple groups, and those groups do have their own gidNumber-s, but the list of members is, in my OpenLDAP, under the group as a list of memberUid values.
One other caveat of Remote User Sync Rules (RUSR) .. you might have everything OK, but some users were already synced and are already in "User Management / Remote Users", and so they will be updated by RUSR if needed, but if they are the same then they are not going to be re-synced and shown in the log. So only differences are synced and logged!
As the sync went OK according to your log, that might be your case.
Tom xSilver, planet Earth, over and out!
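The point the reply makes about the sync filter and memberUid, as an added example that is not part of the thread: a tiny in-memory model of posixAccount users and a posixGroup, plus a minimal matcher for the LDAP filter syntax, showing that adding gidNumber=2205 to the filter only returns users whose primary group is 2205 while the group's memberUid list holds the full membership. All entries, names and the base DN dc=example,dc=com are constructed sample data.

```python
# Added example (not code from the thread). Constructed sample directory:
# three posixAccount users under ou=DT and one posixGroup with a memberUid list.
ENTRIES = [
    {"dn": "uid=alice,ou=DT,dc=example,dc=com", "objectClass": ["posixAccount"],
     "uid": "alice", "gidNumber": "2205"},
    {"dn": "uid=bob,ou=DT,dc=example,dc=com", "objectClass": ["posixAccount"],
     "uid": "bob", "gidNumber": "2205"},
    {"dn": "uid=carol,ou=DT,dc=example,dc=com", "objectClass": ["posixAccount"],
     "uid": "carol", "gidNumber": "3000"},   # primary group is NOT 2205
    {"dn": "cn=dt,ou=Groups,dc=example,dc=com", "objectClass": ["posixGroup"],
     "cn": "dt", "gidNumber": "2205", "memberUid": ["alice", "bob", "carol"]},
]

def _parse(filt, i=0):
    """Parse a subset of RFC 4515 filters: (attr=value), (&...), (|...)."""
    i += 1                                   # skip the opening "("
    if filt[i] in "&|":
        op, i, subs = filt[i], i + 1, []
        while filt[i] == "(":
            node, i = _parse(filt, i)
            subs.append(node)
        return (op, subs), i + 1             # skip the closing ")"
    j = filt.index(")", i)
    attr, val = filt[i:j].split("=", 1)
    return ("=", attr.lower(), val.lower()), j + 1

def _match(entry, node):
    """Evaluate a parsed filter against one entry (attribute names/values case-insensitive)."""
    if node[0] == "=":
        key = next((k for k in entry if k.lower() == node[1]), "")
        vals = entry.get(key, [])
        vals = vals if isinstance(vals, list) else [vals]
        return node[2] in (v.lower() for v in vals)
    results = [_match(entry, n) for n in node[1]]
    return all(results) if node[0] == "&" else any(results)

def search(base_dn, filt):
    """Return the uid (or cn) of every entry under base_dn that satisfies the filter."""
    node, _ = _parse(filt)
    return sorted(e.get("uid", e.get("cn")) for e in ENTRIES
                  if e["dn"].lower().endswith(base_dn.lower()) and _match(e, node))

def group_members(group_cn):
    """Membership as read from the group object: its memberUid list."""
    group = next(e for e in ENTRIES if e.get("cn") == group_cn)
    return sorted(group.get("memberUid", []))

def primary_group_users(gid):
    """Users whose single gidNumber (primary group) equals gid, i.e. what the
    filter (&(objectClass=posixAccount)(gidNumber=...)) actually matches."""
    return search("dc=example,dc=com", f"(&(objectClass=posixAccount)(gidNumber={gid}))")
```

With this data the gidNumber-restricted filter returns two users, while the group's memberUid list names three, which is the mismatch the reply describes.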