To elaborate on the above statement from Markus:
- the ONLY way to involve OpenLDAP in an FSSO setup as described above is to force the group lookup to OpenLDAP
-> a user would trigger a login in AD, Collector Agent would detect this, and then trigger a lookup to the configured LDAP server
-> the problem is that Collector Agent at least assumes the LDAP server to be an AD server, and there aren't really any options that can be configured aside from base DN.
This means Collector Agent is going to be using AD LDAP syntax (looking for memberOf attribute, instead of member, for example).
If OpenLDAP can handle this, and reply accordingly with group information, then Collector Agent can fetch group information from OpenLDAP while the actual login comes from AD, and forward that (AD user+OpenLDAP group) to FortiGate.
However, FSSO is very deeply integrated with Active Directory (and the corresponding LDAP syntax), so I'm not confident this would work.
On the FortiGate itself, the group lookup is always part of the authentication, and can't be split off into a separate query to a different LDAP server.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
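To make the schema mismatch in the post concrete, here is an added, self-contained Python illustration (not Fortinet code and not the Collector Agent's actual query logic). It models two toy directories as dictionaries: an AD-style tree where each user entry carries a `memberOf` attribute, and a stock OpenLDAP tree where groups are `groupOfNames` entries whose `member` attribute lists user DNs. All DNs, names and group memberships are constructed for the example. The `ad_style_groups` function does what a client that assumes AD semantics does (read `memberOf` from the user entry); `openldap_style_groups` does the reverse search OpenLDAP normally requires; `apply_memberof_overlay` emulates the effect of OpenLDAP's `memberof` overlay, which is the one way a stock OpenLDAP server can answer the AD-style query with group data.

```python
import copy

# Constructed DNs for the example (not taken from any real directory).
AD_USER_DN = "CN=alice,OU=Users,DC=example,DC=org"
LDAP_USER_DN = "uid=alice,ou=people,dc=example,dc=org"

# AD-style directory: group membership is a forward link stored on the user.
AD_DIRECTORY = {
    AD_USER_DN: {
        "objectClass": ["user"],
        "sAMAccountName": ["alice"],
        "memberOf": [
            "CN=vpn-users,OU=Groups,DC=example,DC=org",
            "CN=staff,OU=Groups,DC=example,DC=org",
        ],
    },
    "CN=vpn-users,OU=Groups,DC=example,DC=org": {"objectClass": ["group"], "member": [AD_USER_DN]},
    "CN=staff,OU=Groups,DC=example,DC=org": {"objectClass": ["group"], "member": [AD_USER_DN]},
}

# Stock OpenLDAP directory: membership lives only on the group entries.
OPENLDAP_DIRECTORY = {
    LDAP_USER_DN: {"objectClass": ["inetOrgPerson"], "uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=org": {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    "cn=vpn-users,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": [LDAP_USER_DN, "uid=bob,ou=people,dc=example,dc=org"],
    },
    "cn=staff,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": [LDAP_USER_DN],
    },
    "cn=admins,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=bob,ou=people,dc=example,dc=org"],
    },
}


def _dn_eq(a, b):
    """DN matching is case-insensitive in LDAP; the toy search honours that."""
    return a.lower() == b.lower()


def ldap_search(directory, attr, value):
    """Toy equality filter (attr=value): return DNs of entries that contain the value."""
    return [dn for dn, entry in directory.items()
            if any(_dn_eq(v, value) for v in entry.get(attr, []))]


def ad_style_groups(directory, user_dn):
    """AD-style lookup: read the memberOf attribute of the user entry itself.
    Against a stock OpenLDAP tree this finds no attribute and returns []."""
    for dn, entry in directory.items():
        if _dn_eq(dn, user_dn):
            return sorted(entry.get("memberOf", []))
    return []


def openldap_style_groups(directory, user_dn):
    """OpenLDAP-style lookup: search for groups whose member attribute holds the user DN."""
    return sorted(ldap_search(directory, "member", user_dn))


def apply_memberof_overlay(directory):
    """Emulate OpenLDAP's memberof overlay: derive memberOf on each user entry from
    the member attributes of groupOfNames entries, so an AD-style query can succeed."""
    out = copy.deepcopy(directory)
    for group_dn, entry in directory.items():
        if "groupOfNames" not in entry.get("objectClass", []):
            continue
        for member_dn in entry.get("member", []):
            for dn in out:
                if _dn_eq(dn, member_dn):
                    out[dn].setdefault("memberOf", []).append(group_dn)
    return out


if __name__ == "__main__":
    print("AD tree, AD-style query:      ", ad_style_groups(AD_DIRECTORY, AD_USER_DN))
    print("OpenLDAP tree, AD-style query:", ad_style_groups(OPENLDAP_DIRECTORY, LDAP_USER_DN))
    print("OpenLDAP tree, reverse search:", openldap_style_groups(OPENLDAP_DIRECTORY, LDAP_USER_DN))
    print("OpenLDAP + memberof overlay:  ",
          ad_style_groups(apply_memberof_overlay(OPENLDAP_DIRECTORY), LDAP_USER_DN))
```

Run as a script, the second line comes out as an empty list: a client that only reads `memberOf` gets no groups from a stock OpenLDAP server even though the user is in two groups. The last line shows the same query returning both groups once something like the `memberof` overlay maintains that attribute, which is the condition under which the setup in the post could return group information at all; whether the rest of the Collector Agent's AD-specific handling also works is the open question the post raises.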