Hello,
we are running FortiOS 5.6.3.
I am trying to use nested LDAP groups for authentication.
User accounts are members of the LDAP group "GL_SSLVPN".
This global group is a member of the "L_SSLVPN" group.
The "L_SSLVPN" group should be the one authenticated on the FortiGate.
As described here:
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD37091
the following settings should be made:
config user ldap
    edit "example.local"
        set group-member-check user-attr
        set search-type nested
    next
end
But the "set search-type nested" value is not available in FortiOS 5.6.
Any idea how to implement nested LDAP groups now, or is this not possible anymore?
Regards
Thomas
Hi,
FOS 5.6 has replaced 'search-type nested' with a more flexible group filter.
Use something like the following in the LDAP config:
set group-filter "(|(&(objectclass=group)(member:1.2.840.113556.1.4.1941:=%u))(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%pg)))"
Works for me on 5.6.4 build 1575, and should work for you as well.
EDIT-2018-09-04: summarized that in KB http://kb.fortinet.com/kb...amp;externalId=FD41657
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
In 5.6, the nested group search option has been replaced with a group filter string. To also retrieve the nested group information of the user's primary group, add a "%pg" token in the group filter along with "%u". So, to get the full list of groups a user belongs to, please try the following filter:
config user ldap
    edit "AD-LDAP"
        set server ...
        set cnid "cn"
        set dn ...
        set type regular
        set username ...
        set password ...
        set group-filter "(|(&(objectclass=group)(member:1.2.840.113556.1.4.1941:=%u))(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%pg)))"
    next
end
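To make the filter above concrete, here is an added example (not from this thread and not Fortinet code) that models, on constructed directory data, what the two OR'ed clauses ask Active Directory to return. It assumes that FortiOS replaces %u with the authenticating user's DN and %pg with the DN of the user's primary group (the group whose primaryGroupToken equals the user's primaryGroupID), and that member:1.2.840.113556.1.4.1941:=<dn> (LDAP_MATCHING_RULE_IN_CHAIN) matches every group whose member attribute reaches <dn> through any depth of nesting. The group names mirror the original question; everything else is made up.

```python
"""Offline model of the FortiOS nested-group filter from the posts above.

Added example with constructed data; not the appliance's implementation.
Assumptions (labelled, not shown on the page): %u -> user DN, %pg -> primary
group DN, and the 1.2.840.113556.1.4.1941 rule walks 'member' transitively.
"""

GROUP_FILTER = (
    "(|(&(objectclass=group)(member:1.2.840.113556.1.4.1941:=%u))"
    "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%pg)))"
)

BASE = "DC=example,DC=local"                      # constructed domain
USER = f"CN=Thomas,OU=Users,{BASE}"
GL_SSLVPN = f"CN=GL_SSLVPN,OU=Groups,{BASE}"     # direct group from the question
L_SSLVPN = f"CN=L_SSLVPN,OU=Groups,{BASE}"       # contains GL_SSLVPN (nested)
DOMAIN_USERS = f"CN=Domain Users,CN=Users,{BASE}"  # primary group (RID 513)
VPN_ALL = f"CN=VPN_All,OU=Groups,{BASE}"         # contains the primary group
UNRELATED = f"CN=Unrelated,OU=Groups,{BASE}"     # self-referencing: cycle check

# Constructed snapshot: DN -> attributes. As in AD, primary-group membership
# is carried by primaryGroupID, not by the group's 'member' attribute.
DIRECTORY = {
    USER: {"objectClass": ["user"], "primaryGroupID": 513},
    GL_SSLVPN: {"objectClass": ["group"], "member": [USER]},
    L_SSLVPN: {"objectClass": ["group"], "member": [GL_SSLVPN]},
    DOMAIN_USERS: {"objectClass": ["group"], "primaryGroupToken": 513, "member": []},
    VPN_ALL: {"objectClass": ["group"], "member": [DOMAIN_USERS]},
    UNRELATED: {"objectClass": ["group"], "member": [UNRELATED]},
}


def is_group(attrs):
    return "group" in attrs.get("objectClass", [])


def render_filter(template, user_dn, primary_group_dn):
    """Token substitution as assumed to happen before the search is sent."""
    return template.replace("%u", user_dn).replace("%pg", primary_group_dn)


def primary_group_dn(directory, user_dn):
    """Resolve %pg: the group whose primaryGroupToken equals the user's primaryGroupID."""
    rid = directory[user_dn]["primaryGroupID"]
    for dn, attrs in directory.items():
        if is_group(attrs) and attrs.get("primaryGroupToken") == rid:
            return dn
    raise LookupError(f"no group with primaryGroupToken {rid}")


def reaches_in_chain(directory, group_dn, target_dn, seen=None):
    """Model of (member:1.2.840.113556.1.4.1941:=target) for one group.

    True if target is a direct member or a member of any nested member group.
    'seen' guards against membership cycles so the walk always terminates.
    """
    seen = set() if seen is None else seen
    if group_dn in seen:
        return False
    seen.add(group_dn)
    for member in directory[group_dn].get("member", []):
        if member == target_dn:
            return True
        if member in directory and is_group(directory[member]):
            if reaches_in_chain(directory, member, target_dn, seen):
                return True
    return False


def groups_in_chain(directory, target_dn):
    """All groups matching one chain clause for target_dn (sorted for stable output)."""
    return sorted(dn for dn, a in directory.items()
                  if is_group(a) and reaches_in_chain(directory, dn, target_dn))


def direct_groups(directory, user_dn):
    """Flat lookup only: what a non-nested 'member=%u' style check would see."""
    return sorted(dn for dn, a in directory.items()
                  if is_group(a) and user_dn in a.get("member", []))


def nested_groups(directory, user_dn):
    """Union of the filter's two OR clauses: chain from %u and chain from %pg.

    Note that the primary group itself is not returned by the filter as written,
    because AD does not list primary-group members in 'member'.
    """
    pg = primary_group_dn(directory, user_dn)
    return sorted(set(groups_in_chain(directory, user_dn)) | set(groups_in_chain(directory, pg)))


def authorized(directory, user_dn, required_group_dn):
    """Policy decision a firewall group mapping would make on the returned set."""
    return required_group_dn in nested_groups(directory, user_dn)


if __name__ == "__main__":
    pg = primary_group_dn(DIRECTORY, USER)
    print(render_filter(GROUP_FILTER, USER, pg))
    print("flat  :", direct_groups(DIRECTORY, USER))
    print("nested:", nested_groups(DIRECTORY, USER))
    print("L_SSLVPN allowed:", authorized(DIRECTORY, USER, L_SSLVPN))
```

Running it shows the difference the thread is about: the flat lookup returns only GL_SSLVPN, while the chained filter also returns L_SSLVPN (via GL_SSLVPN) and VPN_All (via the primary group), so a firewall policy bound to L_SSLVPN matches. The self-referencing Unrelated group is never returned and does not hang the walk.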
Just to complete that, I have summarized the nested LDAP change in a KB article:
http://kb.fortinet.com/kb...amp;externalId=FD41657
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
I have the problem in 6.0.5.
The group-filter command that you use, and that appears in the technical note (https://kb.fortinet.com/kb/viewContent.do?externalId=FD41657&sliceId=1), is no longer available in my CLI...
I tried to use the group-object-filter command, but no luck.
Any idea?
Solved.
This unit is managed via FortiManager.
By default in FortiManager the LDAP configuration has group-object-filter configured; since that is present, group-filter is no longer available in the CLI.
We deleted the group-object-filter from the FortiManager settings and added the filter to group-filter.
After these changes the group-filter is working and nested groups function as expected.