Agent_1994
Contributor

Nested LDAP group members not included in a report.

A customer has the following setup (simplified, of course!):

Group "A" members:
User1
User2
User3
Group B
Group C

Group "B" members:
User4
User5

Group "C" members:
User6

Then, in the filter section of the report:

Log Field->Group (group)->Equal To: Group A
LDAP Query: checked.

But I see only User1, User2 and User3 in the report. It seems that nested group members are not being included. I checked the manual and couldn't find anything like "we do support nested groups" nor "we don't support nested groups".

PS: For the time being, I've worked around this by adding Group B and Group C to the filter values and verified that all users are included.

hzhao_FTNT
Staff

Hi there, what kind of LDAP server is the customer using? How about the internal attributes? Did you set the attributes under the CLI according to the customer's LDAP server settings?

FAZ1000D # config system admin ldap
(ldap)# ed ldap1
(ldap1)# set attributes
filter used for group searching. Here are some examples: (for multi-attributes, use comma (,) as separator)
member
uniquemember
member,uniquemember

Agent_1994

Thanks for the reply, hzhao!

The LDAP server is an Active Directory DC. I used an LDAP browser and I can see everything. About the attributes:

set attributes "member,uniquemember"

I dug a little more. I went to "Group A" (with an LDAP browser) and saw that "Group B" and "Group C" are included in "Group A"'s member attribute.

Then I went to "Group B", saw a couple of users included with "member", and I saw a "memberof" attribute that points to "Group A". I tried that with several sub-groups at random and I confirmed that member and memberof (depending on your point of view) are correct.

I don't know anything about FAZ internals, but I can imagine that when I run the report filtering by members of "Group A", it will query the member attribute of that group and that it should query members of sub (nested) groups.

If I see it from a programmer's point of view: nothing in the "member" attribute on "Group A" says whether an entry is a group or a regular user; it would have to query the objectClass attribute to see that. If objectClass is a group, it will have to be treated like that and its members queried.

Greets,
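The walk Agent_1994 describes (follow the group's member attribute, check objectClass on each entry, descend into anything that is itself a group) is short to write down. The Python below is an added example by the editor, not FortiAnalyzer code and not from anyone in this thread; it runs against a constructed in-memory stand-in for the AD directory described above (the DNs, OU names and the "member,uniquemember" attribute string are assumptions modelled on the thread) and contrasts a flat lookup, which yields only User1..User3, with a nested expansion that also yields the users of Group B and Group C. It also guards against circular nesting, which a naive recursive resolver would loop on.

```python
"""Flat versus nested LDAP group membership resolution.

Added example, not FortiAnalyzer code. DIRECTORY is a constructed,
in-memory stand-in for the customer's Active Directory DC.
"""

# Constructed sample directory: DN -> attributes (mirrors the thread's setup).
DIRECTORY = {
    "CN=Group A,OU=Groups,DC=example,DC=com": {
        "objectClass": ["top", "group"],
        "member": [
            "CN=User1,OU=Users,DC=example,DC=com",
            "CN=User2,OU=Users,DC=example,DC=com",
            "CN=User3,OU=Users,DC=example,DC=com",
            "CN=Group B,OU=Groups,DC=example,DC=com",
            "CN=Group C,OU=Groups,DC=example,DC=com",
        ],
    },
    "CN=Group B,OU=Groups,DC=example,DC=com": {
        "objectClass": ["top", "group"],
        "member": [
            "CN=User4,OU=Users,DC=example,DC=com",
            "CN=User5,OU=Users,DC=example,DC=com",
        ],
    },
    "CN=Group C,OU=Groups,DC=example,DC=com": {
        "objectClass": ["top", "group"],
        "member": ["CN=User6,OU=Users,DC=example,DC=com"],
    },
}
for _n in range(1, 7):
    DIRECTORY[f"CN=User{_n},OU=Users,DC=example,DC=com"] = {
        "objectClass": ["top", "person", "user"],
    }


def direct_members(directory, group_dn, attributes="member,uniquemember"):
    """Members listed in the group's own attributes, with no nesting.
    `attributes` takes the comma-separated form the FAZ CLI help shows."""
    entry = directory.get(group_dn, {})
    found = []
    for attr in attributes.split(","):
        found.extend(entry.get(attr.strip(), []))
    return found


def is_group(directory, dn):
    """A member DN does not say whether it is a user or a group;
    the objectClass of the referenced entry does."""
    return "group" in directory.get(dn, {}).get("objectClass", [])


def nested_members(directory, group_dn, attributes="member,uniquemember"):
    """All user DNs reachable through nested groups.
    The visited set stops circular nesting (A -> C -> A) from looping."""
    users, visited = set(), set()
    stack = [group_dn]
    while stack:
        dn = stack.pop()
        if dn in visited:
            continue
        visited.add(dn)
        for member in direct_members(directory, dn, attributes):
            if is_group(directory, member):
                stack.append(member)  # descend into the sub-group
            else:
                users.add(member)
    return users


def short_names(dns):
    """'CN=User1,OU=Users,...' -> 'User1', sorted for readable output."""
    return sorted(dn.split(",")[0].split("=", 1)[1] for dn in dns)


if __name__ == "__main__":
    group_a = "CN=Group A,OU=Groups,DC=example,DC=com"
    flat_users = [d for d in direct_members(DIRECTORY, group_a)
                  if not is_group(DIRECTORY, d)]
    print("flat  :", short_names(flat_users))                    # User1..User3
    print("nested:", short_names(nested_members(DIRECTORY, group_a)))  # User1..User6
```

Against a real AD DC the same result can be obtained server-side with the LDAP_MATCHING_RULE_IN_CHAIN extensible match (OID 1.2.840.113556.1.4.1941) on memberOf, which is a Microsoft-specific feature and not something the thread says FortiAnalyzer uses; either way, a resolver has to treat a member that is itself a group differently from a user, which is exactly the gap the report filter shows.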

 

 

Agent_1994
Contributor

Update, FWIW: I have confirmation that nested groups aren't supported *yet*.

 
