A customer have the following setup (simplified, of course!):
Group "A" members:
User1
User2
User3
Group B
Group C
Group "B" members:
User4
User5
Group "C" members:
User 6
Then, in the filter section of the report:
Log Field->Group (group)->Equal To: Group A
LDAP Query: checked.
But i see only User1, User2 and User3 in the report. It seems that nested group members are not being included. I checked the manual and couldn't find anything like "we do support nested groups" nor "we don't support nested groups".
PS: For the time being, i've worked around this by adding Group B and Group C to the filter values and verified that all users are included.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi there, what kind of ldap server is customer using? How about the internal attributes? Did you set attributes under CLI according to customer's ldap server setting?
FAZ1000D # config system admin ldap
(ldap)# ed ldap1
(ldap1)# set attributes filter used for group searching. Here are some examples: (for multi-attributes, use comma (,) as separator) member uniquemember member,uniquemember
Thanks for the reply hzhao!
The LDAP server is an Active Directory DC, i used a LDAP Browser and i can see everything, about the atrributes:
set attributes "member,uniquemember"
I dug something more. I went to "Group A" (with an LDAP Browser) and saw that "Group B" and "Group C" are included in "Group A"'s member attribute.
Then i went to "Group B", saw a couple of users included with "member" and i saw a "memberof" attribute that point's to "Group A". I tried that with several sub-groups at random and i confirmed that member and memberof (depending your point of view) are correct.
I don't know anything about FAZ internals, but i can imagine that when i run the report filtering by members of "Group A", it will query the members attritbute of that group and that it should query members of sub(nested) groups.
If i see it from a programmer's point of view: nothing in the "members" attribute on "Group A" says that it's a group or a regular user, it would have to query the objectClass attribute to see that. If objectClass is a group, it will have to be treated like that and query it's members.
Greets,
Update, FWIW: I have confirmation that nested groups aren't supported *yet*.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.