I may have hours of experience on both FAC and OpenLDAP, and I am trying to get the LDAP user import part working for me. So far, I have already set up OpenLDAP on 10.106.6.160, and I am trying to see if I could import these users into my FAC.
1) Here is my LDAP edit page, where I always have to input values in the "query elements" fields on that page, which are not optional.
2) After I saved the previous page and clicked the "import users" button, I reached the "Import Remote LDAP Users" page. Without any extra editing, I was able to see 5 created LDAP user accounts here. But when I tried to import them into FAC, I got this failure:
Unable to import " uid=testGeeks1,out=people,dc=pluto,dc=fortinet,dc=com": entry does not match the configured filter. "
Any ideas what I did wrong here? Thanks,
Jack
Hello Jack,
Thank you for reaching out.
It looks like the attribute values configured on FortiAuthenticator and OpenLDAP do not match.
Could you please change the value of ObjectClass from "person" to "posixAccount" and test again?
If it does not work, please check in your LDAP settings what is configured under ObjectClass for that user and try to match it in FortiAuthenticator.
Please check and let us know.
Thanks for the response. I have done what you suggested on the first setup page; here is the screenshot from the 2nd import page.
As you may find:
1) I have changed "person" to "posixAccount" on the LDAP setup page, and this is used as the filter value on this import page.
2) I am using the single user import mode.
3) When I select "testGeeks1" and try to import it, I see these error messages at the top of the page.
Thanks,
Jack
Hello Jack,
Thank you for your update.
Now I believe you should replace the Username attribute under the LDAP configuration.
Can you please try "uid" instead of "testGeeks" and share the results?
Regards!
Thanks for the tips. I have tried the "import users" option, and it did import the users from LDAP!
But my next question is: how do I do the same type of import if I select the "import users by group memberships" option? The above 3 users are in the same group. When I selected this option, nothing was imported in the end.
Thanks,
Jack
Hello Jack,
You need to correct the filter when searching for the group membership.
What is the filter shown when you try to import users from group membership?
Does this filter show the users?
What was the filter when importing a single user?
Please try importing with group membership again and check in the logs what it says for this import.
Regards,
Dorel
This was the filter page when I used the "import users" option to import the users.
When I did "import users by group memberships", I chose the "Group attribute" button instead of the "User attribute" button on that page.
I mean like here:
Now we see the filter used for this group membership.
If you still face an error, remember to share the error here.
Check what is configured for this user as object class on the remote server and match the config in FAC. Edit the filter properly.
This is the settings on my "Import Remote LDAP Users by Group Memberships" page:
I see that the filter is working and showing the entries. Now if you select "ou=people" and try to import, does it fail?
If yes, show the error.
Try also changing the value from "posixGroup" to "inetOrgPerson".
Let me know.
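To make the two failure modes in this thread concrete, here is an added illustration in Python; it is not code from the thread, from FortiAuthenticator or from OpenLDAP. It contains a small LDAP filter evaluator and a constructed sample directory under the base DN that appears in Jack's error message (dc=pluto,dc=fortinet,dc=com). The entries, their attribute values, the second user testGeeks2 and the posixGroup cn=geeks are all made up for the example, and the import_user and users_in_group functions model the check as the thread describes it (the selected entry must satisfy the configured filter), not FAC's actual implementation. Unlike a real slapd, the evaluator compares objectClass values literally and does not consult the schema for superclasses.

```python
"""Toy LDAP filter matcher (added example, not FortiAuthenticator or OpenLDAP code).
It shows why "entry does not match the configured filter" appears when the filter's
objectClass or username attribute disagrees with the stored entry, and why a group
membership import returns nothing when the user filter does not match the members."""
import re

# Constructed sample directory; only the base DN comes from the thread.
PEOPLE_BASE = "ou=people,dc=pluto,dc=fortinet,dc=com"
DIRECTORY = {
    "uid=testGeeks1,ou=people,dc=pluto,dc=fortinet,dc=com": {
        "objectClass": ["top", "account", "posixAccount"],   # no "person" here
        "uid": ["testGeeks1"], "uidNumber": ["10001"], "gidNumber": ["5000"],
    },
    "uid=testGeeks2,ou=people,dc=pluto,dc=fortinet,dc=com": {
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "uid": ["testGeeks2"], "cn": ["Test Geeks 2"], "sn": ["Geeks"],
    },
    "cn=geeks,ou=groups,dc=pluto,dc=fortinet,dc=com": {
        # posixGroup lists members by uid (memberUid), not by DN as groupOfNames does.
        "objectClass": ["top", "posixGroup"], "cn": ["geeks"], "gidNumber": ["5000"],
        "memberUid": ["testGeeks1", "testGeeks2", "testGeeks3"],   # testGeeks3 does not exist
    },
}


def _parse(s, i):
    """Parse one filter component starting at s[i] == '('; return (node, next index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":                         # and / or / not with nested components
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    j = s.index(")", i)                       # values containing ')' are not supported
    attr, sep, value = s[i:j].partition("=")
    if not sep:
        raise ValueError(f"bad assertion {s[i:j]!r}")
    return ("=", attr.strip().lower(), value.strip()), j + 1


def parse_filter(text):
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry; names and values are case-insensitive."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = next((v for k, v in entry.items() if k.lower() == attr), [])
    if value == "*":                          # presence filter
        return bool(values)
    if "*" in value:                          # substring filter
        pattern = ".*".join(re.escape(p) for p in value.split("*"))
        return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)
    return any(v.lower() == value.lower() for v in values)


def search(base, filter_text):
    """Subtree search: DNs under `base` whose entry satisfies the filter."""
    node, base = parse_filter(filter_text), base.lower()
    return [dn for dn, e in DIRECTORY.items() if dn.lower().endswith(base) and matches(node, e)]


def import_user(dn, filter_text):
    """Model of the single-user import check: the selected entry must satisfy the filter."""
    entry = DIRECTORY[dn]
    if not matches(parse_filter(filter_text), entry):
        return f'Unable to import "{dn}": entry does not match the configured filter.'
    return f"imported {entry['uid'][0]}"


def users_in_group(group_dn, user_filter):
    """Resolve a posixGroup to user DNs: each memberUid is looked up with the user filter,
    so a user filter whose objectClass does not match the members imports nothing."""
    found = []
    for uid in DIRECTORY[group_dn].get("memberUid", []):
        found += search(PEOPLE_BASE, f"(&{user_filter}(uid={uid}))")
    return found


if __name__ == "__main__":
    dn1 = "uid=testGeeks1,ou=people,dc=pluto,dc=fortinet,dc=com"
    print(import_user(dn1, "(objectClass=person)"))                          # rejected
    print(import_user(dn1, "(&(objectClass=posixAccount)(uid=testGeeks1))"))  # imported
    print(users_in_group("cn=geeks,ou=groups,dc=pluto,dc=fortinet,dc=com", "(objectClass=posixAccount)"))
```

The same three mistakes the thread walks through reproduce here: an objectClass of "person" against a posixAccount entry, a username attribute of "testGeeks" instead of "uid", and a group import whose per-user filter does not cover the objectClass the members actually carry. Running ldapsearch with the exact filter FAC displays (for example `(&(objectClass=posixAccount)(uid=testGeeks1))` against `ou=people,dc=pluto,dc=fortinet,dc=com`) is the real-world equivalent of the `search` call above.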
Copyright 2024 Fortinet, Inc. All Rights Reserved.