FTNT-UFO
New Contributor

Not able to import Open LDAP user to FortiAuthenticator

I may have hours of experience on both FAC and Open-LDAP, and I am trying to make the LDAP import user part work for me. So far, I have already set up an Open-LDAP on 10.106.6.160, and am trying to see if I could import these users to my FAC.

 

1) Here is my LDAP edit page, where I always have to input values in these "query elements" fields on that page, which are not optional.

LDAP.png

2) When I have the previous page saved, and click the "import users" button, I reach the "Import Remote LDAP Users" page. Without any extra editing, I was able to see 5 created LDAP user accounts here. But when I tried to import them to FAC, I got this failure:

Unable to import " uid=testGeeks1,out=people,dc=pluto,dc=fortinet,dc=com": entry does not match the configured filter. "  

 

LDAP_USER.png

Any ideas what I did wrong here? Thanks,

 

Jack 

FTNT-UFO
New Contributor

When I was trying to do the import by the group option, it was executed w/o any issues, but nothing was imported either.

 

dbu

Can you please show me the logs regarding this activity from:

Logging > Log Access > Logs 

We should have some info there for this import, for example:

logsldap.PNG

 

Please click each log entry so we can see the message displayed for each of them. 

 

Alternatively, you can download a report summary and I can check it for you:

repsummary.PNG

 

 

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
FTNT-UFO
New Contributor

Thanks for the help.  I am providing the details here step by step. 

A) Here is my LDAP SVR setting page; as you may see, I have selected "Group attribute" here.

 

LDAP_SVR.png

B) Here is the importing page, where I have clicked the "ou=people" checkbox.

LDAP_GP_IMPORTING.png

C) When the importing is done, here is the message in the log page:

LDAP_LOG2.png

 

By reading the msg in this log, it seems to me that even though I had selected the "import users by group membership" option, the actual importing schema is the same as for "import users"?

 

What is the business logic of "import users by group membership"? I thought it was for importing users that are associated with group(s).

 

Thanks, 

 

Jack 
dbu

Hello Jack, 

Thank you for your update.

 

a) I believe the option "Group attribute" under query elements is how you want to obtain the group membership for a user.

 

b) User attributes here means which user attributes from the remote LDAP we should populate when importing the users.

 

c) The importing schema is the same. In both cases we are importing users.

The only difference is how we query the remote LDAP.

In the case of import by group membership, two filters are used, plus the Member attribute.

 

- Regarding your import:
From the logs I see only that the query is done, but not the actual import. Unless you already imported them before.

sfdhhfgh.PNG

 


When the import is done, the message is something like:
Added remote LDAP user... or Imported remote user...

jack.PNG

 

 

Regards!
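dbu's explanation above (a single user filter for "import users", versus a group filter plus the member attribute for "import users by group membership") can be traced with a small filter evaluator. This is an added example, not FortiAuthenticator's code: the directory entries, attribute names and filters below are constructed, and the evaluator only supports the &, |, ! , equality and presence operators of RFC 4515.

```python
# Constructed sample directory: a posixAccount user and a groupOfNames group.
DIRECTORY = {
    "uid=testgeeks1,ou=people,dc=pluto,dc=fortinet,dc=com": {
        "objectclass": ["top", "account", "posixaccount"],
        "uid": ["testgeeks1"],
    },
    "cn=vpn-users,ou=groups,dc=pluto,dc=fortinet,dc=com": {
        "objectclass": ["groupofnames"],
        "member": ["uid=testGeeks1,ou=people,dc=pluto,dc=fortinet,dc=com"],
    },
}

def split_components(s):
    """Split "(a)(b)(c)" into top-level components, honouring nesting."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and ch == ")":
            parts.append(s[start:i + 1])
            start = i + 1
    return parts

def matches(entry, flt):
    """Evaluate the RFC 4515 subset import filters usually use: &, |, !,
    equality and presence (attr=*); names and values compared case-insensitively."""
    body = flt.strip()[1:-1]
    if body[0] in "&|!":
        results = [matches(entry, p) for p in split_components(body[1:])]
        if body[0] == "!":
            return not results[0]
        return all(results) if body[0] == "&" else any(results)
    attr, _, value = body.partition("=")
    values = [v.lower() for v in entry.get(attr.lower(), [])]
    return bool(values) if value == "*" else value.lower() in values

def import_users(user_filter):
    """'Import users': every entry is tested against the user filter alone."""
    return sorted(dn for dn, e in DIRECTORY.items() if matches(e, user_filter))

def import_by_group(group_filter, member_attr, user_filter):
    """'Import by group membership': group filter selects groups, then each
    DN in the member attribute must still satisfy the user filter."""
    found = set()
    for e in DIRECTORY.values():
        if matches(e, group_filter):
            for dn in e.get(member_attr.lower(), []):
                member = DIRECTORY.get(dn.lower())
                if member and matches(member, user_filter):
                    found.add(dn.lower())
    return sorted(found)
```

A user filter such as `(objectClass=inetOrgPerson)` returns nothing for this directory, because the entry's objectClass values do not contain it; that is the "entry does not match the configured filter" situation, and the same entry is accepted as soon as the filter names a class the entry actually carries.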
FTNT-UFO
New Contributor

OK, I kind of understand what is going on here from the log message.

 

In either the "import users" or the "import users by group membership" scenario, it tries to load the users first, and if there are actual users, then it imports them.

 

Now if you are looking at the 2nd picture in my previous posting, when I click the "ou=people" check-box, there is no sub-tree pop-up, which means 0 users need to be imported here. And that is why we are getting only the "loading ..." log, but not the "imported ..." log.

So I guess my question is why there are 0 users listed here?

 

Thanks, 

 

Jack