Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
FTNT-UFO
New Contributor

Created on ‎08-28-2023 05:32 PM Edited on ‎08-28-2023 05:40 PM

Not able to import Open LDAP user to FortiAuthenticator

I may have hours of experience on both FAC and Open-LDAP, and I am trying to make the LDAP import user part working for me.  So far, I have already setup an Open-LDAP on 10.106.6.160, and is trying to see if I could import these users to my FAC.  

 

1). Here is my LDAP edit page, where I always have to input values on these "query elements" fields on that page, which are not optional part.

LDAP.png

2) When I have the previous page saved, and click the "import users" button, and have reached the "Import Remote LDAP Users" page. Without any extra editing, I was able to see 5 created LDAP user account here. But while I was to have them imported to FAC, I have got such failure: 

Unable to import " uid=testGeeks1,out=people,dc=pluto,dc=fortinet,dc=com": entry does not match the configured filter. "  

 

LDAP_USER.png

Any  ideas what I did wrong here ?  Thanks, 

 

Jack 

Labels:
2306
0 Kudos
14 REPLIES 14
FTNT-UFO
New Contributor
In response to dbu

Created on ‎09-06-2023 05:54 PM

When I was trying to do the import by the group option, it was executed w/o any issues, but nothing was imported either.  

 

716
0 Kudos
dbu
Staff
Staff
In response to FTNT-UFO

Created on ‎09-07-2023 02:58 AM Edited on ‎09-07-2023 03:00 AM

Can you please show me the logs regarding this activity from : 

Logging > Log Access > Logs 

We should have some info there for this import for example :

logsldap.PNG

 

Please click each log entry so we can see the message displayed for each of them. 

 

Alternatively, you can download a report summary and i can check it for you :

repsummary.PNG

 

 

Regards!

 

 

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
704
0 Kudos
FTNT-UFO
New Contributor
In response to dbu

Created on ‎09-07-2023 12:21 PM

Thanks for the help.  I am providing the details here step by step. 

A) here is my LDAP SVR setting page, as you may see, I have selected "Group attribute" here. 

 

LDAP_SVR.png

B) here is the importing page, where I have clicked the "ou=people" checkbox. 

LDAP_GP_IMPORTING.png

C) when the importing is done, here is the message in the log page: 

LDAP_LOG2.png

 

By reading the msg in this log, it seems to me, even I had selected "import users by group membership" option, the actual importing schema is the same as for "import users" ? 

 

What is the business logic of ""import users by group membership". I thought it is for importing users that is associated group(s)  

 

Thanks, 

 

Jack 

 

 

 

 

 

694
0 Kudos
dbu
Staff
Staff
In response to FTNT-UFO

Created on ‎09-07-2023 03:21 PM

Hello Jack, 

Thank you for your update.

 

a)I believe option "Group attribute" under query elements is how do you want obtain the group membership for a user.

 

b)User attributes here means what user attributes from remote LDAP should we populate when importing the users. 

 

c)The importing schema is the same . In both cases we are importing users.

The only difference is how we query the remote LDAP.

In case by group membership there are two filters used and the Member attribute 

 

-Regarding your  import
From the logs i see only the query is done but not the actual import . Unless you already imported them  before .

sfdhhfgh.PNG

 


When import is done message is something like :
Added remote LDAP user......or Imported remote user.....

jack.PNG

 

 

Regards!

 

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
688
0 Kudos
FTNT-UFO
New Contributor
In response to dbu

Created on ‎09-07-2023 05:41 PM

OK, I kind of understand what is going on here from the log message.

 

In either "import users" or "import users by group membership" scneario, it tries to load the users first, and if there were actual users, then to have them imported. 

 

Now if you are looking at the 2nd picture in my previous posting, when I click "ou=people" check-box, there is no sub-tree pop-up,  which means 0 user needs to be imported here.  And that is why we are getting only "loading ... " log, but not "imported ..." log. 

So I guess my question is why there is 0 user listed here ? 

 

Thanks, 

 

Jack

 

 

 

 

673
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.