Support Forum
AliE

Problem import user LDAP UNIX (OpenLDAP) FortiAuthenticator

 

Hi all,
We have a UNIX LDAP server and we want to connect FAC to the LDAP. We can see all of the users, but we can't import users (Remote Users => Import). When we try to import users, an error message appears: Unable to import "uid=****,ou=users,ou=**,dc=**,dc=***": entry does not match the configured filter.

[screenshot: 2022-04-21_17h09_57.png]

Any help would be appreciated.
Thanks,

Ali

Anthony_E
Community Manager

Hello AliE,

 

I have found this document:

 

https://community.fortinet.com/t5/FortiAuthenticator/Troubleshooting-Tip-Unable-to-import-remote-LDA...

 

Could you please have a look and tell me if it helped?

If not, we will continue to look for another solution.

 

Regards,

Anthony-Fortinet Community Team.
Debbie_FTNT
Staff

Hey Ali,

Maybe a stupid question - if you don't set a filter for 'ObjectClass=person', can you import the user, or does that also result in an error?

In addition, it may be worth checking in your remote LDAP server settings on FortiAuthenticator that you have the correct mapping for the username attribute etc.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
xsilver_FTNT
Staff

Hi,

As the error is "entry does not match the configured filter" and the server is supposed to be OpenLDAP:

I would check and make sure that the proper template is used in your FortiAuthenticator LDAP server config, and more importantly that it fits your OpenLDAP and the schemas it uses. Use an LDAP browser (Microsoft Windows has one built in, ldp.exe, but honestly it is ugly and not user friendly) to check what your users and their properties are.

 

Example from my test OpenLDAP:

 

[screenshot: xsilver_FTNT_1-1651042929944.png]

 

 

Because your configured LDAP filter is: (objectClass=person)

Check your OpenLDAP and the properties of the so-called user objects.

Check and make sure that they are objectClass = person.

Because some of mine are, for example, "objectClass = inetOrgPerson; posixAccount", not "person"!

 

That filter might come from the default setting in FortiAuthenticator and from the applied OpenLDAP template in the LDAP Remote Auth. Server config. Its default looks like this:

 

[screenshot: xsilver_FTNT_0-1651042664450.png]

 

Feel free to tweak those settings according to your OpenLDAP server.

 

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
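An added example (not FortiAuthenticator or OpenLDAP code, and not posted by anyone in this thread) that shows why the import is rejected: it evaluates an LDAP search filter the way a directory would against constructed entries whose objectClass values look like the ones Tomas describes (inetOrgPerson plus posixAccount, with no explicit "person" value). The DNs, attributes and helper names (`check_import`, `objectclass_filter`) are assumptions for illustration; the filter grammar is the equality/presence/AND/OR/NOT subset of RFC 4515, which is all the FortiAuthenticator default filter uses.

```python
"""Evaluate an LDAP search filter against entries the way a directory would.

Supports a subset of RFC 4515 filters: (attr=value), (attr=*), &, |, !.
Entries are dicts of attribute -> list of values, the shape ldapsearch or
an LDAP browser gives back. Constructed data, not taken from any real server.
"""

# Constructed sample entries (assumed DNs and attributes). alice resembles the
# OpenLDAP users described in the thread: inetOrgPerson + posixAccount, with
# no "person" value listed in objectClass, so (objectClass=person) rejects her.
ENTRIES = {
    "uid=alice,ou=users,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["alice"],
        "cn": ["Alice Example"],
    },
    "uid=bob,ou=users,dc=example,dc=com": {
        "objectClass": ["person", "organizationalPerson", "inetOrgPerson"],
        "uid": ["bob"],
        "cn": ["Bob Example"],
    },
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "cn": ["admins"],
        "memberUid": ["alice"],
    },
}


def parse_filter(text):
    """Parse a filter string into a tree: ('=', attr, value) or (op, [children])."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters in filter: %r" % text[pos:])
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at position %d" % i)
    i += 1
    op = s[i] if i < len(s) else ""
    if op in ("&", "|", "!"):
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s filter" % op)
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one sub-filter")
        return (op, children), i + 1
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, eq, value = s[i:end].partition("=")
    if not attr or not eq:
        raise ValueError("only equality/presence items supported: %r" % s[i:end])
    return ("=", attr.strip(), value.strip()), end + 1


def matches(node, entry):
    """True if the entry satisfies the parsed filter."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    # Attribute names are case-insensitive in LDAP; objectClass values and the
    # usual naming attributes (cn, uid) use case-insensitive matching rules too.
    values = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def check_import(filter_text, entries):
    """Split entries into those the filter admits and those it rejects."""
    node = parse_filter(filter_text)
    admitted, rejected = [], []
    for dn, attrs in entries.items():
        (admitted if matches(node, attrs) else rejected).append(dn)
    return admitted, rejected


def objectclass_filter(classes):
    """Build an OR filter that admits any of the given objectClass values."""
    return "(|" + "".join("(objectClass=%s)" % c for c in classes) + ")"


if __name__ == "__main__":
    for flt in ["(objectClass=person)", objectclass_filter(["person", "posixAccount"])]:
        admitted, rejected = check_import(flt, ENTRIES)
        print("filter:", flt)
        for dn in admitted:
            print("  import", dn)
        for dn in rejected:
            print('  Unable to import "%s": entry does not match the configured filter' % dn)
```

Run it and compare the first block of output with the error from the original post: the default filter rejects every entry whose objectClass list does not literally contain "person". Widening the filter with `objectclass_filter([...])` to the classes your users actually carry (as seen in an LDAP browser or `ldapsearch`) makes them importable while still excluding group objects such as posixGroup.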

FTNT-UFO

I have hit a similar issue and have created a new thread here, if someone can help: https://community.fortinet.com/t5/Support-Forum/Not-able-to-import-Open-LDAP-user-to-FortiAuthentica...

 
