Support Forum
cbabfat

Remote LDAP Groups

I see that "Remote LDAP" groups can be created on the FortiAuthenticator.  Is it possible to import or use LDAP (Active Directory) groups in any way with the FortiAuthenticator?

 

It seems like everything to do with LDAP can only be "managed" by the individual "name" and not a directory.

 

This also applies to the FortiAuthenticator client.  We are implementing the client and I have to individually select EVERY single user that needs to be in bypass.  That is all the users to start with, while we roll out mobile tokens to everyone.

 

Thanks, Chris

1 Solution
andymemo

I found this post when trying to answer the same question. I have managed to do what I believe is being asked in this post and what I needed to do...

 

In my customer's AD, they had one group from which I wanted to retrieve all users and populate a group on the FAC. This group will then be used for FortiToken Mobile matching to AD username.

 

For the 'Remote Auth Servers > LDAP' I used the default attributes and just entered the IP, base DN, username & password. On clicking the browse icon, I could browse AD.

 

Under 'User Management > Remote user sync rules' I created a new entry using the 'Remote LDAP' I had just created, and using a filter of '(memberof=CN=Group-Name,OU=OU1,DC=domain,DC=CO,DC=NZ)'. I created a new 'Group to associate users with' and chose OK with the default values for everything else... 

 

Lastly, I selected the new Remote user sync rule and clicked 'Manual sync'. This pulled only the AD users of the chosen AD group into the FAC.

 

FAC version = v3.00-build0180-20150428-patch00

 


Carl_Windsor_FTNT

AD (LDAP) Groups are used widely within FAC.  Remote users can be imported using groups, see Remote User Sync Rules where you can specify an LDAP filter to select which user groups are imported.  AD Groups can be used in Remote Groups configuration also by specifying an LDAP filter.  They are also supported throughout the FSSO config.  Perhaps specify what you are trying to achieve here.

 

The FortiAuthenticator Agent for Microsoft Windows is a special case, as it is separate from the appliance itself and currently only supports user exceptions; however, there is a Feature Request to allow group-based exceptions.

Dr. Carl Windsor, Field Chief Technology Officer, Fortinet
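Both the accepted solution (the '(memberof=CN=Group-Name,OU=OU1,DC=domain,DC=CO,DC=NZ)' sync filter) and the reply above (an LDAP filter selects which users a Remote User Sync Rule imports) rely on getting that filter exactly right before 'Manual sync' pulls accounts into the FAC. Two things a practitioner will want to check that neither post spells out: a plain memberOf filter only returns direct members, so anyone who is in the group via a nested group is silently left out (Active Directory offers the in-chain matching rule, OID 1.2.840.113556.1.4.1941, to make memberOf transitive); and a group DN containing characters such as '(', ')' or '*' must be escaped per RFC 4515 or the filter's meaning changes. The script below is an added example, not code from the forum post or from Fortinet. It builds both filter forms from the post's group DN, prints an ldapsearch command you can run against the DC to preview what the sync rule would return, and evaluates the two forms offline against a small constructed directory to show the nested-member difference. The host name, bind DN, the 'Sub-Group' and the user entries are assumptions made up for the illustration.

```python
"""Sanity-check a FortiAuthenticator remote user sync filter before clicking
'Manual sync'. Added example, not code from the forum post or from Fortinet.
The group DN is the one from the post; the host, bind DN, nested group and
user entries below are constructed for illustration."""

import shlex

# Active Directory matching rule LDAP_MATCHING_RULE_IN_CHAIN: makes memberOf
# match transitively through nested groups (AD-specific, not generic LDAP).
IN_CHAIN = "1.2.840.113556.1.4.1941"


def ldap_filter_escape(value: str) -> str:
    """Escape an assertion value per RFC 4515. Without this, a group name
    containing '(', ')', '*' or '\\' would change the structure of the filter
    instead of being matched literally (LDAP filter injection)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def member_of_filter(group_dn: str, nested: bool = False) -> str:
    """Return the filter for 'accounts that are members of group_dn'.

    nested=False is the flat form used in the post: direct members only.
    nested=True uses the AD in-chain rule and also matches members of
    groups nested inside group_dn."""
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    return f"({attr}={ldap_filter_escape(group_dn)})"


def ldapsearch_command(host: str, bind_dn: str, base_dn: str, ldap_filter: str) -> str:
    """Shell command to preview what the sync rule will pull: simple bind,
    password prompted for by -W. Host and bind DN are assumptions."""
    return " ".join(shlex.quote(a) for a in [
        "ldapsearch", "-x", "-H", f"ldap://{host}", "-D", bind_dn, "-W",
        "-b", base_dn, ldap_filter, "sAMAccountName",
    ])


# Constructed sample directory (not real data): alice is a direct member of
# the target group, bob is only a member of a group nested inside it, carol
# is in neither.
GROUP = "CN=Group-Name,OU=OU1,DC=domain,DC=CO,DC=NZ"
NESTED_GROUP = "CN=Sub-Group,OU=OU1,DC=domain,DC=CO,DC=NZ"
ENTRIES = {
    "CN=alice,OU=Users,DC=domain,DC=CO,DC=NZ": {"objectClass": "user", "memberOf": [GROUP]},
    "CN=bob,OU=Users,DC=domain,DC=CO,DC=NZ": {"objectClass": "user", "memberOf": [NESTED_GROUP]},
    "CN=carol,OU=Users,DC=domain,DC=CO,DC=NZ": {"objectClass": "user", "memberOf": []},
    NESTED_GROUP: {"objectClass": "group", "memberOf": [GROUP]},
}


def matching_users(group_dn: str, nested: bool = False) -> list:
    """Evaluate both filter forms offline against ENTRIES. The flat form
    compares memberOf values directly; the nested form follows memberOf
    through group entries, mirroring what the in-chain rule does on the DC."""
    def is_member(dn: str, seen: frozenset) -> bool:
        if dn in seen:  # guard against circular group nesting
            return False
        for g in ENTRIES[dn]["memberOf"]:
            if g == group_dn:
                return True
            if nested and g in ENTRIES and is_member(g, seen | {dn}):
                return True
        return False

    return sorted(dn for dn, e in ENTRIES.items()
                  if e["objectClass"] == "user" and is_member(dn, frozenset()))


if __name__ == "__main__":
    for nested in (False, True):
        flt = member_of_filter(GROUP, nested)
        print(flt)
        print(ldapsearch_command("dc01.domain.co.nz",
                                 "CN=svc-fac,OU=Service,DC=domain,DC=CO,DC=NZ",
                                 "DC=domain,DC=CO,DC=NZ", flt))
        print("  would sync:", matching_users(GROUP, nested))
```

Run it, paste the printed ldapsearch line into a shell with access to the DC, and compare the returned sAMAccountName list with what you expect the sync rule to import; if nested groups are in play and the flat filter comes up short, switch the sync rule's filter to the in-chain form (only on Active Directory, since the OID is an AD extension).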


 
