I see that "Remote LDAP" groups can be created on the FortiAuthenticator. Is it possible to import or use LDAP (Active Directory) groups in any way with the FortiAuthenticator?
It seems like everything to do with LDAP can only be "managed" by the individual "name" and not a directory.
This also applies to the FortiAuthenticator client. We are implementing the client and I have to individually select EVERY single user that needs to be in bypass. That is all the users to start while we roll out mobile tokens to everyone.
Thanks, Chris
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I found this post when trying to answer the same question. I have managed to do what I believe is being asked in this post and what I needed to do...
In my customers AD, they had 1 group which I wanted to retrieve all users from and populate onto a group on the FAC. This group will then be used for FortiToken mobile matching to AD username.
For the 'Remote Auth Servers > LDAP' I used the default attributes and just entered the IP, base DN, username & password. On clicking the browse icon, I could browse AD.
Under 'User Management > Remote user sync rules' I created a new entry using the 'Remote LDAP' I had just created, and using a filter of '(memberof=CN=Group-Name,OU=OU1,DC=domain,DC=CO,DC=NZ)'. I created a new 'Group to associate users with' and chose OK with the default values for everything else...
Lastly, I selected the new Remote user sync rule and clicked 'Manual sync'. This pulled only the AD users of the chosen AD group into the FAC.
FAC version = v3.00-build0180-20150428-patch00
AD (LDAP) Groups are used widely within FAC. Remote users can be imported using groups, see Remote User Sync Rules where you can specify an LDAP filter to select which user groups are imported. AD Groups can be used in Remote Groups configuration also by specifying an LDAP filter. They are also supported throughout the FSSO config. Perhaps specify what you are trying to achieve here.
The FortiAuthenticator Agent for Microsoft Windows is a special case as it is separate to the Appliance itself and currently it only supports user exceptions however there is a Feature Request to allow Group based exceptions.
Dr. Carl Windsor Field Chief Technology Officer Fortinet
I found this post when trying to answer the same question. I have managed to do what I believe is being asked in this post and what I needed to do...
In my customers AD, they had 1 group which I wanted to retrieve all users from and populate onto a group on the FAC. This group will then be used for FortiToken mobile matching to AD username.
For the 'Remote Auth Servers > LDAP' I used the default attributes and just entered the IP, base DN, username & password. On clicking the browse icon, I could browse AD.
Under 'User Management > Remote user sync rules' I created a new entry using the 'Remote LDAP' I had just created, and using a filter of '(memberof=CN=Group-Name,OU=OU1,DC=domain,DC=CO,DC=NZ)'. I created a new 'Group to associate users with' and chose OK with the default values for everything else...
Lastly, I selected the new Remote user sync rule and clicked 'Manual sync'. This pulled only the AD users of the chosen AD group into the FAC.
FAC version = v3.00-build0180-20150428-patch00
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.