SSL-VPN with Certificate and LDAP Group Search
Hi,
I have the following customer requirement:
Access with a browser and client certificate to the FortiGate SSL-VPN portal. Authorization is with the certificate, but the group assignment should be done by asking the LDAP. With the CN of the certificate, the LDAP is asked for the groups the user belongs to.
I was able to configure the certificate-based authentication, but I didn't manage to ask the LDAP for the groups the user belongs to. Additionally, if I add the user manually to more than one user group in the FortiGate, only the first user group is assigned. The issue is that I need the user assigned to more than one group depending on his membership in the LDAP.
I tried to use the following configuration for the PKI user:
config user peer
    edit "borgmda"
        set cn "borgmda"
        set ldap-server "NSN_NEDI-W-SSL-2"
        set ldap-mode principal-name
    next
end
config user ldap
    edit "NSN_NEDI-W-SSL-2"
        set server "10.159.0.138"
        set secondary-server "10.135.48.5"
        set cnid "sAMAccountName"
        set dn "ou=gms,ou=groups,dc=nsn-intra,dc=net"
        set type regular
        set username ****** (username that has the right to access the LDAP; test via GUI is OK)
        set password ****
    next
end
config user group
    edit "I_EXT_SSL_INTRA"
        set member "NSN_NEDI-W-SSL-2" "NSN_NEDI-W-SSL-2_users" "borgmda"
        config match
            edit 1
                set server-name "NSN_NEDI-W-SSL-2"
                set group-name "CN=I_EXT_NSN_SSL_NSNINTRA,OU=Security,OU=GMS,OU=Groups,DC=nsn-intra,DC=net"
            next
            edit 2
                set server-name "NSN_NEDI-W-SSL-2_users"
                set group-name "CN=I_EXT_NSN_SSL_NSNINTRA,OU=Security,OU=GMS,OU=Groups,DC=nsn-intra,DC=net"
            next
        end
    next
end
Debugging shows the following:
2016-02-10 14:09:58 [29102:partners:53]SSL_accept returned 0.
2016-02-10 14:09:58 [29102:partners:53]Destroy sconn 0x2a9a05e400, connSize=0. (partners)
2016-02-10 14:10:01 [29103:partners:53]allocSSLConn:245 sconn 0x2a9a05e400 (1:partners)
2016-02-10 14:10:01 [29103:partners:53]SSL established: TLSv1.2 ECDHE-RSA-AES256-SHA384
2016-02-10 14:10:01 [29103:partners:53]rmt_authutil.c:418 no session id in auth info
2016-02-10 14:10:01 [29103:partners:53]rmt_authutil.c:701 invalid cache, ret=4103
2016-02-10 14:10:01 [29103:partners:53]doing authentication for 1 group(s).
2016-02-10 14:10:01 fnbamd_fsm.c[2143] handle_req-Rcvd auth_cert req id=1073869796
2016-02-10 14:10:01 fnbamd_auth.c[1309] check_cert-CA found: CA_Cert_14
2016-02-10 14:10:01 fnbamd_auth.c[1605] cert_check_group_list-checking group type 1 group name 'I_EXT_NSN_SSL_NSNINTRA'
2016-02-10 14:10:01 fnbamd_auth.c[1498] check_add_peer-check peer user 'borgmda' in group 'I_EXT_NSN_SSL_NSNINTRA', result is 4
2016-02-10 14:10:01 fnbamd_auth.c[1630] cert_check_group_list-Status pending for group 'I_EXT_NSN_SSL_NSNINTRA'
2016-02-10 14:10:01 fnbamd_ldap.c[998] resolve_ldap_FQDN-Resolved address 10.159.0.138, result 10.159.0.138
2016-02-10 14:10:01 fnbamd_ldap.c[998] resolve_ldap_FQDN-Resolved address 10.135.48.5, result 10.135.48.5
2016-02-10 14:10:01 fnbamd_ldap.c[443] start_search_dn-base:'ou=gms,ou=groups,dc=nsn-intra,dc=net' filter:userPrincipalName=
2016-02-10 14:10:01 fnbamd_ldap.c[1736] fnbamd_ldap_get_result-Going to SEARCH state
2016-02-10 14:10:01 fnbamd_fsm.c[1503] auth_cert_ldap_result-Continue pending for req 1073869796
2016-02-10 14:10:01 fnbamd_ldap.c[486] get_all_dn-Found no DN
2016-02-10 14:10:01 fnbamd_ldap.c[2031] fnbamd_ldap_get_result-Auth denied
2016-02-10 14:10:01 fnbamd_auth.c[1886] fnbamd_auth_cert_poll-Result for ldap svr[0] '10.159.0.138' is DENY
2016-02-10 14:10:01 fnbamd_comm.c[169] fnbamd_comm_send_result-Sending result 1 for req 1073869796
I am wondering if there is anything wrong with the LDAP search. From the documentation, they assume wrong credentials. And what I think is missing is the filter: userPrincipalName=????? Where's my user 'borgmda'? This is the user I would like to search for in the LDAP to get the groups he belongs to.
Any ideas?
bye
Daniel
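The post above turns on two things: which certificate attribute the firewall turns into an LDAP search filter, and how the directory's group memberships are mapped onto firewall user groups. The following Python is an added illustration, not FortiOS code and not from the poster. It models the peer `ldap-mode` setting under an assumed reading (principal-name searches by the certificate's UPN, anything else by subject CN against `cnid`), uses a constructed in-memory directory with placeholder DNs under `DC=example,DC=net`, and shows three behaviours a practitioner can check on the real system: a certificate that carries no UPN yields an empty filter value and no DN is found; a user entry outside the configured search base is likewise not found; and a user whose `memberOf` matches several `match` entries is assigned to every corresponding firewall group, not only the first.

```python
"""Added illustration (not FortiOS code): how a certificate identity becomes an
LDAP lookup and how the directory's memberOf values map onto firewall user
groups. The directory, certificates and group table are constructed stand-ins."""
from dataclasses import dataclass
from typing import Optional

# RFC 4515: characters that must be escaped inside an LDAP filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class PeerCert:
    subject_cn: str
    upn: Optional[str] = None  # UPN from the SAN otherName; many certificates carry none


def identity_from_cert(cert: PeerCert, ldap_mode: str, cnid: str):
    """Assumed model of the peer 'ldap-mode' setting: principal-name looks the user
    up by the certificate's UPN, anything else by subject CN against 'cnid'.
    Returns (attribute, value); value is None when the certificate lacks it."""
    if ldap_mode == "principal-name":
        return "userPrincipalName", cert.upn
    return cnid, cert.subject_cn


def build_filter(attr: str, value: Optional[str]) -> Optional[str]:
    """Refuse to emit 'attr=' with an empty value; such a search can never match."""
    if not value:
        return None
    return f"({attr}={escape_filter_value(value)})"


def _dn_under(dn: str, base: str) -> bool:
    # DNs are case-insensitive; an entry is in scope only if it sits below the base.
    return dn.lower().endswith(base.lower())


def lookup_user(directory: dict, base_dn: str, attr: str, value: Optional[str]):
    """Return the matching entry DN, or None (the 'Found no DN' case)."""
    if build_filter(attr, value) is None:
        return None
    for dn, attrs in directory.items():
        if _dn_under(dn, base_dn) and attrs.get(attr, "").lower() == value.lower():
            return dn
    return None


def resolve_groups(directory: dict, user_dn: Optional[str], fw_groups: dict) -> set:
    """Every firewall group with at least one 'match' entry in the user's memberOf."""
    if user_dn is None:
        return set()
    member_of = {g.lower() for g in directory[user_dn].get("memberOf", [])}
    return {name for name, matches in fw_groups.items()
            if any(m.lower() in member_of for m in matches)}


# Constructed directory and firewall group table (placeholder names, not real data).
DIRECTORY = {
    "CN=borgmda,OU=Users,OU=GMS,DC=example,DC=net": {
        "sAMAccountName": "borgmda",
        "userPrincipalName": "borgmda@example.net",
        "memberOf": ["CN=I_EXT_NSN_SSL_NSNINTRA,OU=Security,OU=GMS,OU=Groups,DC=example,DC=net",
                     "CN=VPN_Finance,OU=Security,OU=GMS,OU=Groups,DC=example,DC=net"],
    },
}
FW_GROUPS = {
    "I_EXT_SSL_INTRA": ["CN=I_EXT_NSN_SSL_NSNINTRA,OU=Security,OU=GMS,OU=Groups,DC=example,DC=net"],
    "SSL_FINANCE": ["CN=VPN_Finance,OU=Security,OU=GMS,OU=Groups,DC=example,DC=net"],
    "SSL_ADMINS": ["CN=VPN_Admins,OU=Security,OU=GMS,OU=Groups,DC=example,DC=net"],
}
BASE_DN = "DC=example,DC=net"


def groups_for_cert(cert: PeerCert, ldap_mode: str, cnid: str = "sAMAccountName") -> set:
    attr, value = identity_from_cert(cert, ldap_mode, cnid)
    user_dn = lookup_user(DIRECTORY, BASE_DN, attr, value)
    return resolve_groups(DIRECTORY, user_dn, FW_GROUPS)


if __name__ == "__main__":
    cert_no_upn = PeerCert(subject_cn="borgmda")
    print(build_filter("userPrincipalName", cert_no_upn.upn))  # None -> nothing to search for
    print(groups_for_cert(cert_no_upn, "principal-name"))       # set()
    print(groups_for_cert(cert_no_upn, "password"))             # {'I_EXT_SSL_INTRA', 'SSL_FINANCE'}
    print(build_filter("sAMAccountName", "a*(b)"))               # (sAMAccountName=a\2a\28b\29)
```

The two checks worth carrying back to a real deployment are the ones the model makes explicit: confirm that the client certificate actually contains the attribute the chosen `ldap-mode` relies on (the debug output prints the filter value it derived), and confirm that the user objects live beneath the `dn` configured on the LDAP server entry, since a search base that covers only group objects will not return a user DN.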