gthalassinos
New Contributor II

Show current LDAP users and force refresh of names and credentials

A Windows user was disabled at a client site and I was asked to verify whether he was still present and operational in the Firewall (and the SSL VPN users) and, if he was, I should disable/remove him.

 

First of all, I found no means of getting the currently known LDAP users in the FortiGate database. I could get the names of all the LDAP users if I tried to add a new remote user, but I am not sure whether that is a list from the Firewall database or an active one via the LDAP connectivity.

 

Then I tried to disable the user via a password change in the Windows AD. When I went to the LDAP Server to check the change via Test User Credentials, I would get a positive check whether I input the old or the new password.

 

Of course, in time, things settled and there was no positive check with the old password. Still I need a way to

1) display actual current LDAP user names known to the Firewall

2) force a refresh of the LDAP user names and their credentials

 

Any help will be greatly appreciated. Thanks in advance.

 

------------------------------------------------------------------------

FortiGate 50E, FortiOS v6.2.12 build1319 (GA) [latest available patch]

1 Solution
srajeswaran
Staff

You can view the cached users list as below.

1) Go to User & Devices -> User Definition -> Create New.
2) On 'User Type', choose 'Remote LDAP user' and select 'Next'.
3) On 'LDAP Server', select the LDAP server name and select 'Next'.


There is also the option "Discard cache and download latest entries", as in the screenshot below.

srajeswaran_0-1678000165940.png

 

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.


7 REPLIES
srajeswaran
Staff

Ideally the user should be present under "Monitor -> Firewall User Monitor" or "Monitor -> SSL-VPN Monitor".

You don't see the users here?

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

gthalassinos

Hello Suraj,

 

I apologize for the delayed response. I am new to the Community and expected to be notified of any reply to my question via email, but that did not happen. And the "Email me when someone replies" option is checked.

 

No, I do not see users' names under Monitor. I only see the Forti User Group, which lists the LDAP Server as its sole member, which in turn shows a sole AD Security Group as selected. That is fine, configuration-wise, but not at all practical in the mentioned situation.

srajeswaran

I just checked on my device running 6.2 and I can see that the active users are visible under the Monitor tab. Non-active users are not visible in the FW list.

 

Active SSL VPN users:

srajeswaran_0-1677653745524.png

 

Active Firewall users:

srajeswaran_1-1677653764968.png

 

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

Yurisk
Valued Contributor

Hi, 

What kind of LDAP integration do you have: LDAP polling or FSSO agent?

If you have the FSSO Agent kind, then inside the FSSO Agent GUI you can clear the cache: Collector Agent GUI -> Show Logon Users -> Clear user cache

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
gthalassinos
New Contributor II

Hi Yurisk,

 

I cannot tell the type of integration. If it is a creation parameter, I would not know anyway, since I was not the one who set this up. Whatever the case may be, I do not seem to find the Collector Agent GUI in order to follow your instructions.

 

Regards

gthalassinos
New Contributor II

I probably do not relay info in the correct manner. Here are screenshots from the firewall.

 

Under "User & Device" > "User Groups" there is an "SSL_VPN_Users_Group" whose Member is the LDAP Server "Windows_AD"

gthalassinos_0-1677963476699.png

 

Under LDAP Servers there is only one Server: the aforementioned "Windows_AD"

gthalassinos_2-1677963911780.png

with the following configuration:

gthalassinos_1-1677963887938.png

I am not trying to see Active Users' Names in the Monitor section.

I am trying to find a list of all actual Windows users in the "SSL_VPN_Users_Group" that are synced from the Windows Server and can *potentially* log in.

 

When I used the "Test User Credentials" feature, I was able to get a Successful result both with the old password as well as with the new. I assume therefore that there exists a cache which had not been cleared or fully resynced and allowed for both passwords to be accepted as correct.

 

I hope what I am saying is clearer now.

 

Thanks again. I am still not getting notified of your replies.
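The need described in this post (a list of the AD users who can *potentially* log in through the group, and a way to tell whether a firewall-side cached name is stale) can be answered from the directory itself rather than from any cache on the FortiGate, since AD is the authority on whether an account is enabled and a member of the group. The following is an added example, not code from the thread or from Fortinet: it takes LDAP search results in the shape a library such as ldap3 would return (the entries here are constructed sample data, and the group DN is a placeholder), decodes the `userAccountControl` ACCOUNTDISABLE bit, and compares the result with a hand-copied list of names seen in the firewall's "Remote LDAP user" dialog.

```python
"""
Added example (not from the forum thread, not Fortinet code).

Determines which members of an AD security group are actually eligible to
log in, using attributes AD itself holds, and flags names in a firewall-side
cached list that no longer correspond to an eligible account.

Assumptions (labelled here and in the lead-in):
  - GROUP_DN is a placeholder for the real group's distinguished name.
  - SAMPLE_ENTRIES is constructed to resemble what an LDAP search for
    (&(objectClass=user)(memberOf=<group DN>)) would return via ldap3;
    no directory is contacted, so this runs offline.
"""
from typing import Dict, Iterable, List

# Bit flags of the AD userAccountControl attribute (Microsoft-documented).
NORMAL_ACCOUNT = 0x0200
ACCOUNTDISABLE = 0x0002

GROUP_DN = "CN=SSL_VPN_Users,OU=Groups,DC=example,DC=com"  # placeholder DN

# Constructed sample data: alice enabled and in the group, bob disabled but
# still in the group, carol enabled but not a member of the group.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": "512", "memberOf": [GROUP_DN]},
    {"sAMAccountName": "bob", "userAccountControl": "514", "memberOf": [GROUP_DN]},
    {"sAMAccountName": "carol", "userAccountControl": "512",
     "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com"]},
]


def is_disabled(entry: dict) -> bool:
    """True if the ACCOUNTDISABLE bit is set in userAccountControl."""
    uac = int(entry.get("userAccountControl", 0))
    return bool(uac & ACCOUNTDISABLE)


def is_member(entry: dict, group_dn: str) -> bool:
    """Case-insensitive check of direct membership via memberOf."""
    return group_dn.lower() in (dn.lower() for dn in entry.get("memberOf", []))


def eligible_users(entries: Iterable[dict], group_dn: str) -> List[str]:
    """Accounts that are enabled and a direct member of the group."""
    return sorted(
        e["sAMAccountName"]
        for e in entries
        if is_member(e, group_dn) and not is_disabled(e)
    )


def stale_cache_entries(cached_names: Iterable[str], entries: Iterable[dict],
                        group_dn: str) -> Dict[str, str]:
    """
    Map each cached name that should no longer be accepted to a reason.
    cached_names: names copied from the firewall's cached LDAP user list.
    """
    by_name = {e["sAMAccountName"].lower(): e for e in entries}
    stale: Dict[str, str] = {}
    for name in cached_names:
        entry = by_name.get(name.lower())
        if entry is None:
            stale[name] = "not found in AD"
        elif is_disabled(entry):
            stale[name] = "disabled in AD"
        elif not is_member(entry, group_dn):
            stale[name] = "no longer a member of the group"
    return stale


if __name__ == "__main__":
    # Names as they might have been read off the firewall's dialog (constructed).
    cached = ["alice", "bob", "dave"]
    print("eligible:", eligible_users(SAMPLE_ENTRIES, GROUP_DN))
    for name, reason in stale_cache_entries(cached, SAMPLE_ENTRIES, GROUP_DN).items():
        print(f"stale cache entry {name}: {reason}")
```

Run against real data, the `SAMPLE_ENTRIES` list would be replaced by the result of an LDAP search bound with a read-only service account; the stale list is then the set of names to verify and clean up on the firewall side, independent of how long its own cache takes to expire.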

