FortiAnalyzer
mdeparisse_FTNT
Article Id 195933
Purpose
This article explains how to allow administrative access to the FortiAnalyzer for an LDAP user group without configuring each user account on the FortiAnalyzer.

Scope
This article describes how to configure FortiAnalyzer administrator accounts for LDAP users by using the wildcard setting.

Diagram
Expectations, Requirements
The users that are members of the LDAP group should be able to log in even though they do not have administrator accounts defined on the FortiAnalyzer.

The LDAP server must already be configured with the user group that will hold the administrators.

Configuration
To allow an LDAP user group to log in to the FortiAnalyzer, first configure the LDAP server on the FortiAnalyzer:
# config system admin ldap
edit "LDAP_OMAR"
set server "192.168.157.99"    >>>> The LDAP server IP
set cnid "sAMAccountName"
set dn "DC=tacfortimex,DC=loc"
set type regular
set username "tacfortimex\\Administrador"
set password ENC hdgywsr$52h$nfd
set group "CN=fazusers,DC=tacfortimex,DC=loc"    >>>>  Select the user group for the FortiAnalyzer administrators that were created on the LDAP server
set filter "(|(objectclass=person)(objectclass=user)(description=Admin))"
set adom "all_adoms"
next
end


Then create a user account with the wildcard setting enabled.
# config system admin user
edit "fazusers"
set profileid "Super_User"    >>>> Select the administrator profile as required
set adom "all_adoms"
set policy-package "all_policy_packages"
set user_type ldap
set ldap-server "LDAP_OMAR"
set wildcard enable     >>>> Wildcard allows the users in the selected LDAP group to log in to the FortiAnalyzer without configuring a separate administrator account for each user
next
end


It is then necessary to set the word "Admin" in the description field of the LDAP users group on the LDAP server, so that the group object matches the (description=Admin) term of the configured filter.



Verification
After the configuration, test the access with the administrator users.

Enable the debug output:
# diagnose debug application fnbam 255
# diagnose debug timestamp enable
# diagnose debug enable
From version 6.4.5 onwards, use:
# diagnose debug application auth 8
# diagnose debug timestamp enable
# diagnose debug enable
For the fortinet1 administrator account:

FAZ1000D # fam_authenticate_user: User 'fortinet1' not found - using wildcard template
fnbamd_fsm.c[1070] handle_req-Rcvd auth req 1097334784 for fortinet1 in LDAP_OMAR opt=27 prot=9
fnbamd_ldap.c[719] resolve_ldap_FQDN-Resolved address 192.168.157.99, result 192.168.157.99
fnbamd_ldap.c[235] start_search_dn-base:'DC=tacfortimex,DC=loc' filter:sAMAccountName=fortinet1
fnbamd_ldap.c[1014] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_fsm.c[1384] poll_auth-Continue pending for req 1097334784
fnbamd_ldap.c[269] get_all_dn-Found DN 1:CN=fortinet1,DC=tacfortimex,DC=loc
fnbamd_ldap.c[283] get_all_dn-Found 746087789 DN's
fnbamd_ldap.c[313] start_next_dn_bind-Trying DN 1:CN=fortinet1,DC=tacfortimex,DC=loc
fnbamd_ldap.c[1052] fnbamd_ldap_get_result-Going to REBIND state
fnbamd_fsm.c[1384] poll_auth-Continue pending for req 1097334784
fnbamd_ldap.c[374]start_search_grp-base:'CN=fazusers,DC=tacfortimex,DC=loc' filter:(|(objectclass=person)(objectclass=user)(description=Admin))
fnbamd_ldap.c[1141] fnbamd_ldap_get_result-Going to CHKGRP state
fnbamd_fsm.c[1384] poll_auth-Continue pending for req 1097334784
fnbamd_ldap.c[445] chk_grp-checking group:'CN=fazusers,DC=tacfortimex,DC=loc', attr:'member'
fnbamd_ldap.c[455] chk_grp-Found 3 members
fnbamd_ldap.c[458] chk_grp-checking member:'CN=fortinet2,DC=tacfortimex,DC=loc'
fnbamd_ldap.c[458] chk_grp-checking member:'CN=fortinet4,DC=tacfortimex,DC=loc'
fnbamd_ldap.c[458] chk_grp-checking member:'CN=fortinet1,DC=tacfortimex,DC=loc'
fnbamd_ldap.c[462] chk_grp-Group membership is good
fnbamd_ldap.c[1219] fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap.c[1229] fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth.c[1470] fnbamd_auth_poll-Result for ldap svr 192.168.157.99 is SUCCESS
fnbamd_comm.c[117] fnbamd_comm_send_result-Sending result 0 for req 1097334784
fam_authenticate_user: remote authentication succeeded



For the fortinet2 administrator account:

fnbamd_ldap.c[1014] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_fsm.c[1384] poll_auth-Continue pending for req 1115422720
fnbamd_ldap.c[269] get_all_dn-Found DN 1:CN=fortinet2,DC=tacfortimex,DC=loc
fnbamd_ldap.c[283] get_all_dn-Found 746087789 DN's
fnbamd_ldap.c[313] start_next_dn_bind-Trying DN 1:CN=fortinet2,DC=tacfortimex,DC=loc
fnbamd_ldap.c[1052] fnbamd_ldap_get_result-Going to REBIND state
fnbamd_fsm.c[1384] poll_auth-Continue pending for req 1115422720
fnbamd_ldap.c[374] start_search_grp-base:'CN=fazusers,DC=tacfortimex,DC=loc' filter:(|(objectclass=person)(objectclass=user)(description=Admin))
fnbamd_ldap.c[1141] fnbamd_ldap_get_result-Going to CHKGRP state
fnbamd_fsm.c[1384] poll_auth-Continue pending for req 1115422720
fnbamd_ldap.c[445] chk_grp-checking group:'CN=fazusers,DC=tacfortimex,DC=loc', attr:'member'
fnbamd_ldap.c[455] chk_grp-Found 3 members
fnbamd_ldap.c[458] chk_grp-checking member:'CN=fortinet2,DC=tacfortimex,DC=loc'
fnbamd_ldap.c[462] chk_grp-Group membership is good
fnbamd_ldap.c[1219] fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap.c[1229] fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth.c[1470] fnbamd_auth_poll-Result for ldap svr 192.168.157.99 is SUCCESS
fnbamd_comm.c[117] fnbamd_comm_send_result-Sending result 0 for req 1115422720
fam_authenticate_user: remote authentication succeeded


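The following is an added model (not Fortinet code) of the SEARCH, REBIND and CHKGRP steps that the debug output above walks through, run against a constructed in-memory directory with the settings from the configuration above. It assumes, as the "Admin" description step implies, that the group entry itself must satisfy the configured filter before its member attribute is checked; the names authenticate, matches and _user are this example's own.

```python
# Model of the SEARCH -> REBIND -> CHKGRP flow in the fnbamd output above.
# Directory contents, passwords and helper names are constructed for this
# example; this is not Fortinet code.
def _user(name, pw):
    return {"objectclass": ["person", "user"], "samaccountname": [name], "userpassword": [pw]}

BASE = "DC=tacfortimex,DC=loc"
DIRECTORY = {  # DN -> attributes, attribute names lower-cased
    "CN=fortinet1," + BASE: _user("fortinet1", "pw-1"),
    "CN=fortinet3," + BASE: _user("fortinet3", "pw-3"),  # valid user, not in group
    "CN=fazusers," + BASE: {"objectclass": ["group"], "description": ["Admin"],
                            "member": ["CN=fortinet2," + BASE, "CN=fortinet4," + BASE,
                                       "CN=fortinet1," + BASE]},
}
# Settings copied from the 'config system admin ldap' block above.
CONFIG = {"cnid": "sAMAccountName", "dn": BASE, "group": "CN=fazusers," + BASE,
          "filter": "(|(objectclass=person)(objectclass=user)(description=Admin))"}

def _parse(flt, i=0):
    """Minimal LDAP filter parser: (&...), (|...) and (attr=value) only."""
    i += 1                                     # skip '('
    if flt[i] in "&|":
        op, i, kids = flt[i], i + 1, []
        while flt[i] == "(":
            node, i = _parse(flt, i)
            kids.append(node)
        return (op, kids), i + 1               # skip ')'
    end = flt.index(")", i)
    attr, val = flt[i:end].split("=", 1)
    return ("=", attr.lower(), val.lower()), end + 1

def matches(entry, flt):
    def ev(node):                              # case-insensitive equality match
        if node[0] == "=":
            return node[2] in [v.lower() for v in entry.get(node[1], [])]
        hits = [ev(k) for k in node[1]]
        return any(hits) if node[0] == "|" else all(hits)
    return ev(_parse(flt)[0])

def authenticate(user, password, cfg=CONFIG, directory=DIRECTORY):
    """Return (accepted, reason) following the states in the debug output."""
    dns = [dn for dn, e in directory.items() if dn.endswith(cfg["dn"])  # SEARCH
           and user.lower() in [v.lower() for v in e.get(cfg["cnid"].lower(), [])]]
    if not dns:
        return False, "user DN not found under base DN"
    if password not in directory[dns[0]].get("userpassword", []):    # REBIND
        return False, "bind with user DN failed"
    group = directory.get(cfg["group"], {})                           # CHKGRP
    if not matches(group, cfg["filter"]):
        return False, "group entry does not match the filter"
    if dns[0] not in group.get("member", []):
        return False, "user is not in the group's member attribute"
    return True, "Auth accepted"
```

Removing the "Admin" description from the group makes every login fail at the CHKGRP step, which is the symptom to look for in the debug output when the description step was skipped.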
