Created on 09-09-2015 02:11 AM, edited on 12-10-2023 10:08 PM by Anthony_E
Description
'Enabling Active Directory recursive search' is a new feature that changes the default search behavior for user group memberships on Windows Active Directory (AD) LDAP servers.
By default, nested groups (groups that are members of other groups) are not searched, because following nested memberships slows down the group membership search.
For example, the user group on the FortiGate is bound to the DN:
CN=VPN, OU=Group, OU=1-Main Organization, DC=example, DC=local
and the actual user 'TestUser' belongs to another group, say 'IT Group', where 'IT Group' is itself a member of the VPN group.
When the user tries to log in to the SSL VPN web portal as 'TestUser', authentication is denied, and the message in the SSL VPN debug would be:
When trying to log in from the FortiGate CLI console, authentication succeeds.
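The following is an added example, not part of the Fortinet article: it models the difference between the default flat memberOf check and the nested (recursive) search against a constructed in-memory stand-in for AD, using the article's TestUser / 'IT Group' / VPN group layout.

```python
# Added example, not from the Fortinet article: shows why a flat memberOf
# check denies 'TestUser' while a nested/recursive walk allows the login.
# DIRECTORY is a constructed stand-in for AD (DN -> that object's memberOf DNs).
from typing import Dict, List, Set

Directory = Dict[str, List[str]]


def norm_dn(dn: str) -> str:
    """AD DNs compare case-insensitively and tolerate spaces after commas,
    so 'CN=VPN, OU=Group, ...' and 'cn=vpn,ou=group,...' are the same DN."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _normalized(directory: Directory) -> Directory:
    return {norm_dn(k): [norm_dn(v) for v in vs] for k, vs in directory.items()}


# Constructed sample directory mirroring the article's example.
DIRECTORY: Directory = {
    "CN=TestUser,OU=Users,OU=1-Main Organization,DC=example,DC=local":
        ["CN=IT Group,OU=Group,OU=1-Main Organization,DC=example,DC=local"],
    "CN=IT Group,OU=Group,OU=1-Main Organization,DC=example,DC=local":
        ["CN=VPN, OU=Group, OU=1-Main Organization, DC=example, DC=local"],
    "CN=VPN, OU=Group, OU=1-Main Organization, DC=example, DC=local": [],
}
TEST_USER = "CN=TestUser,OU=Users,OU=1-Main Organization,DC=example,DC=local"
VPN_GROUP = "CN=VPN, OU=Group, OU=1-Main Organization, DC=example, DC=local"


def member_of_flat(user_dn: str, group_dn: str, directory: Directory = DIRECTORY) -> bool:
    """Default behaviour: only the user's direct memberOf values are checked."""
    d = _normalized(directory)
    return norm_dn(group_dn) in d.get(norm_dn(user_dn), [])


def member_of_nested(user_dn: str, group_dn: str, directory: Directory = DIRECTORY) -> bool:
    """search-type nested/recursive: follow memberOf transitively.
    The visited set stops on membership cycles (A in B, B in A), which AD allows."""
    d = _normalized(directory)
    target, visited = norm_dn(group_dn), set()  # type: str, Set[str]
    pending = list(d.get(norm_dn(user_dn), []))
    while pending:
        dn = pending.pop()
        if dn in visited:
            continue
        visited.add(dn)
        if dn == target:
            return True
        pending.extend(d.get(dn, []))
    return False


if __name__ == "__main__":
    print("flat  :", member_of_flat(TEST_USER, VPN_GROUP))    # False -> SSL VPN denied
    print("nested:", member_of_nested(TEST_USER, VPN_GROUP))  # True  -> allowed
```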
Solution
Enable nested group search on the LDAP server entry:
config user ldap
edit "example.local"
set group-member-check user-attr
set search-type nested
next
end
A query from the FortiGate CLI console should now show the nested group correctly.
Starting from v6.2.x, the available search-type option is 'recursive':
set search-type recursive
A complete LDAP server configuration using it looks like this:
config user ldap
edit "ldap-Server"
set server "x.x.x.x"
set cnid "sAMAccountName"
set dn "DC=fortinet,DC=local"
set type regular
set username "cn=Administrator,cn=users,dc=fortinet,dc=local"
set password XXXXXXXXXXXXXXXXXXXXXXXX
set search-type recursive
next
end
Related documents:
FortiGate v6.2.0 active-directory-recursive-search-option
FortiGate v7.4.x enabling-active-directory-recursive-search