FortiGate
Somashekara_Hanumant
Article Id 195157

Description

 
This article concerns LDAP authentication when groups are nested.
'Enabling Active Directory recursive search' is a feature that changes the default search behaviour for user group memberships on Windows Active Directory (AD) LDAP servers.
By default, nested groups (groups that are members of other groups) are not searched, because following the nesting can slow down the group membership lookup.

For example, the FortiGate user group is bound to the LDAP group DN:

CN=VPN, OU=Group, OU=1-Main Organization, DC=example, DC=local

and the actual user 'TestUser' belongs to another group, say 'IT Group', where 'IT Group' is a member of the VPN group (TestUser is therefore only an indirect member of VPN).

When the user tries to log in to the SSL VPN web portal as 'TestUser', authentication is denied, and the message in the SSL VPN debug output is:

'Auth failed due to group restrictions', followed by the actual user group DN.

When testing the same credentials from the FortiGate CLI console, authentication succeeds, because that test checks the LDAP bind and not the nested group membership.
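The failure above comes down to how the membership check is performed: a direct check reads only the bound group's own member list, while a recursive check follows groups that are members of other groups. The following is an added example (not code from the Fortinet article or from FortiOS) that models both checks against a constructed directory tree mirroring the article's DNs. It also builds the LDAP filter that uses Active Directory's LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941), which is AD's standard way to ask the domain controller for transitive membership; that FortiGate's recursive search relies on this rule is an assumption here, not something the article states.

```python
"""Direct vs. nested (recursive) LDAP group-membership checks.

Added example, not code from the Fortinet article or from FortiOS. The
directory tree below is constructed for illustration; the DNs mirror the
article's example but are not real.
"""
from collections import deque

# AD's LDAP_MATCHING_RULE_IN_CHAIN rule OID. A filter that uses it asks the
# domain controller to walk group-in-group membership server-side.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed sample directory: group DN -> member DNs.
# TestUser is a direct member of 'IT Group' only; 'IT Group' is itself a
# member of the VPN group that the FortiGate user group is bound to.
GROUPS = {
    "CN=VPN,OU=Group,OU=1-Main Organization,DC=example,DC=local": [
        "CN=IT Group,OU=Group,OU=1-Main Organization,DC=example,DC=local",
        "CN=Alice,OU=Users,DC=example,DC=local",
    ],
    "CN=IT Group,OU=Group,OU=1-Main Organization,DC=example,DC=local": [
        "CN=TestUser,OU=Users,DC=example,DC=local",
    ],
}

VPN_GROUP = "CN=VPN,OU=Group,OU=1-Main Organization,DC=example,DC=local"
TEST_USER = "CN=TestUser,OU=Users,DC=example,DC=local"


def normalize_dn(dn):
    """DNs are case-insensitive; drop whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _normalized(groups):
    return {normalize_dn(g): [normalize_dn(m) for m in ms] for g, ms in groups.items()}


def is_direct_member(user_dn, group_dn, groups=GROUPS):
    """Default behaviour: only the bound group's own member list is read."""
    return normalize_dn(user_dn) in _normalized(groups).get(normalize_dn(group_dn), [])


def is_nested_member(user_dn, group_dn, groups=GROUPS):
    """Recursive behaviour: breadth-first walk through member groups.
    The visited set guards against circular nesting (A in B, B in A)."""
    tree = _normalized(groups)
    target = normalize_dn(user_dn)
    seen, queue = set(), deque([normalize_dn(group_dn)])
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        for member in tree.get(group, []):
            if member == target:
                return True
            if member in tree:          # member is itself a group: descend
                queue.append(member)
    return False


def escape_filter_value(value):
    """RFC 4515 escaping: a DN or username placed in a filter must not be
    able to change the filter's logic (LDAP filter injection)."""
    for raw, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        value = value.replace(raw, esc)
    return value


def recursive_membership_filter(group_dn, user_attr="memberOf"):
    """Filter to run with the user's DN as the search base (scope 'base'):
    it matches only if the user is transitively a member of group_dn."""
    return f"({user_attr}:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)})"


if __name__ == "__main__":
    print("direct :", is_direct_member(TEST_USER, VPN_GROUP))   # False
    print("nested :", is_nested_member(TEST_USER, VPN_GROUP))   # True
    print("filter :", recursive_membership_filter(VPN_GROUP))
```

The direct check is what produces 'Auth failed due to group restrictions' for TestUser; the nested walk (or the equivalent server-side matching-rule filter) is what the recursive search option provides. The escaping step matters whenever the DN or username comes from user input.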
 
Scope
 
FortiGate.


Solution

 
Configure the following on the LDAP server object; 'group-member-check user-attr' checks membership through the user object's group attribute (memberOf) instead of the group's member list, and the nested search type allows all nested group information to be retrieved:
 
config user ldap
    edit "example.local"
        set group-member-check user-attr
        set search-type nested
    next
end
 

A query from the FortiGate CLI console (for example 'diagnose test authserver ldap <server-name> <username> <password>') should now show the nested group correctly.

Starting from v6.2.x, the available search-type option is 'recursive':


set search-type recursive

 

config user ldap
    edit "ldap-Server"
        set server "x.x.x.x"
        set cnid "sAMAccountName"
        set dn "DC=fortinet,DC=local"
        set type regular
        set username "cn=Administrator,cn=users,dc=fortinet,dc=local"
        set password XXXXXXXXXXXXXXXXXXXXXXXX
        set search-type recursive
    next
end


Related documents:
FortiGate v6.2.0 active-directory-recursive-search-option 
FortiGate v7.4.x enabling-active-directory-recursive-search