Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Somashekara_Hanumant
Staff
Staff

Created on ‎09-09-2015 02:11 AM

Technical Note: LDAP Nested Group authentication for SSLVPN

Description
This article concerns LDAP authentication when groups are nested.

For example, User group DN is binded with:

CN=VPN, OU=Group, OU=1-Main Organization, DC=example, DC=local

and the actual user 'TestUser' belongs to another group, say 'IT Group' where 'IT Group' is a member of VPN group.

When the user tries to login to sslvpn webportal using 'TestUser', authentication will be denied, and the message on the SSLVPN debug would be:
"Auth failed due to group restrictions"
The actual user group DN will be shown.

When trying to login from the FortiGate CLI console, authentication succeeds.

Solution
Configure the following commands on the LDAP, it should be allow all the nested group information to be retrieved.
config user ldap
edit "example.local"
set group-member-check user-attr
set search-type nested
next
end

A query from the FortiGate CLI console should now show the nested group correctly.

Labels:
7097
0 Kudos
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.