LDAP Query

Author
Piotras
New Member
  • Total Posts : 5
  • Scores: 0
  • Reward points: 0
  • Joined: 2012/10/11 04:30:34
  • Status: offline
2014/10/09 04:47:49 (permalink)
0

LDAP Query

I have configured authentication for FSSO and I want to create a report in FortiAnalyzer where the user belongs to a particular group or organizational unit. Theoretically, I may use an LDAP Query; however, nowhere is it described how to benefit from this. Does anyone know how this works?

FortiGate 5.2
FortiAnalyzer 5.2
FSSO 4.3.0156 - AD access mode: standard

Regards
#1
hzhao_FTNT
Expert Member
  • Total Posts : 337
  • Scores: 54
  • Reward points: 0
  • Joined: 2014/09/12 10:03:54
  • Status: offline
RE: LDAP Query 2014/10/09 07:33:29 (permalink)
0
1. Add and configure an LDAP server in the GUI, please refer to: http://docs.fortinet.com/d/fortianalyzer-5.2.0-administration-guide Page 83
2. More advanced setting for ldap server in CLI if needed, please refer to: http://docs.fortinet.com/d/fortianalyzer-5.2.0-cli-reference Page 34
3. Enable LDAP query and apply group filter in report setting: http://docs.fortinet.com/d/fortianalyzer-5.2.0-administration-guide Page 170
4. Run report

Regards,
hz
#2
Piotras
New Member
  • Total Posts : 5
  • Scores: 0
  • Reward points: 0
  • Joined: 2012/10/11 04:30:34
  • Status: offline
RE: LDAP Query 2014/10/10 04:35:57 (permalink)
0
That's what I did, but it didn't work.
I ran a sniffer on the FAZ, and when I run the report I don't see any traffic to Active Directory.

config system admin ldap
    edit "Test"
        set server "10.48.7.100"
        set cnid "cn"
        set dn "DC=domena,DC=wew"
        set type regular
        set username "CN=sc_FG,OU=Fortigate,OU=Systemy,DC=domena,DC=wew"
        set password ENC *
        set adom "all_adoms"
    next
end




#3
hzhao_FTNT
Expert Member
  • Total Posts : 337
  • Scores: 54
  • Reward points: 0
  • Joined: 2014/09/12 10:03:54
  • Status: offline
RE: LDAP Query 2014/10/10 08:03:31 (permalink)
0
Hi Piotras,

1. Please check if you can query distinguished name in GUI.
2. Please check ldap server config again under CLI:
conf sys admin ldap
edit test
get

If filter and attributes are none, please set a proper value according to your ldap server config, for example:
set filter (|(objectclass=person)(objectclass=user))
set attributes member,uniquemember
end
3. Please disable case change; this feature is not functional because of a bug.

Regards,
hz


#4
Piotras
New Member
  • Total Posts : 5
  • Scores: 0
  • Reward points: 0
  • Joined: 2012/10/11 04:30:34
  • Status: offline
RE: LDAP Query 2014/10/12 02:45:02 (permalink)
0
Ad. 1
I can query distinguished name from GUI.



Ad. 2
This is the LDAP configuration from the CLI:

(Test)# get
name : Test
server : 10.48.7.100
cnid : cn
dn : DC=domain,DC=local
port : 389
type : regular
username : *
password : *
group : (null)
filter : (|(objectclass=person)(objectclass=user))
attributes : member,uniquemember
secure : disable
connect-timeout : 500
adom:
== [ all_adoms ]
adom-name: all_adoms

Ad. 3
I disabled case change, but nothing has changed.

Surely this functionality works correctly in version 5.2?


#5
hzhao_FTNT
Expert Member
  • Total Posts : 337
  • Scores: 54
  • Reward points: 0
  • Joined: 2014/09/12 10:03:54
  • Status: offline
RE: LDAP Query 2014/10/14 07:29:07 (permalink)
0
Hi Piotras,

The basic LDAP feature should be working OK in 5.2.0 B618. Could you open a customer ticket and post your ticket number here? We may need to look into your case more closely.

Regards,
hz
#6
xinger
Bronze Member
  • Total Posts : 23
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/12/04 09:31:04
  • Status: offline
Re: RE: LDAP Query 2015/02/05 22:07:49 (permalink)
0
Did this get resolved?  Can someone post a solution?  Thanks!
 
#7
hzhao_FTNT
Expert Member
  • Total Posts : 337
  • Scores: 54
  • Reward points: 0
  • Joined: 2014/09/12 10:03:54
  • Status: offline
Re: RE: LDAP Query 2015/02/06 08:59:12 (permalink) (marked Helpful by xinger 2015/02/08 06:17:52)
0
LDAP works OK on FAZ5.2.1 and 5.0.10. 
 
hz
#8
xinger
Bronze Member
  • Total Posts : 23
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/12/04 09:31:04
  • Status: offline
Re: RE: LDAP Query 2015/02/08 08:17:02 (permalink)
0
hzhao_FTNT wrote:
    LDAP works OK on FAZ5.2.1 and 5.0.10.

Yes, it works on FAZ 5.2.1!  Thanks!  However, the feature still needs to be documented better (IMHO) and it still has a bug. 
 
The bug: A packet sniff showed me that the LDAP group query truncated my group name at the first blank.  When my report filter included "Group equal to ABC-XY-Information Technology", my report was empty and the LDAP packet showed only "ABC-XY-Information";  "Technology" had been truncated.  However, it worked when I renamed the group in my directory replacing the blank with a hyphen, and then filtering on "Group equal to ABC-XY-Information-Technology". 
 
The documentation: I had to use Change Case = Upper because user names are upper case in my Fortinet logs.  And here is what worked in my LDAP configuration (Windows Active Directory environment).
cnid                : cn
dn                  : the distinguished name of either the root (dc=xyz,dc=com)
                      or the OU where the reporting groups are (ou=mygroups,dc=xyz,dc=com)
group               : (null) worked for me; I didn't experiment with values.
filter              : I couldn't unset filter, but both of the following worked for me.
                      (|(objectclass=person)(objectclass=user))
                      (&(objectcategory=group)(member=*))
                      And seeing that these filter completely different objects,
                      I must conclude that this filter setting isn't used for report queries.
attributes          : member worked for me. I was unable to unset it.
                      I had mixed results when I tried setting it to other values.
#9
hzhao_FTNT
Expert Member
  • Total Posts : 337
  • Scores: 54
  • Reward points: 0
  • Joined: 2014/09/12 10:03:54
  • Status: offline
Re: RE: LDAP Query 2015/02/10 10:59:46 (permalink)
0
Hi Xinger,
 
Thanks for your detailed testing. For "Group equal to ABC-XY-Information Technology", could you try:
Group equal to "ABC-XY-Information Technology"
By design, when there is a space, we have to use double quotation marks in the filter.
 
Regards,
hz
#10
xinger
Bronze Member
  • Total Posts : 23
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/12/04 09:31:04
  • Status: offline
Re: RE: LDAP Query 2015/02/10 11:30:27 (permalink)
0
hzhao_FTNT wrote:
    could you try: Group equal to "ABC-XY-Information Technology"
    By design, when there is a space, we have to use double quotation in filter.

I hadn't thought to do that, so I've tried it now.  However, I'm unable to type a double quotation mark within that field.  I can type all other "special characters", but not the double quotation mark.  I can't even paste a double quotation mark into the field. Weird.  I've tried with both Chrome and IE11.
#11
hzhao_FTNT
Expert Member
  • Total Posts : 337
  • Scores: 54
  • Reward points: 0
  • Joined: 2014/09/12 10:03:54
  • Status: offline
Re: RE: LDAP Query 2015/02/10 11:36:05 (permalink)
0
You are right, I cannot input a double quotation mark either. I will check with the dev team to see if it is a bug or a new design.
 
Thanks,
hz
#12
hzhao_FTNT
Expert Member
  • Total Posts : 337
  • Scores: 54
  • Reward points: 0
  • Joined: 2014/09/12 10:03:54
  • Status: offline
Re: RE: LDAP Query 2015/02/10 14:03:35 (permalink)
0
Confirmed with the GUI team. It is a new feature that we do not allow the user to input double quotation marks. When the user inputs a space, double quotation marks will be added automatically. We do have an issue with querying group names that contain a space; it returns (false) in the back end. I will open a bug for it.
 
Thanks,
hz
#13
LVARELA
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/01/12 07:30:57
  • Status: offline
Re: RE: LDAP Query 2018/01/12 07:56:04 (permalink)
0
I want to create a FortiAnalyzer report where user belongs to a particular group or organizational unit.
Is the LDAP Query option in the report filter still working for this purpose in 5.6.1?
#14
hzhao_FTNT
Expert Member
  • Total Posts : 337
  • Scores: 54
  • Reward points: 0
  • Joined: 2014/09/12 10:03:54
  • Status: offline
Re: RE: LDAP Query 2018/01/12 15:54:48 (permalink) (marked Helpful by LVARELA 2018/01/15 11:34:06)
5 (1)
Yes, we verified it OK on 5.6.1 release.
#15
LVARELA
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/01/12 07:30:57
  • Status: offline
Re: RE: LDAP Query 2018/01/15 07:06:07 (permalink)
0
Thanks.
 
Is there a step-by-step guide to get it working?
I tried using the GUI and CLI as mentioned in this thread, but the filter doesn't work.
I can't filter reports based on an LDAP OU.
#16
hzhao_FTNT
Expert Member
  • Total Posts : 337
  • Scores: 54
  • Reward points: 0
  • Joined: 2014/09/12 10:03:54
  • Status: offline
Re: RE: LDAP Query 2018/01/15 10:06:10 (permalink)
0
Hi there, if you followed steps in above threads but ldap filter still doesn't work, please open a support ticket in FortiCare.
 
Regards,
hz
#17
AtiT
Gold Member
  • Total Posts : 440
  • Scores: 32
  • Reward points: 0
  • Joined: 2012/04/18 12:13:27
  • Location: Prague / Czech Republic
  • Status: offline
Re: RE: LDAP Query 2018/05/04 12:50:05 (permalink)
0
Hello,
I have a request from the customer to search for the users in LDAP and create a report according to the group membership, which is exactly what is described above.
My problem is that we have KERBEROS authentication, where the username in the logs looks like this: username@DOMAIN.COM
 
Probably that is the problem as the LDAP query returns the results such as: CN=user,OU=test,DC=domain,DC=com
The CN is returned as a result but not the UPN (userPrincipalName); maybe the UPN would help?
 
Is there a solution to get it work with KERBEROS authenticated users?

AtiT
--------------------
NSE 8, CCNP R+S
#18
hzhao_FTNT
Expert Member
  • Total Posts : 337
  • Scores: 54
  • Reward points: 0
  • Joined: 2014/09/12 10:03:54
  • Status: offline
Re: RE: LDAP Query 2018/05/04 14:55:29 (permalink)
0
Hi AtiT,
 
I don't have an environment for LDAP with KERBEROS; maybe you can modify your LDAP server setting on FAZ to use the UPN and give it a try:
config sys admin ldap
    edit <ldap-server>
        set cnid userPrincipalName
        set attributes member,userPrincipalName
end

#19
AtiT
Gold Member
  • Total Posts : 440
  • Scores: 32
  • Reward points: 0
  • Joined: 2012/04/18 12:13:27
  • Location: Prague / Czech Republic
  • Status: offline
Re: RE: LDAP Query 2018/05/05 02:28:12 (permalink)
0
Thank you for your reply; unfortunately it does not work.

AtiT
--------------------
NSE 8, CCNP R+S
#20
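An added, offline example (not from this thread and not Fortinet code) for the two matching problems raised above: xinger's report (post #9) of a group name containing a space being cut at the blank, and AtiT's Kerberos-style log usernames (user@DOMAIN.COM) that never match the cn LDAP returns. It builds the RFC 4515-escaped group filter that has to reach the directory, resolves the group's member DNs from a constructed sample directory, and normalises log usernames (upper case, DOMAIN\user, user@REALM) against userPrincipalName, sAMAccountName and cn. The directory entries, the attribute names used for matching and the assumption that the Kerberos realm equals the UPN suffix are mine; FortiAnalyzer's own matching logic is not documented in the thread, so this is a way to check what the report filter would need to do, not a description of how FAZ does it.

```python
"""Added example, not from the forum thread or from Fortinet: an offline
emulation of the lookup a report filter 'Group equal to <cn>' has to perform,
so the three problems raised in the thread (group names with spaces, case
differences between log usernames and directory values, and Kerberos-style
log usernames user@DOMAIN.COM that do not match the cn LDAP returns) can be
checked without a FortiAnalyzer. DIRECTORY is constructed sample data; the
matching rules in user_in_group are an assumption, not FAZ's implementation."""

# Constructed AD-like directory: DN -> attributes (sample data, not real).
DIRECTORY = {
    "CN=ABC-XY-Information Technology,OU=mygroups,DC=xyz,DC=com": {
        "objectCategory": "group",
        "cn": "ABC-XY-Information Technology",
        "member": [
            "CN=jsmith,OU=test,DC=xyz,DC=com",
            "CN=Anna Kowalski,OU=test,DC=xyz,DC=com",
        ],
    },
    "CN=jsmith,OU=test,DC=xyz,DC=com": {
        "objectCategory": "person", "cn": "jsmith",
        "sAMAccountName": "jsmith", "userPrincipalName": "jsmith@xyz.com",
    },
    "CN=Anna Kowalski,OU=test,DC=xyz,DC=com": {
        "objectCategory": "person", "cn": "Anna Kowalski",
        "sAMAccountName": "akowalski", "userPrincipalName": "akowalski@xyz.com",
    },
    "CN=bob,OU=test,DC=xyz,DC=com": {  # not a member of the group
        "objectCategory": "person", "cn": "bob",
        "sAMAccountName": "bob", "userPrincipalName": "bob@xyz.com",
    },
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter.
    Only backslash, '*', '(', ')' and NUL are escaped; a space is an ordinary
    character, so a group cn with spaces must be sent whole, never cut."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def group_filter(group_cn):
    """The filter the report backend would have to send to fetch one group."""
    return "(&(objectCategory=group)(cn=%s))" % escape_filter_value(group_cn)


def group_members(group_cn):
    """Return the sorted 'member' DNs of the group whose cn matches (AD compares
    cn case-insensitively). A cn truncated at the first space matches nothing,
    which is exactly the empty report xinger observed."""
    for attrs in DIRECTORY.values():
        if attrs.get("objectCategory") == "group" and \
                attrs["cn"].lower() == group_cn.lower():
            return sorted(attrs["member"])
    return []


def normalize_log_user(log_user):
    """Fold the username forms seen in FortiGate logs to lower case: FSSO logs
    the bare account (often upper case, hence 'Change Case' in the thread),
    NTLM-style DOMAIN\\user keeps only 'user', and Kerberos logs user@REALM,
    which is kept whole so it can be compared with userPrincipalName."""
    user = log_user.strip().lower()
    if "\\" in user:
        user = user.split("\\", 1)[1]
    return user


def user_in_group(log_user, group_cn):
    """True if the log username refers to a member of the group. Matching
    order: userPrincipalName, sAMAccountName, cn; for a user@realm name the
    local part is also tried against sAMAccountName and cn (assumption: the
    Kerberos realm equals the UPN suffix in this domain)."""
    user = normalize_log_user(log_user)
    local_part = user.split("@", 1)[0]
    for dn in group_members(group_cn):
        attrs = DIRECTORY.get(dn, {})
        ids = {str(attrs.get(k, "")).lower()
               for k in ("userPrincipalName", "sAMAccountName", "cn")}
        if user in ids or ("@" in user and local_part in ids):
            return True
    return False


if __name__ == "__main__":
    print(group_filter("ABC-XY-Information Technology"))
    for name in ("JSMITH", "XYZ\\jsmith", "akowalski@XYZ.COM", "bob"):
        print(name, user_in_group(name, "ABC-XY-Information Technology"))
```

Run it against the sample directory and then compare with a packet capture of the real FAZ query: if the filter on the wire carries only "ABC-XY-Information", the truncation happens before the query leaves the box, and no LDAP-side filter or attribute setting will fix it; if the filter is intact but the report is still empty, compare the log username form against the attribute selected by cnid, which is where the Kerberos user@REALM case fails.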
© 2018 APG vNext Commercial Version 5.5