Piotras
New Contributor

LDAP Query

I have configured authentication for FSSO and I want to create a report in FortiAnalyzer for users who belong to a particular group or organizational unit. Theoretically, I could use an LDAP Query; however, nowhere is it described what the benefit of this is. Does anyone know how this works?

FortiGate 5.2
FortiAnalyzer 5.2
FSSO 4.3.0156 - AD access mode: standard

Regards
hzhao_FTNT

Yes, we verified it OK on 5.6.1 release.

hzhao_FTNT
Staff

1. Add and configure an LDAP server in the GUI; please refer to: http://docs.fortinet.com/d/fortianalyzer-5.2.0-administration-guide Page 83
2. More advanced settings for the LDAP server in the CLI, if needed; please refer to: http://docs.fortinet.com/d/fortianalyzer-5.2.0-cli-reference Page 34
3. Enable LDAP query and apply the group filter in the report settings: http://docs.fortinet.com/d/fortianalyzer-5.2.0-administration-guide Page 170
4. Run the report

Regards,
hz
Piotras
New Contributor

That's what I did, but it didn't work. I ran a sniffer on the FAZ, and when I run the report I don't see any traffic to Active Directory.

config system admin ldap
    edit "Test"
        set server "10.48.7.100"
        set cnid "cn"
        set dn "DC=domena,DC=wew"
        set type regular
        set username "CN=sc_FG,OU=Fortigate,OU=Systemy,DC=domena,DC=wew"
        set password ENC *
        set adom "all_adoms"
    next
end
hzhao_FTNT

Hi Piotras,

1. Please check if you can query the distinguished name in the GUI.
2. Please check the LDAP server config again under the CLI:

    conf sys admin ldap
        edit test
            get

   If filter and attributes are none, please set a proper value according to your LDAP server config, for example:

            set filter (|(objectclass=person)(objectclass=user))
            set attributes member,uniquemember
        end

3. Please disable case change; this feature is not functional because of a bug.

Regards,
hz
Piotras
New Contributor

Ad. 1 I can query the distinguished name from the GUI.

Ad. 2 This is the LDAP configuration from the CLI:

(Test)# get
name                : Test
server              : 10.48.7.100
cnid                : cn
dn                  : DC=domain,DC=local
port                : 389
type                : regular
username            : *
password            : *
group               : (null)
filter              : (|(objectclass=person)(objectclass=user))
attributes          : member,uniquemember
secure              : disable
connect-timeout     : 500
adom:
== [ all_adoms ]
adom-name: all_adoms

Ad. 3 I disabled case change, but nothing has changed. Are you sure this functionality works correctly in version 5.2?
hzhao_FTNT

Hi Piotras,

The basic LDAP feature should be working OK in 5.2.0 B618. Could you request a customer ticket and post your ticket number here? We may need to look into your case more closely.

Regards,
hz
xinger
New Contributor III

Did this get resolved?  Can someone post a solution?  Thanks!
hzhao_FTNT

LDAP works OK on FAZ5.2.1 and 5.0.10. 
hz

xinger
New Contributor III

hzhao_FTNT wrote:

LDAP works OK on FAZ5.2.1 and 5.0.10. 
Yes, it works on FAZ 5.2.1!  Thanks!  However, the feature still needs to be documented better (IMHO) and it still has a bug. 
The bug: A packet sniff showed me that the LDAP group query truncated my group name at the first blank.  When my report filter included "Group equal to ABC-XY-Information Technology", my report was empty and the LDAP packet showed only "ABC-XY-Information";  "Technology" had been truncated.  However, it worked when I renamed the group in my directory replacing the blank with a hyphen, and then filtering on "Group equal to ABC-XY-Information-Technology". 
The documentation: I had to use Change Case = Upper because user names are upper case in my Fortinet logs.  And here is what worked in my LDAP configuration (Windows Active Directory environment).

cnid       : cn
dn         : the distinguished name of either the root (dc=xyz,dc=com)
             or the OU where the reporting groups are (ou=mygroups,dc=xyz,dc=com)
group      : (null) worked for me; I didn't experiment with values.
filter     : I couldn't unset filter, but both of the following worked for me:
             (|(objectclass=person)(objectclass=user))
             (&(objectcategory=group)(member=*))
             And seeing that these filter completely different objects,
             I must conclude that this filter setting isn't used for report queries.
attributes : member worked for me. I was unable to unset it.
             I had mixed results when I tried setting it to other values.

hzhao_FTNT

Hi Xinger,
Thanks for your detailed testing. For "Group equal to ABC-XY-Information Technology", could you try:

Group equal to "ABC-XY-Information Technology"

By design, when there is a space, we have to use double quotation in filter.
Regards,

hz
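The two findings in this thread, the group name cut at the first blank unless it is double-quoted, and the member names having to match the upper-cased user field in the logs, as an added illustration that is not Fortinet's code or anything from this thread. The directory entries and log lines are constructed samples; `group_from_filter`, `member_accounts` and `report_rows` are hypothetical names, and the shell-style tokenising only mirrors the behaviour xinger observed, not FortiAnalyzer's real filter parser.

```python
import re
import shlex
# Constructed sample directory: group cn -> member DNs; member DN -> sAMAccountName.
GROUPS = {
    "ABC-XY-Information Technology": ["CN=jsmith,OU=users,DC=xyz,DC=com",
                                      "CN=Anna Kowalska,OU=users,DC=xyz,DC=com"],
    "Guests": ["CN=guest,OU=users,DC=xyz,DC=com"],
}
USERS = {
    "CN=jsmith,OU=users,DC=xyz,DC=com": "jsmith",
    "CN=Anna Kowalska,OU=users,DC=xyz,DC=com": "akowalska",
    "CN=guest,OU=users,DC=xyz,DC=com": "guest",
}
# Constructed FortiGate traffic logs: FSSO user names are logged in upper case.
LOGS = [
    'date=2016-03-01 user="JSMITH" srcip=10.1.1.5 action=accept',
    'date=2016-03-01 user="AKOWALSKA" srcip=10.1.1.6 action=accept',
    'date=2016-03-01 user="GUEST" srcip=10.1.1.7 action=deny',
]

def group_from_filter(expr):
    """Group name from a report filter such as Group equal to "ABC-XY-Information Technology".
    Shell-style tokenising reproduces the pitfall: an unquoted name ends at the first blank."""
    tokens = shlex.split(expr)
    if tokens[:3] != ["Group", "equal", "to"] or len(tokens) < 4:
        raise ValueError("expected: Group equal to <name>")
    return tokens[3]

def ldap_escape(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def member_accounts(group_name, change_case="upper"):
    """The search filter that would fetch the group's 'member' attribute, and the
    member account names normalised as 'Change Case = Upper' does for the logs."""
    search = "(&(objectCategory=group)(cn=%s))" % ldap_escape(group_name)
    dns = GROUPS.get(group_name, [])  # stands in for running `search` against AD
    names = [USERS[dn] for dn in dns if dn in USERS]
    return search, [n.upper() if change_case == "upper" else n for n in names]

def report_rows(filter_expr):
    """Log lines whose user field is a member of the group named in the filter."""
    _, accounts = member_accounts(group_from_filter(filter_expr))
    rows = []
    for line in LOGS:
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
        if fields.get("user", "").strip('"') in accounts:
            rows.append(line)
    return rows
```

With the unquoted filter the lookup is for "ABC-XY-Information", which matches no group, so the report comes back empty exactly as described above; the quoted form returns both members' rows.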
