Support Forum
WWT
New Contributor

LDAP authentication - group membership missing?

We upgraded our Fortigate 200D to firmware v6.0.0 on Tuesday and since then, some users have been unable to connect to the VPN.


In my testing I've found what I think is the cause but haven't been able to fix it. After the upgrade, when some users authenticate to the LDAP server(s) the password check succeeds but no AD group membership information is returned.


For example:


diag test authserver ldap LDAPSERVER username1 password1


gives us:

authenticate 'username1' against 'LDAPSERVER' succeeded!
Group membership(s) - CN=group1,OU=blahblah,DC=contoso,DC=com
                      CN=group2,OU=blahblah,DC=contoso,DC=com
                      etc.


however

diag test authserver ldap LDAPSERVER username2 password2


gives us:

authenticate 'username2' against 'LDAPSERVER' succeeded!


The second user's groups are not displayed, and the second user is given an invalid permissions error when trying to log in to the VPN. These users can be in the same groups and in the OU in Active Directory - it appears to be random as to who is affected.

I will be downgrading back to 5.6.4 if I can't figure this out, but I'd rather get it resolved.


5 REPLIES
Toshi_Esumi
Esteemed Contributor III

6.0.1 release notes has this in resolved issues.

483553   In case there are multiple LDAP search results for the same LDAP search query, LDAP group match fails. But I would just go back to whatever was working before.
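A defender-side check for the condition in that resolved issue, added here as an example and not code from the thread or from Fortinet: it emulates the group match on constructed search results and flags any username whose search returns more than one entry, so a "succeeded but no groups" result can be traced to duplicate accounts rather than to the group mapping. Assumed: the firewall searches on sAMAccountName and reads memberOf; the entries, DNs and the mapping of the 483553 condition to an 'ambiguous' status are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class LdapEntry:
    dn: str
    member_of: list = field(default_factory=list)  # values of the memberOf attribute

def normalize_dn(dn: str) -> str:
    """Comparison key: DNs are case-insensitive and spacing after commas varies."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def match_groups(results, allowed_groups):
    """Emulate the group match for one user and say why it fails.

    results        -- entries the user search returned (assumed filter: sAMAccountName=<user>)
    allowed_groups -- group DNs configured in the firewall's user group
    Returns (status, detail); status is 'ok', 'no-group', 'not-found' or
    'ambiguous' (several entries for one query, the 483553 condition).
    """
    if not results:
        return "not-found", []
    if len(results) > 1:
        return "ambiguous", [e.dn for e in results]
    wanted = {normalize_dn(g) for g in allowed_groups}
    matched = [g for g in results[0].member_of if normalize_dn(g) in wanted]
    return ("ok" if matched else "no-group"), matched

def report(directory, allowed_groups):
    """Status per username, i.e. what the diag output does not explain."""
    return {user: match_groups(entries, allowed_groups)[0]
            for user, entries in directory.items()}

# Constructed sample data: username2 exists twice (a stale duplicate in
# another OU), so a search for username2 returns two entries.
GROUP1 = "CN=group1,OU=blahblah,DC=contoso,DC=com"
GROUP2 = "CN=group2,OU=blahblah,DC=contoso,DC=com"
DIRECTORY = {
    "username1": [LdapEntry("CN=username1,OU=blahblah,DC=contoso,DC=com", [GROUP1, GROUP2])],
    "username2": [LdapEntry("CN=username2,OU=blahblah,DC=contoso,DC=com", [GROUP1]),
                  LdapEntry("CN=username2,OU=Old Users,DC=contoso,DC=com", [GROUP1])],
}
ALLOWED = [GROUP1]  # the firewall user group maps to group1

if __name__ == "__main__":
    for user, status in report(DIRECTORY, ALLOWED).items():
        print(f"{user}: {status}")
```

Running it against a real directory means replacing DIRECTORY with the entries an LDAP search returns for each affected user; an 'ambiguous' status points at the duplicate objects to clean up before the upgrade.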
WWT

Interesting. I guess I'll downgrade for now and wait for 6.0.1 to become available.


Thank you!

Toshi_Esumi
Esteemed Contributor III

It's available now. Otherwise, we can't download the release notes.

WWT

That's even better.  I see it's available for manual download/installation, it just wasn't showing up on the Fortigate itself as an available upgrade. I'll try 6.0.1 tonight, thank you again.

WWT
New Contributor

6.0.1 resolved the issue.
