Nested LDAP Groups for SSL VPN

Author: TEN IT (New Member)
2018/08/08 04:29:11


Hello,

We are running FortiOS 5.6.3.
I am trying to use nested LDAP groups for authentication.
User accounts are members of the LDAP group "GL_SSLVPN".
The global group is a member of the "L_SSLVPN" group.
The "L_SSLVPN" group should be authenticated on the FortiGate.

As described here:
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD37091

the following settings should be made:
config user ldap
edit "example.local"
set group-member-check user-attr
set search-type nested
next
end
 
But the "set search-type nested" value is not available in FortiOS 5.6.
Any idea how to implement nested LDAP groups now, or isn't this possible anymore?
 
Regards 
Thomas
#1
xsilver (Expert Member, EMEA)
Re: Nested LDAP Groups for SSL VPN, 2018/08/08 05:18:23
Best Answer, marked by TEN IT 2018/08/11 02:41:56
Hi,
 
FOS 5.6 has replaced 'search-type nested' with a more flexible group filter.
Use something like the below in the LDAP config:
set group-filter "(|(&(objectclass=group)(member:1.2.840.113556.1.4.1941:=%u))(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%pg)))"
 
Works for me on 5.6.4 build 1575, and should work for you as well.
 
EDIT-2018-09-04: summarized that in KB http://kb.fortinet.com/kb...amp;externalId=FD41657
post edited by xsilver_FTNT - 2018/09/04 00:24:48

Kind Regards,
Tomas
#2
thorn_FTNT (New Member)
Re: Nested LDAP Groups for SSL VPN, 2018/09/03 09:25:34
In 5.6, the nested group search option has been replaced with a group filter string. To support the retrieval of nested group information for the primary group, add a "%pg" token in the group filter along with "%u". So, in order to get the full list of groups a user belongs to, please try the following filter:
 
config user ldap
    edit "AD-LDAP"
        set server ...
        set cnid "cn"
        set dn ...
        set type regular
        set username ...
        set password ...
        set group-filter "(|(&(objectclass=group)(member:1.2.840.113556.1.4.1941:=%u))(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%pg)))"
    next
end
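As an added example (not code from the thread or from Fortinet), the following models what the two branches of the group-filter in posts #1 and #2 return: the LDAP_MATCHING_RULE_IN_CHAIN rule walks the 'member' attribute transitively, once from the user DN (%u) and once from the primary group DN (%pg). The DNs, the small in-memory directory, the RFC 4515 escaping helper and the way the primary group is modeled (no entry in its own 'member' list, which is why the %pg branch exists) are assumptions made for the illustration.

```python
# Added example: models the FortiGate group-filter against a constructed directory.
# The DNs and directory contents are invented; the matching-rule OID is the one
# used in the thread (LDAP_MATCHING_RULE_IN_CHAIN, transitive 'member' match).
GROUP_FILTER = ("(|(&(objectclass=group)(member:1.2.840.113556.1.4.1941:=%u))"
                "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%pg)))")

USER_DN = "CN=Thomas,OU=Users,DC=example,DC=local"
PRIMARY_GROUP_DN = "CN=Domain Users,CN=Users,DC=example,DC=local"

# Constructed directory: group DN -> its direct 'member' values.
# Modeled assumption: the primary group does not list its members in 'member',
# so a chain started from the user DN alone would never reach L_Remote.
DIRECTORY = {
    "CN=L_SSLVPN,OU=Groups,DC=example,DC=local": ["CN=GL_SSLVPN,OU=Groups,DC=example,DC=local"],
    "CN=GL_SSLVPN,OU=Groups,DC=example,DC=local": [USER_DN],
    PRIMARY_GROUP_DN: [],
    "CN=L_Remote,OU=Groups,DC=example,DC=local": [PRIMARY_GROUP_DN],
}

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed into an LDAP filter (a DN here)."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))

def render_filter(user_dn, primary_group_dn):
    """Fill the %u and %pg tokens as a search built from this template would."""
    return (GROUP_FILTER.replace("%u", escape_filter_value(user_dn))
                        .replace("%pg", escape_filter_value(primary_group_dn)))

def groups_in_chain(dn):
    """Groups whose 'member' chain reaches dn: what one :1.2.840.113556.1.4.1941: branch matches."""
    found, frontier = set(), {dn}
    while frontier:  # breadth-first walk up the membership chain; cycle-safe via 'found'
        frontier = {g for g, members in DIRECTORY.items()
                    if g not in found and any(m in frontier for m in members)}
        found |= frontier
    return found

def effective_groups(user_dn, primary_group_dn):
    """Union of both filter branches (the primary group itself is already known from %pg)."""
    return groups_in_chain(user_dn) | groups_in_chain(primary_group_dn)

if __name__ == "__main__":
    print(render_filter(USER_DN, PRIMARY_GROUP_DN))
    for g in sorted(effective_groups(USER_DN, PRIMARY_GROUP_DN)):
        print("matched:", g)
```

Running it shows that L_Remote is matched only through the %pg branch, which is the case the thread's filter was extended to cover.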
#3
xsilver (Expert Member, EMEA)
Re: Nested LDAP Groups for SSL VPN, 2018/09/04 00:23:23
Just to complete that, the nested LDAP change is summarized in a KB article:
http://kb.fortinet.com/kb...amp;externalId=FD41657

Kind Regards,
Tomas
#4
ahualde (New Member)
Re: Nested LDAP Groups for SSL VPN, 2019/10/04 02:41:42
I have the problem in 6.0.5.
The group-filter command that you use, and that appears in the Technical Note (https://kb.fortinet.com/kb/viewContent.do?externalId=FD41657&sliceId=1), is no longer available in my CLI....
I tried to use the group-object-filter command but no luck..

Any idea?
 
#5
ahualde (New Member)
Re: Nested LDAP Groups for SSL VPN, 2019/10/09 02:00:38
Solved.
This unit is managed via FortiManager.
By default in FortiManager the LDAP configuration has group-object-filter configured; since that is there, the group-filter will not be available anymore under the CLI.
We have deleted the group-object-filter from the FortiManager settings and added the filter to the group-filter.
After these changes the group-filter is working and nested groups function as expected.