Nested LDAP Groups for SSL VPN

Author
TEN IT
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/08/08 04:14:57
  • Status: offline
2018/08/08 04:29:11 (permalink) 5.6
0

Nested LDAP Groups for SSL VPN

Hello,
 
we are running on FortiOS 5.6.3.
I am trying to use nested LDAP groups for authentication.
User accounts are members of the LDAP group "GL_SSLVPN".
The global group is a member of the "L_SSLVPN" group.
The "L_SSLVPN" group should be authenticated in FortiGate.

As described here:
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD37091
 
the following settings should be made:
config user ldap
edit "example.local"
set group-member-check user-attr
set search-type nested
next
end
 
But the "set search-type nested" value is not available in FortiOS 5.6.
Any idea how to implement nested LDAP Groups now, or isn't this possible anymore?
 
Regards 
Thomas
#1
xsilver_FTNT
Expert Member
  • Total Posts : 417
  • Scores: 87
  • Reward points: 0
  • Joined: 2015/02/02 03:22:58
  • Status: offline
Re: Nested LDAP Groups for SSL VPN 2018/08/08 05:18:23 (permalink) ☼ Best Answer by TEN IT 2018/08/11 02:41:56
0
Hi,
 
FOS 5.6 has replaced 'search-type nested' with a more flexible group filter.
Use something like below in LDAP config:
set group-filter "(|(&(objectclass=group)(member:1.2.840.113556.1.4.1941:=%u))(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%pg)))"
 
Works for me on 5.6.4 build 1575, and should work for you as well.
 
EDIT-2018-09-04: summarized that in KB http://kb.fortinet.com/kb...amp;externalId=FD41657
post edited by xsilver_FTNT - 2018/09/04 00:24:48

Kind Regards,
Tomas
#2
thorn_FTNT
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/05/21 10:14:37
  • Status: offline
Re: Nested LDAP Groups for SSL VPN 2018/09/03 09:25:34 (permalink)
0
In 5.6, the nested group search option has been replaced with a group filter string. To support the retrieval of nested group information of the primary group, add a "%pg" token in the group filter along with "%u". So, in order to get the full list of groups a user belongs to, please try the following filter:
 
config user ldap
    edit "AD-LDAP"
        set server ...
        set cnid "cn"
        set dn ...
        set type regular
        set username ...
        set password ...
        set group-filter "(|(&(objectclass=group)(member:1.2.840.113556.1.4.1941:=%u))(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%pg)))"
    next
end
#3
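As an added illustration of what the two filters above ask Active Directory to do (this is example code written for this thread, not FortiGate code and not from Fortinet): the FortiGate substitutes the user DN for %u and the user's primary group DN for %pg, and the matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the directory walk the member attribute transitively, which is why groups nested several levels deep (GL_SSLVPN inside L_SSLVPN) are returned. The directory, the DNs and the expand function below are constructed for the example; the real substitution happens in the FortiGate and the real chain matching happens in AD.

```python
"""Simulate the FortiOS 5.6 group-filter used for nested AD groups.

Added example, not FortiGate code. The directory and DNs are constructed.
Real identifiers used: the FortiGate tokens %u / %pg and the AD matching
rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN).
"""

MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# The filter from the thread, unchanged.
GROUP_FILTER = (
    "(|(&(objectclass=group)(member:1.2.840.113556.1.4.1941:=%u))"
    "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%pg)))"
)

# Constructed directory mirroring the poster's layout:
# user -> GL_SSLVPN -> L_SSLVPN (the group bound on the FortiGate).
USER = "CN=Thomas,OU=Users,DC=example,DC=local"
PRIMARY = "CN=Domain Users,CN=Users,DC=example,DC=local"
GL = "CN=GL_SSLVPN,OU=Groups,DC=example,DC=local"
L = "CN=L_SSLVPN,OU=Groups,DC=example,DC=local"
STAFF = "CN=All_Staff,OU=Groups,DC=example,DC=local"
OTHER = "CN=Unrelated,OU=Groups,DC=example,DC=local"

DIRECTORY = {
    USER: {"objectClass": ["user"], "primaryGroupDN": PRIMARY},
    # AD does not list primary-group members in 'member'; that is why %pg exists.
    PRIMARY: {"objectClass": ["group"], "member": []},
    GL: {"objectClass": ["group"], "member": [USER, L]},   # circular nesting on purpose
    L: {"objectClass": ["group"], "member": [GL]},
    STAFF: {"objectClass": ["group"], "member": [PRIMARY]},  # reached only via %pg
    OTHER: {"objectClass": ["group"], "member": []},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def expand_group_filter(template: str, user_dn: str, primary_group_dn: str) -> str:
    """Substitute %u and %pg (assumed to mirror what the FortiGate does before the search)."""
    return template.replace("%u", escape_filter_value(user_dn)).replace(
        "%pg", escape_filter_value(primary_group_dn)
    )


def filter_uses_in_chain(template: str) -> bool:
    """True if the filter relies on the transitive AD matching rule."""
    return f":{MATCHING_RULE_IN_CHAIN}:=" in template


def filter_is_well_formed(expanded: str) -> bool:
    """Cheap sanity check on a hand-typed filter: balanced parens, no leftover tokens."""
    depth = 0
    for ch in expanded:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0 and "%u" not in expanded and "%pg" not in expanded


def _in_chain(directory: dict, start_dn: str, attr: str, target_dn: str) -> bool:
    """Evaluate (attr:1.2.840.113556.1.4.1941:=target_dn) on start_dn: follow attr
    transitively until target_dn appears. The visited set guards against circular nesting."""
    seen, stack = set(), [start_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for member in directory.get(dn, {}).get(attr, []):
            if member == target_dn:
                return True
            stack.append(member)
    return False


def groups_matching_filter(directory: dict, user_dn: str) -> set:
    """Groups the expanded filter selects: member chain contains the user (%u)
    or the user's primary group (%pg)."""
    pg = directory[user_dn]["primaryGroupDN"]
    return {
        dn
        for dn, attrs in directory.items()
        if "group" in (c.lower() for c in attrs.get("objectClass", []))
        and (_in_chain(directory, dn, "member", user_dn)
             or _in_chain(directory, dn, "member", pg))
    }


if __name__ == "__main__":
    print(expand_group_filter(GROUP_FILTER, USER, PRIMARY))
    for dn in sorted(groups_matching_filter(DIRECTORY, USER)):
        print("match:", dn)
```

Running it shows both GL_SSLVPN and L_SSLVPN matched for the user (the circular nesting terminates thanks to the visited set), and All_Staff matched only through the %pg branch; Domain Users itself is not returned because AD does not record primary-group membership in the member attribute, which is exactly the gap the %pg token closes.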
xsilver_FTNT
Expert Member
  • Total Posts : 417
  • Scores: 87
  • Reward points: 0
  • Joined: 2015/02/02 03:22:58
  • Status: offline
Re: Nested LDAP Groups for SSL VPN 2018/09/04 00:23:23 (permalink)
0
Just to complete that, I got the nested LDAP change summarized in a KB article:
http://kb.fortinet.com/kb...amp;externalId=FD41657

Kind Regards,
Tomas
#4