Hot!Issue with Single Sign On

Author
jmckellep
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/12/12 13:52:10
  • Status: offline
2018/12/12 13:54:02 (permalink)
0

Issue with Single Sign On

I am having an issue where an AD group was moved from one OU to another and now the policies that reference that group no longer work. How do I add or edit the distinguished name of my ldap servers so that it includes another OU. Would I create a new ldap server and new single sign on to accomplish this? or could i edit the distinquished name to include 2 OU's? like OU=Name1,OU=Name2? Or can i just alter the distinguished group to just be the whole domain with all OU's?
#1

3 Replies Related Threads

    xsilver_FTNT
    Expert Member
    • Total Posts : 417
    • Scores: 87
    • Reward points: 0
    • Joined: 2015/02/02 03:22:58
    • Status: offline
    Re: Issue with Single Sign On 2018/12/12 23:15:51 (permalink)
    0
    Hi,
    first of all LDAP is a TREE. So moving stuff around is change to the structure.
    If your firewall group points to CN=ADusergroup,OU=unitX,DC=example,DC=com and you move that ADusergroup into OU named unitY then whole path will be changed to CN=ADusergroup,OU=unitY,DC=example,DC=com !!
    And so firewall group bonded to path with unitX will no longer work as it points in wrong direction now.
    As you refer to Single Sign-On I guess we are talking about Fortinet SSO (FSSO).
    Then fix depends on where your FSSO Group Filters are defined.
    - if on FGT (as it might do local polling directly), then change them locally
    - if on standalone Collector Agent, and if FGT has LDAP in FSSO Agent, then change config here as it will push filter to Collector
    - if on standalone Collector and FGT do not have LDAP in FSSO Agent config, then change it on Collector and filter will be pulled from Collector to FGT
    - if on FortiAuthenticator, then change filters there

    Kind Regards,
    Tomas
    #2
    jmckellep
    New Member
    • Total Posts : 2
    • Scores: 0
    • Reward points: 0
    • Joined: 2018/12/12 13:52:10
    • Status: offline
    Re: Issue with Single Sign On 2018/12/13 06:36:22 (permalink)
    0
    Hello. Thanks for the help. But I don't fully understand your answer. Let me show you my scenario.
    Under LDAP Servers I have 1 object. the distinguished name is ou=group1,dc=example,dc=com. 
    Then under single sign-on I have 1 object that polls that ldap server.
     
    The user was moved from ou=group1,dc=example,dc=com to ou=group2,dc=example,dc=com. So because of the way my LDAP Server and SSO is setup, I am unable to change the existing policy so that the user group points to this new group2 because I am only able to choose from a drop down list of objects under the ou=group1 tree.
     
     What I am wondering is if I could alter the existing LDAP server distinguished name to just dc=example,dc=com so that I can access all the groups under the top of the ldap tree, because group2 is on the same level in the tree as group1. Would this work and would it impact my firewall in terms of performance?
     
    Or, could I create a second LDAP server entry where the distinguished name is ou=group2,dc...etc. then create a second single sign-on entry that references this different LDAP server? Will that cause a conflict? Are you allowed to create more than 1 object pointing to the FSSO agent under single sign-on?
     
     
    post edited by jmckellep - 2018/12/13 06:48:25
    #3
    xsilver_FTNT
    Expert Member
    • Total Posts : 417
    • Scores: 87
    • Reward points: 0
    • Joined: 2015/02/02 03:22:58
    • Status: offline
    Re: Issue with Single Sign On 2018/12/17 02:18:08 (permalink)
    0
    Hi,
     
    you probably do have something like this :
    -----------------------------------------------
    config user ldap
    edit "LDAP-SRV"
    set server "10.10.10.69"
    set cnid "cn"
    set dn "ou=group1,dc=example,dc=com"
    set type regular
    set username "cn=administrator,cn=Users,ou=group1,dc=example,dc=com"
    ...
    and then used in FSSO Agent ..
    config user fsso
    edit "FSSO-LDAP-SRV"
    set server "10.10.10.69"
    set ldap-server "LDAP-SRV"
    next
    end
    ...
    and then used in AD groups (those selected from LDAP and Group Filtered on Collector ..
    config user adgrp
    edit "CN=Domain Users,CN=Users,ou=group1,dc=example,dc=com"
    set server-name "FSSO-LDAP-SRV"
    next
    end
    ...
    and then this AD group used in FW group which will be in some policy ...
    config user group
    edit "SSO_Guest_Users"
    next
    edit "Guest-group"
    set member "guest"
    next
    edit "AD_DOMAIN_USERS"
    set group-type fsso-service
    set member "CN=Domain Users,CN=Users,ou=group1,dc=example,dc=com"
    next
     
    So your limitation is in LDAP-SRV config pointing to BaseDN = "ou=group1,dc=example,dc=com", which is not allowing you to see stuff like "ou=group2,dc=example,dc=com".
    If access privileges of the user used for LDAP allows you to see "dc=example,dc=com", then shorten base DN to start search in upper part of the tree.
    If you just moved all users from group1 to group2, then you can also directly change adgrp config part.

    Kind Regards,
    Tomas
    #4
    Jump to:
    © 2019 APG vNext Commercial Version 5.5