Collector Agent LDAP Group Refresh

Author: Raf
2019/04/02 07:09:29

Hi,

Does anyone know how often the Collector Agent synchronises LDAP user/group membership? I can't seem to find any setting/timer for this. Basically I'm wondering how long it will take to be reflected on the FortiGate when a new user is assigned to a given group in AD, assuming the group itself is already in the group filter, sent to the FGT and configured there. Is there a timer for it that can be changed, or is the only option for the user to log out and log in again?

Thanks,
Rafal

#1

2 Replies

    xsilver_FTNT
    Re: Collector Agent LDAP Group Refresh 2019/04/03 02:32:45
    If your scenario is like this:
    1. user logs in to a workstation (WKS)
    2. user is not seen in FSSO
    3. user was not a member, but now has been added as a member of an AD group which is in the Group Filter
    4. user is still not in the FSSO user list

    Then it is expected, as at the user's logon he was not part of any monitored AD group. Simply adding the user to the group will not get the user re-evaluated, because his logon event was already processed.
    And so the user will not be seen in FSSO, by design, until he performs an authenticated action like logoff/login or accessing a network folder somewhere on the domain, which is also an authenticated action.

    In case the user's group membership changes, e.g. he was part of monitored group A and was moved to group B but has not performed any authenticated action, his membership from the FSSO and therefore FGT standpoint is still group A.
    If he performs an authenticated action, then his membership will be re-evaluated if there is no group cache set.
    If he does not perform any authenticated action, then his group membership will not be re-evaluated unless you set the "grouplookupinterval" config key in the registry where the Collector Agent runs.
     

    Kind Regards,
    Tomas
    #2
    Raf
    Re: Collector Agent LDAP Group Refresh 2019/04/03 08:34:32
    Actually, once you mentioned group lookup, I found it in the advanced settings and it worked exactly as expected. When set, for example, to 5 minutes, it will update group membership every 5 minutes, even without the user logging out and back in.
    Thanks for your help
    #3
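The behaviour described in the two replies above, as an added model that is not part of the original thread and not Fortinet's code: a logon event captures the user's monitored groups once, a later AD change is invisible until the next authenticated action, and a configured group lookup interval re-evaluates logged-on users periodically. The directory contents, user name, group names and the 300-second interval are constructed sample data; the registry key and its exact semantics are as stated in the thread, and how the real agent treats a user who no longer matches any monitored group is a modelling assumption marked in the code.

```python
"""Toy model of how an FSSO Collector Agent learns group membership.

Added example, not Fortinet code: it models the behaviour described in the
replies above (membership is captured when a logon event is processed, and
re-evaluated only on a new authenticated action or when a group lookup
interval is configured). All names and data below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class ToyCollectorAgent:
    directory: dict                  # stand-in for AD: user -> set of group names
    group_filter: set                # the Group Filter: groups forwarded to the FortiGate
    group_lookup_interval: int = 0   # seconds; 0 models "no grouplookupinterval set"
    fsso_users: dict = field(default_factory=dict)   # what the FGT sees: user -> monitored groups
    logged_on: set = field(default_factory=set)
    clock: int = 0
    last_lookup: int = 0

    def _evaluate(self, user):
        """Intersect the user's current AD groups with the Group Filter."""
        groups = self.directory.get(user, set()) & self.group_filter
        if groups:
            self.fsso_users[user] = set(groups)
        else:
            # Model assumption: a user matching no monitored group is absent from the FSSO list.
            self.fsso_users.pop(user, None)
        return groups

    def logon(self, user):
        """A DC logon event: membership is evaluated once, here."""
        self.logged_on.add(user)
        self._evaluate(user)

    def authenticated_action(self, user):
        """Logoff/login or opening a domain share: a new event, so a fresh evaluation."""
        if user in self.logged_on:
            self._evaluate(user)

    def change_membership(self, user, groups):
        """AD-side change only; the agent notices nothing until an event or a lookup."""
        self.directory[user] = set(groups)

    def advance(self, seconds):
        """Let time pass; run the periodic group lookup if one is configured and due."""
        self.clock += seconds
        if self.group_lookup_interval and self.clock - self.last_lookup >= self.group_lookup_interval:
            self.last_lookup = self.clock
            for user in list(self.logged_on):
                self._evaluate(user)

    def groups_on_fgt(self, user):
        """The group set the FortiGate currently holds for the user (None if absent)."""
        return self.fsso_users.get(user)


def run_scenario(lookup_interval=0):
    """Replay the situations from the thread and record what the FGT sees at each step."""
    agent = ToyCollectorAgent(
        directory={"rafal": {"Domain Users"}},            # constructed sample data
        group_filter={"FSSO-Group-A", "FSSO-Group-B"},
        group_lookup_interval=lookup_interval,
    )
    seen = {}
    agent.logon("rafal")
    seen["after_logon"] = agent.groups_on_fgt("rafal")          # not in any monitored group
    agent.change_membership("rafal", {"Domain Users", "FSSO-Group-A"})
    seen["after_add_to_A"] = agent.groups_on_fgt("rafal")       # logon already processed: unchanged
    agent.authenticated_action("rafal")
    seen["after_auth_action"] = agent.groups_on_fgt("rafal")    # re-evaluated: now group A
    agent.change_membership("rafal", {"Domain Users", "FSSO-Group-B"})
    seen["after_move_to_B"] = agent.groups_on_fgt("rafal")      # still A until something re-evaluates
    agent.advance(300)
    seen["after_5_min"] = agent.groups_on_fgt("rafal")          # B only if a lookup interval is set
    agent.change_membership("rafal", {"Domain Users"})          # removed from every monitored group
    agent.advance(300)
    seen["after_removal_5_min"] = agent.groups_on_fgt("rafal")  # stale group keeps access without lookup
    return seen


if __name__ == "__main__":
    for interval in (0, 300):
        print(f"grouplookupinterval={interval}s:", run_scenario(interval))
```

The last two steps are the ones worth checking in a real deployment: without a lookup interval, removing a user from a monitored group does not change what the FortiGate holds for that user until the user's next authenticated action, so policy based on that group keeps matching in the meantime. The interval closes that window at the cost of one directory lookup per logged-on user per interval, which is the trade-off to weigh when choosing a value like the 5 minutes mentioned above.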