Policy not working on connected Zentyal LDAP server

Author: mikaellorenzo12
2019/09/23 00:50:19

We have already connected the AD of the Zentyal server using LDAP, but the policy is not working for the users. We use the FSSO client for the connection, but the FSSO client can't see the logged-on users.

Can someone help me? Thanks!
#1


    xsilver
    Re: Policy not working on connected Zentyal LDAP server 2019/09/23 02:06:30
    Hi,
    how about some more complete config overview or config snippets?
    It's completely unclear if your policy is a normal firewall or explicit proxy policy, if the group you have mentioned is LDAP or FSSO type, and also what is supposed to be authenticated with that group.

    If it's FSSO, then you need a connection first to get authenticated somewhere where the SSO Agent or Collector can spot and process the logon, create the respective FSSO user record on the collector and push it to the connected FortiGates.
    So if the group is FSSO, then you should have users in 'diag debug auth fsso list' and as fsso type in 'diag fire auth list'. If you do not have FSSO users, then there is a problem in the SSO setup.

    If you use those groups in any active auth for VPN or WLC, then those cannot be SSO.

    Kind Regards,
    Tomas
    #2
    mikaellorenzo12
    Re: Policy not working on connected Zentyal LDAP server 2019/09/24 00:45:30

    I can see my DC, so my FortiGate and AD server are connected, but I can't see who is logged on. All I did in my FortiGate is the LDAP connection, and I followed all the tutorials online; I don't know why I can't see the users who logged in.

    #3
    xsilver
    Re: Policy not working on connected Zentyal LDAP server 2019/09/24 06:55:18
    If you do have just one DC, 192.168.3.13, then I would guess that you do not audit successful logons on the DC.
    If you do have more than this one DC 192.168.3.13 handling your domain and you run in DCAgent mode, as the presence of the agent suggests, then you need DCAgents installed on all the DC servers.
    If you do 'ping -4 -n 2 %logonserver:~2%' from your workstation, then you should see the IP of the DC used by the workstation for login verification. So if you do see 192.168.3.13, then the logon server was chosen OK and you should also see user logon data in the Windows Security Event log. If you do not see any logon event, then audit is disabled.
     

    Kind Regards,
    Tomas
    #4
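    Added example, not part of the thread: a PowerShell version of the checks Tomas lists in #4 (which DC verified the workstation's logon, whether successful-logon auditing is enabled there, and whether logon events actually land in that DC's Security log). It assumes a domain-joined Windows workstation, WinRM access to the DC and rights to read its Security log remotely, and uses event ID 4624 (successful logon), which the thread itself does not name; on a Samba-based DC such as Zentyal these Windows-specific checks do not apply.

```powershell
# Added example (not from the thread). Assumes: domain-joined Windows
# workstation, WinRM enabled on the DC, and rights to read its Security log.

# 1. Which DC verified this workstation's logon?
#    %LOGONSERVER% is "\\DCNAME"; TrimStart does what ":~2" does in cmd.
$logonServer = $env:LOGONSERVER.TrimStart('\')
$dcIp = ([System.Net.Dns]::GetHostAddresses($logonServer) |
         Where-Object AddressFamily -eq 'InterNetwork')[0].IPAddressToString
Write-Host "Logon server: $logonServer ($dcIp)"
Test-Connection -ComputerName $dcIp -Count 2 | Format-Table -AutoSize

# 2. Is successful-logon auditing enabled on that DC?
#    'auditpol /r' prints CSV; 'Inclusion Setting' is e.g. "Success",
#    "Success and Failure" or "No Auditing".
$audit = Invoke-Command -ComputerName $logonServer -ScriptBlock {
    auditpol /get /subcategory:"Logon" /r | Where-Object { $_ } | ConvertFrom-Csv
}
$audit | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize
if ($audit.'Inclusion Setting' -notmatch 'Success') {
    Write-Warning "Successful logons are not audited on $logonServer; FSSO has no events to read."
}

# 3. Recent successful logons (event ID 4624) the collector could have seen.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -ComputerName $logonServer -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = $since
} -MaxEvents 20 -ErrorAction SilentlyContinue |
  ForEach-Object {
      # Property indices follow the 4624 event schema:
      # 5 = TargetUserName, 6 = TargetDomainName, 8 = LogonType, 18 = IpAddress.
      [pscustomobject]@{
          Time      = $_.TimeCreated
          User      = "$($_.Properties[6].Value)\$($_.Properties[5].Value)"
          LogonType = $_.Properties[8].Value
          SourceIp  = $_.Properties[18].Value
      }
  } | Format-Table -AutoSize
```

    If step 3 lists nothing while users are clearly logging in, auditing (step 2) or the choice of logon server (step 1) is the problem, not the FortiGate side.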
    mikaellorenzo12
    Re: Policy not working on connected Zentyal LDAP server 2019/09/24 17:42:38
    I have 2 DCs, but I turned off the other DC, so I'm working with 1 DC now, and I can ping my logon server using the command you gave. BTW, I'm using Zentyal, a Linux-based server, so I think I can't install DCAgent on my DC.
    #5
    xsilver
    Re: Policy not working on connected Zentyal LDAP server 2019/09/25 00:07:08
    Wait a sec, that Zentyal is somehow emulating/doing the DC job?
    If that is your domain controller, not a Microsoft Server, then I guess it also does not generate the correct/expected logon events, and so we have nothing to work with in FSSO.
    FSSO in polling or DCAgent mode is built to work with Microsoft Servers, and the list of compatible ones is part of the FortiOS Release Notes compatibility/interoperability section. Anything else might work but is not a tested, guaranteed or supported solution.

    Kind Regards,
    Tomas
    #6