LDAP, recursion, AD Groups and buffers? (AD Fabric Connector)

Author
Jond
2020/09/07 03:55:18


Hi there,
 
A colleague decided that structuring Active Directory Groups was his contribution to life's richness.
 
On some users, when recursion is enabled, I get a list of 100's of groups.
 
My question is... could this cause issues with the FSSO fabric connector?  I'm getting some inconsistency with authentication which seems to go away without recursion.
 
Any thoughts?
 
Cheers

Jon
 

    xsilver
    Re: LDAP, recursion, AD Groups and buffers? (AD Fabric Connector) 2020/09/10 03:15:54
    Hi Jon,
    Thanks for "his contribution to life's richness", it made my day, still smiling a bit.
     
    Yes, too many groups might bring you troubles with authd/fssod (FSSO).
     
    Therefore I would strongly suggest using Group Filters for every FSSO setup, and not just for situations where someone's colleague got over-creative with group amounts or naming.
    This way your FortiGate (FGT hereinafter) will get a list of just the user groups truly and intentionally used in FSSO and firewall policies, not just everything, including system groups like "CN=FAC OPERATORS" :-D
     
    If you set your FGT and FSSO connector with LDAP, then choose just the groups you are interested in, and your Collector is a standalone one, then during the connection to this Collector the FGT will push its group filter, specific to this FGT, to the Collector's Group Filter. And you might be fine.
    It might be desirable to set the FSSO connector without LDAP on the FGT, so that the Group Filter (either a specific one for this particular FGT, or the Global one) will govern which groups are pulled from the Collector to the FGT.
    Either way they are gathered or set, those will appear in the CLI as records under 'config user adgrp'.
    They can then be used in firewall user groups for later use in firewall policies.
     
    With FortiAuthenticator (FAC hereinafter) as Collector Agent, there is a difference: groups are always pulled from FAC to FGT. So having LDAP in the FSSO connector towards FAC is useless.
     

    Kind Regards,
    Tomas
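An added example, not code from either poster or from Fortinet: a small Python model of what "recursion" does to a user's group list when AD groups are deeply nested (including a nesting cycle, which AD permits), and what a group filter like the one Tomas describes leaves behind. The domain, the 300-deep Project-NNN chain, the "CN=FAC OPERATORS" system group and the filter list are all constructed sample data.

```python
from collections import deque

BASE = "OU=Groups,DC=example,DC=com"  # constructed sample domain, not a real one

def project_dn(i):
    """DN of the i-th constructed nested project group."""
    return f"CN=Project-{i:03d},{BASE}"

def build_sample_member_of(depth=300):
    """Constructed nesting (group -> groups it is a member of): Project-000 sits in
    Project-001, that in Project-002, ... up to Project-<depth>, which is nested back
    into Project-000 (a cycle AD permits). Project-000 is also in an unused system group."""
    member_of = {}
    for i in range(depth):
        member_of.setdefault(project_dn(i), set()).add(project_dn(i + 1))
    member_of.setdefault(project_dn(depth), set()).add(project_dn(0))
    member_of[project_dn(0)].add("CN=FAC OPERATORS,CN=Users,DC=example,DC=com")
    return member_of

def expand_groups(direct_groups, member_of):
    """What 'recursion' does: the transitive closure of memberOf, cycle-safe."""
    seen, queue = set(), deque(direct_groups)
    while queue:
        group = queue.popleft()
        if group in seen:
            continue  # already expanded; this check is what stops the cycle
        seen.add(group)
        queue.extend(member_of.get(group, ()))
    return seen

def apply_group_filter(groups, group_filter):
    """Keep only groups named in the filter (DN comparison is case-insensitive)."""
    wanted = {dn.lower() for dn in group_filter}
    return {dn for dn in groups if dn.lower() in wanted}

# Constructed filter: just the groups actually referenced in firewall policies.
GROUP_FILTER = [project_dn(150), f"CN=VPN-Users,{BASE}"]

def demo():
    """Return (number of groups recursion produces, groups left after the filter)."""
    everything = expand_groups({project_dn(0)}, build_sample_member_of())
    return len(everything), sorted(apply_group_filter(everything, GROUP_FILTER))

if __name__ == "__main__":
    total, kept = demo()
    print(f"recursion yields {total} groups; the group filter keeps {kept}")
```

With the filter in place the FGT only has to track the handful of groups that firewall policies actually reference, which is the point of Tomas's advice; the unfiltered list is what grows into the hundreds.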