Re: LDAP, recursion, AD Groups and buffers? (AD Fabric Connector)
Thanks for "his contribution to life's richness", it made my day, still smiling a bit.
Yes, too many groups might bring you trouble with authd/fssod (FSSO).
Therefore I would strongly suggest using Group Filters for every FSSO setup, and not just for situations where someone's colleague got over-creative with the number or naming of groups.
This way your FortiGate (FGT hereinafter) will get a list of just the user groups truly and intentionally used in FSSO and firewall policies.
Not just everything, even system groups like "CN=FAC OPERATORS" :-D
If you set up your FGT and FSSO connector with LDAP, then choose just the groups you are interested in, and your Collector is a standalone one, then during connection to this Collector the FGT will push a group filter, specific to this FGT, to the Collector's Group Filter. And you might be fine.
It might be desirable to set up the FSSO connector without LDAP on the FGT, and so the Group Filter (either the specific one for this particular FGT, or the Global one) will govern which groups will be pulled from the Collector to the FGT.
However they are gathered or set, those will appear in the CLI as records under 'config user adgrp'.
And they can then be used in firewall user groups for later use in firewall policies.
With FortiAuthenticator (FAC hereinafter) as Collector Agent, there is a difference in that groups are always pulled from FAC to the FGT. So having LDAP in the FSSO connector towards FAC is useless.
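As an added example (not part of the reply above, and not Fortinet's own documentation), this is what the chain described in that reply looks like in FortiOS CLI: an FSSO connector towards a standalone Collector, the received group under 'config user adgrp', a firewall user group of type fsso-service wrapping it, and a policy using that group. The Collector address 10.0.0.5, the connector name "fsso-collector", the group DN and the interface names are placeholders I made up for illustration.

```fortios
# Added example; Collector IP, connector name, DN and interface names are placeholders.

# FSSO connector towards a standalone Collector Agent. No 'set ldap-server' here,
# so the Collector's Group Filter (FGT-specific or Global) decides which groups
# this FGT receives, as the reply above describes.
config user fsso
    edit "fsso-collector"
        set server "10.0.0.5"
        set password "<collector-password>"
    next
end

# Groups received from the Collector appear here automatically; the entry is
# shown only so you can see the shape. With a Group Filter in place this list
# stays short; without one it holds every group the Collector saw, including
# system groups.
config user adgrp
    edit "CN=VPN-Users,OU=Groups,DC=example,DC=local"
        set server-name "fsso-collector"
    next
end

# Wrap the AD group in a firewall user group of type fsso-service...
config user group
    edit "FSSO-VPN-Users"
        set group-type fsso-service
        set member "CN=VPN-Users,OU=Groups,DC=example,DC=local"
    next
end

# ...and reference that user group in a firewall policy.
config firewall policy
    edit 10
        set name "fsso-vpn-users-to-internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "FSSO-VPN-Users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

With FAC as the Collector the first block would point at the FAC instead, but the 'config user adgrp', 'config user group' and policy parts are the same, since the groups are pulled from FAC to the FGT either way. A quick check that the filter is doing its job is to compare the number of entries under 'config user adgrp' with the number of groups you actually reference in 'config user group'; a large gap means the Collector is still handing over groups nothing on the FGT uses.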