Re: username-case-sensitivity global
LDAP is case insensitive.
RADIUS can be made case insensitive per defined server:
config user radius
set username-case-sensitive disable
Local users on FortiOS are, as on any Unix system, case sensitive by default.
Therefore, if you do have local users like the "r1" local user in the mentioned KB, where the user type is radius or ldap:
- if the user is just of ldap type, then it makes no sense to have him as a local user. I would suggest setting the LDAP server as a member of the user group instead of such users, so the FortiGate asks the LDAP server directly, which is case insensitive.
- if that user is of radius type, then as stated above you have the option to make RADIUS requests case insensitive per server config. Again, having the users local on the FortiGate will make them case sensitive, so add that server as a member of the user group instead of the users, and if you need those users to be case insensitive, apply the server setting mentioned in the intro.
- if that user is of either type ldap or radius, and has two-factor set (because some sort of 2FA (token) is provided and 2FA authentication is required), then this user gains the ability to 'set username-case-sensitivity'. On a per-user basis only. There is no global setting AFAIK.
REASONS - USUAL MISCONFIG
Some admins have a user group used in a VPN or policy whose members include such locally defined users, usually with two-factor set. BUT they sometimes include the LDAP/RADIUS server there as an additional member, with the idea that those users without a token will authenticate via the LDAP member, and those with a token will be forced to use it because they are members individually, simply because local users have precedence.
Wrong. If the local user is defined as "tester" but the user types "Tester" or "teSter" as his username, then he will NOT match the local user, but as there is the mentioned LDAP fallback, for example, which is case insensitive, the user will authenticate just fine against the server itself, actually avoiding any 2FA usage!
That's what the admin probably does not want to happen.
- never ever combine locally defined remote (type ldap/radius) users with remote servers in one group
- unless you truly know what you are doing and all the implications, never ever "set all-usergroup enable" under the RADIUS server
- if you desperately need to have users and a server mixed in one group and cannot avoid it, then "set username-case-sensitivity disable" to enhance the ability of FortiOS to match the local user no matter the letter case of the login name
CLI and crazy?
Why don't you use any reasonable text editor? Even something like Microsoft's Notepad has find+replace.
show user local | grep "type ldap" -f
Copy from the SSH console to the text editor.
As it is unimportant where you set it, then find
set type ldap
and replace it with
set type ldap
set username-case-sensitivity disable
simply to add one line.
Apply to all suitable users.
You can remove any other lines, to prevent token re-provisioning for example.
Copy the enhanced text from the editor back to the SSH console to overwrite the actually existing users with the enhanced set.
A quick jig for a few minutes, I guess.
Tom xSilver, planet Earth, over and out!
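The find+replace jig from the post, done as a small script instead of an editor, as an added example that is not part of the original post and not Fortinet code. It walks a `show user local` dump, and inside every `edit "..."` ... `next` block it adds `set username-case-sensitivity disable` right after the `set type ldap` / `set type radius` line. By default it only touches users that also have `set two-factor`, since the post says the option is only available to such users (assumption: a `set two-factor` value other than `disable` means 2FA is on; FortiOS omits the default `disable` from `show` output). It skips users that already have the line, so it is safe to run twice, and `drop_prefixes` lets you strip lines you do not want re-applied (which lines those are is setup-specific; the post only mentions token re-provisioning). The sample dump below is constructed for the example, not real device output.

```python
import re

# Constructed sample of what `show user local` might print. Not real device output.
SAMPLE_DUMP = """config user local
    edit "tester"
        set type ldap
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000001"
        set ldap-server "LDAP1"
    next
    edit "alice"
        set type radius
        set radius-server "RADIUS1"
    next
    edit "bob"
        set type password
        set passwd ENC xxxxxxxx
    next
    edit "carol"
        set type radius
        set two-factor email
        set email-to "carol@example.com"
        set radius-server "RADIUS1"
        set username-case-sensitivity disable
    next
end
"""

CASE_LINE = "set username-case-sensitivity disable"
REMOTE_TYPES = {"ldap", "radius"}          # user types that talk to a remote server
EDIT_RE = re.compile(r'^\s*edit\s+"(?P<name>[^"]*)"\s*$')
TYPE_RE = re.compile(r'^(?P<indent>\s*)set type (?P<type>\S+)\s*$')
TWOFA_RE = re.compile(r'^\s*set two-factor\s+(?P<mode>\S+)\s*$')


def _rewrite_block(lines, require_two_factor, drop_prefixes):
    """Return (new_lines, changed) for the body of one edit/next block."""
    user_type, two_factor, has_case = None, False, False
    for line in lines:                     # pass 1: what kind of user is this?
        m = TYPE_RE.match(line)
        if m:
            user_type = m.group("type")
        m = TWOFA_RE.match(line)
        if m:
            # assumption: anything but "disable" means a 2FA method is configured
            two_factor = m.group("mode") != "disable"
        if line.strip() == CASE_LINE:
            has_case = True
    qualifies = user_type in REMOTE_TYPES and (two_factor or not require_two_factor)
    insert = qualifies and not has_case

    out, changed = [], False
    for line in lines:                     # pass 2: emit, drop, and insert
        if any(line.strip().startswith(p) for p in drop_prefixes):
            continue
        out.append(line)
        m = TYPE_RE.match(line)
        if m and insert:                   # the post: add the line right after "set type ..."
            out.append(m.group("indent") + CASE_LINE)
            changed = True
    return out, changed


def add_case_insensitivity(dump, require_two_factor=True, drop_prefixes=()):
    """Rewrite a `show user local` dump; return (new_dump, names_of_changed_users)."""
    out, changed, block, name = [], [], None, None
    for line in dump.splitlines():
        m = EDIT_RE.match(line)
        if m and block is None:            # start of a user block
            block, name = [], m.group("name")
            out.append(line)
        elif block is not None and line.strip() == "next":   # end of a user block
            new_lines, did_change = _rewrite_block(block, require_two_factor, drop_prefixes)
            out.extend(new_lines)
            out.append(line)
            if did_change:
                changed.append(name)
            block = name = None
        elif block is not None:
            block.append(line)
        else:                              # "config user local" / "end" lines
            out.append(line)
    return "\n".join(out) + ("\n" if dump.endswith("\n") else ""), changed


if __name__ == "__main__":
    fixed, users = add_case_insensitivity(SAMPLE_DUMP)
    print("changed users:", users)
    print(fixed)
```

Paste the printed config back into the CLI as the post describes. Only "tester" is changed in the sample: "alice" has no two-factor, "bob" is a password user, and "carol" already has the line.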