username-case-sensitivity global

Author
Basti
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2021/06/23 06:16:38
  • Status: offline
2021/06/23 06:20:28 (permalink)
0

username-case-sensitivity global

Hello, is it possible to disable remote LDAP username case sensitivity globally?
 
https://kb.fortinet.com/kb/documentLink.do?externalID=FD50400
 
We have a lot of users, and disabling it for every user via CLI is really crazy....
 
thanks in advance
#1

2 Replies

    srajeswaran_FTNT
    New Member
    • Total Posts : 10
    • Scores: 2
    • Reward points: 0
    • Joined: 2020/11/09 03:25:49
    • Status: offline
    Re: username-case-sensitivity global 2021/06/23 23:24:52 (permalink)
    0
    You may use some scripts to disable the option for all users, or use a text editor to edit the config file, add the additional line and then apply it.

    Regards,
    Suraj
    #2
    xsilver_FTNT
    Expert Member
    • Total Posts : 606
    • Scores: 163
    • Reward points: 0
    • Joined: 2015/02/02 03:22:58
    • Location: EMEA
    • Status: offline
    Re: username-case-sensitivity global 2021/06/24 12:53:22 (permalink)
    0
    Short intro:
    -------------
    LDAP is case insensitive.
     
    RADIUS can be made case insensitive per defined server ..
    config user radius
    edit <RADIUS-SERVER-NAME>
    set username-case-sensitive disable
    end
     
    LOCAL users on FortiOS are by default, as in any unix system, case sensitive.
     
    Therefore, if you do have local users, like that "r1" local user in the mentioned KB, where the user type is radius or ldap, then ..
    - if the user is just ldap type, then it makes no sense to have him as local. I would suggest setting the ldap server as a member of the user group instead of such users. So FortiGate will ask the LDAP server directly, which is case insensitive.
    - if that user is type radius, then as stated above you have the option to make RADIUS requests case insensitive per server config. Again, having users local on FortiGate will make them case sensitive, so add that server as a member to the user group instead of the users, and if you need to have those users case insensitive then apply the server setting mentioned in the intro.
    - if that user is of type ldap or radius and has two-factor set (because some sort of 2FA (token) is provided and 2FA authentication is required), then this user gains the ability to 'set username-case-sensitivity'. On a per-user basis only. There is no global setting AFAIK.


    REASONS - USUAL MISCONFIG
    -----------------------------------
    Some admins do have a user group used in VPN or policy set with members including such locally defined users, usually with two-factor set. BUT they sometimes include the LDAP/RADIUS server there as an additional member, with the idea that those users without a token will authenticate via the LDAP member, and those with a token will be forced to use it because they are members individually, simply because local users have precedence.
    Wrong. If the local user is defined as "tester" but the user types "Tester" or "teSter" as his username, then he will NOT match the local user, but as there is the mentioned fallback LDAP for example, which is case insensitive, the user will authenticate just fine against the server itself. Actually avoiding any 2FA usage!
    That's what the admin probably does not want to happen.
     
    Solutions:
    -----------
    - never ever combine locally defined remote (type ldap/radius) users with remote servers in one group
    - unless you truly know what you are doing and all the implications, never ever "set all-usergroup enabled" under the radius server
    - if you desperately need to have users and server mixed in one group and cannot avoid it, then "set username-case-sensitivity disable" to enhance the ability of FortiOS to match the local user no matter the letter case of the login name
     
    CLI and crazy?
    ----------------
    Why don't you use any reasonable text editor? Even something like Microsoft's Notepad has find+replace.
    So ..
    show user local | grep "type ldap" -f
    copy from the SSH console to the text editor
    as it is unimportant where you set it, then ..
    search for
    "
    set type ldap
    "
    and replace it with
    "
    set type ldap
    set username-case-sensitivity disable
    "
    simply to add one line
    apply to all suitable users
    you can remove any other lines .. to prevent token re-provisioning for example
    copy the enhanced text from the editor back to the SSH console to overwrite the actually existing users with the enhanced set.
    done
    a quick jig for a few minutes, I guess

    Tom xSilver, planet Earth, over and out!
    #3
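An added example, not code from the thread or from Fortinet: a small Python script that does what the two replies above describe by hand. It parses a `show user local` / `show user group` / `show user ldap` / `show user radius` dump (the nested config/edit/set/next/end layout is assumed from the snippets in the thread; the input below is constructed, not a real device dump), flags groups that mix locally defined ldap/radius users with a server as direct member (the misconfig in the "REASONS" section), and emits the minimal CLI that adds only `set username-case-sensitivity disable` to each such user, so no other attribute such as a token is re-applied. Whether a given FortiOS build accepts the setting for a particular user (the reply notes it appears with two-factor set) is not checked here.

```python
"""Audit a FortiOS config dump for the case-sensitivity pitfall and emit the minimal fix.

Assumptions (labelled): the 'show' output layout is config/edit/set/next/end as in
the thread; SAMPLE_CONFIG is constructed sample input, not from a real FortiGate.
"""
import shlex
from collections import defaultdict

SAMPLE_CONFIG = """\
config user local
    edit "tester"
        set type ldap
        set two-factor fortitoken
        set fortitoken "FTK-PLACEHOLDER"
        set ldap-server "ldap-srv"
    next
    edit "bob"
        set type radius
        set radius-server "rad-srv"
    next
    edit "alice"
        set type password
        set passwd ENC PLACEHOLDER
    next
end
config user ldap
    edit "ldap-srv"
        set server "192.0.2.10"
    next
end
config user radius
    edit "rad-srv"
        set server "192.0.2.11"
    next
end
config user group
    edit "vpn-users"
        set member "tester" "ldap-srv"
    next
    edit "staff"
        set member "alice" "bob"
    next
end
"""


def parse_fortios(text):
    """Parse 'config X / edit "name" / set key values / next / end' into nested dicts."""
    sections = defaultdict(dict)
    section, entry = None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())  # handles the quoted names/values
        if not tokens:
            continue
        head = tokens[0]
        if head == "config":
            section = " ".join(tokens[1:])          # e.g. "user local"
        elif head == "edit" and section is not None:
            entry = tokens[1]
            sections[section][entry] = {}
        elif head == "set" and entry is not None:
            sections[section][entry][tokens[1]] = tokens[2:]
        elif head == "next":
            entry = None
        elif head == "end":
            section = None
    return sections


def remote_local_users(sections):
    """Locally defined users of type ldap/radius: matched case-sensitively by FortiOS."""
    return sorted(name for name, attrs in sections.get("user local", {}).items()
                  if attrs.get("type", [None])[0] in ("ldap", "radius"))


def mixed_groups(sections):
    """Groups that hold such a user AND an LDAP/RADIUS server as direct member.

    A wrong-case login misses the local user and falls through to the server,
    bypassing the per-user two-factor requirement."""
    servers = set(sections.get("user ldap", {})) | set(sections.get("user radius", {}))
    risky = set(remote_local_users(sections))
    return sorted(group for group, attrs in sections.get("user group", {}).items()
                  if set(attrs.get("member", [])) & servers
                  and set(attrs.get("member", [])) & risky)


def remediation_cli(sections):
    """Minimal CLI: only the one new setting per user, nothing else re-applied."""
    users = remote_local_users(sections)
    if not users:
        return ""
    lines = ["config user local"]
    for name in users:
        lines += [f'    edit "{name}"',
                  "        set username-case-sensitivity disable",
                  "    next"]
    lines.append("end")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("groups mixing local remote-type users with a server:", mixed_groups(cfg))
    print(remediation_cli(cfg))
```

Feed it the real dump instead of `SAMPLE_CONFIG`, review the flagged groups first, and paste the generated block into the SSH console only after checking that every listed user is one you intend to change.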