By Manny Fernandez
February 23, 2021
Querying Nested LDAP Groups on the FortiGate
Use case: When dealing with LDAP queries, sometimes you have issues with nested groups. That is, you have a group called Full Access and inside that group you add Domain Admins. You could run into a situation where the query does not see the username manny_admin in the Full Access group, even though manny_admin is a member of Domain Admins.
Let's assume you have already configured LDAP for your authentication. If not, I have plenty of articles with different options.
config user ldap
    edit "DC01"
        set server "10.1.1.11"
        set cnid "sAMAccountName"
        set dn "dc=myinfoseclab,dc=com"
        set type regular
        set username "ldapsvc@myinfoseclab.com"
        set password ENC MTAwNIqIwCqnqXcuPuFods/e/E2cEqGBCXUCqLRQqcttZT7vwN78EaITXO/HPDMd7oLBC4Ae1E2cEqGBCXUCqLRQqcga4pHp3vP1skMZlFbZGLKMnVrbqNTz+p4/baVS4u5qjKHT3pJy6YftjQrsqis6wDGxL88vLtPXX75V6wlW2AQvUSAZO71gljG7h5zg==
    next
    edit "DC02"
        set server "10.1.1.12"
        set cnid "sAMAccountName"
        set dn "dc=myinfoseclab,dc=com"
        set type regular
        set username "ldapsvc@myinfoseclab.com"
        set password ENC MTAwNIqIwCqnqXcuPuFods/e/E2cEqGBCXUCqLRQqcvttZT7vwN78EaITXO/HPDMd7oLBC4Ae1E2cEqGBCXUCqLRQqcga4pHp3vP1skMZlFbZGLKMnVrbqNTz+p4/baVS4u5qjKHT3pJy6YftjQrsqis6wDGxL88vLtPXX75V6wlW2AQvUSAZO71gljG7h5zg==
    next
end
Above is an example of the LDAP configuration from the CLI.
By default, nested groups (groups that are members of other groups) are not searched on Windows Active Directory (AD) LDAP servers, because doing so slows down the group membership search. FortiOS has an option to enable searching of nested groups for user group membership on AD LDAP servers.
To enable recursive (nested) searches, add the following command to your LDAP configuration.
set search-type recursive
The config should look like the snippet below.
config user ldap
    edit "DC01"
        set server "10.1.1.11"
        set cnid "sAMAccountName"
        set dn "dc=myinfoseclab,dc=com"
        set type regular
        set username "ldapsvc@myinfoseclab.com"
        set password ENC MTAwNIqIwCqnqXcuPuFods/e/E2cEqGBCXUCqLRQqcttZT7vwN78EaITXO/HPDMd7oLBC4Ae1E2cEqGBCXUCqLRQqcga4pHp3vP1skMZlFbZGLKMnVrbqNTz+p4/baVS4u5qjKHT3pJy6YftjQrsqis6wDGxL88vLtPXX75V6wlW2AQvUSAZO71gljG7h5zg==
        set search-type recursive
    next
    edit "DC02"
        set server "10.1.1.12"
        set cnid "sAMAccountName"
        set dn "dc=myinfoseclab,dc=com"
        set type regular
        set username "ldapsvc@myinfoseclab.com"
        set password ENC MTAwNIqIwCqnqXcuPuFods/e/E2cEqGBCXUCqLRQqcvttZT7vwN78EaITXO/HPDMd7oLBC4Ae1E2cEqGBCXUCqLRQqcga4pHp3vP1skMZlFbZGLKMnVrbqNTz+p4/baVS4u5qjKHT3pJy6YftjQrsqis6wDGxL88vLtPXX75V6wlW2AQvUSAZO71gljG7h5zg==
        set search-type recursive
    next
end
That’s it. That should work now.
NOTE: This feature does not work with OpenLDAP or the other LDAP servers the FortiGate supports; it is Microsoft-specific.
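To make concrete what the recursive search changes, here is an added Python example (not code from this post or from FortiOS) that resolves nested membership over constructed sample data and builds the flat and in-chain filter shapes. It assumes the Active Directory matching rule LDAP_MATCHING_RULE_IN_CHAIN is the mechanism behind the recursive option; the group and user DNs are illustrative.

```python
"""Added example, not code from the original post or from FortiOS: it shows why a
flat group lookup misses nested membership and what a recursive lookup returns.
Constructed sample data mirrors the post: manny_admin is in Domain Admins, which
is itself a member of Full Access."""

BASE = "dc=myinfoseclab,dc=com"
USER = f"cn=manny_admin,cn=Users,{BASE}"
FULL_ACCESS = f"cn=Full Access,ou=Groups,{BASE}"
DOMAIN_ADMINS = f"cn=Domain Admins,cn=Users,{BASE}"
OPS = f"cn=Ops,ou=Groups,{BASE}"

# Constructed "member" attribute of each group (group DN -> member DNs).
# Ops and Full Access contain each other, so the resolver must handle cycles.
GROUPS = {
    FULL_ACCESS: [DOMAIN_ADMINS, OPS],
    DOMAIN_ADMINS: [USER],
    OPS: [FULL_ACCESS],
}

# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN. It exists only on AD, which is
# consistent with the recursive option being Microsoft-specific (assumption:
# that this rule is what the FortiGate's recursive search relies on).
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a DN or username cannot alter the filter's logic."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def membership_filter(user_dn: str, recursive: bool) -> str:
    """Filter that returns the groups holding user_dn, flat or transitive."""
    rule = f":{IN_CHAIN}:" if recursive else ""
    return f"(member{rule}={escape_filter_value(user_dn)})"


def direct_groups(member_dn: str) -> set:
    """What a non-recursive search sees: groups listing member_dn directly."""
    return {g for g, members in GROUPS.items() if member_dn in members}


def effective_groups(user_dn: str) -> set:
    """What search-type recursive sees: every group reachable through nesting."""
    found, frontier = set(), [user_dn]
    while frontier:
        for group in direct_groups(frontier.pop()):
            if group not in found:  # visited set breaks the Ops/Full Access cycle
                found.add(group)
                frontier.append(group)
    return found
```

With the sample data, `direct_groups(USER)` returns only Domain Admins while `effective_groups(USER)` also returns Full Access, which is exactly the gap the post describes.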
Hope this helps.