Description
If special characters are entered in the Distinguished Name (DN) of an LDAP server configuration, FortiOS rejects the input with the message: "The following characters are not allowed: < > ( ) # " '".
This article provides a workaround for this restriction.
Scope
FortiOS v4.0 MR2 Patch 11
FortiOS v4.0 MR6 Patch 6
Solution
The workaround is to replace each special character with a backslash followed by the two-digit hexadecimal value of its ASCII code. The hex values of the restricted characters are:
> = 3e
< = 3c
( = 28
) = 29
# = 23
" = 22
' = 27
For example, ou=<>()#"' can be entered in the web-based manager as ou=\3c\3e\28\29\23\22\27
Alternatively, configure the following via the FortiOS CLI (note that each backslash is doubled inside the quoted CLI string):
config user ldap
    edit "ldap"
        set server "192.168.1.34"
        set cnid "cn"
        set dn "ou=\\3c\\3e\\28\\29\\23\\22\\27,DC=tac,DC=forti,DC=cn"
        set filter ''
    next
end
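As an added example (not from the article or from Fortinet), the following Python helper applies the escaping rule to a raw DN value, assembles a DN from attribute/value pairs, and reverses the escaping so a configured DN can be checked against the intended one. The gui_to_cli helper and its backslash-doubling rule are an assumption drawn from the CLI sample above.

```python
import re

# Characters that FortiOS rejects in an LDAP DN entered through the GUI (from the article).
FORTIOS_DISALLOWED = frozenset('<>()#"\'')


def escape_dn_value(value):
    # Replace each disallowed character with backslash + 2-digit hex of its ASCII code.
    if '\\' in value:
        # A literal backslash would make the escaped form ambiguous; the article
        # does not cover that case, so refuse it explicitly rather than guess.
        raise ValueError("backslash in DN value is not handled by this workaround")
    return ''.join(f'\\{ord(ch):02x}' if ch in FORTIOS_DISALLOWED else ch for ch in value)


def unescape_dn_value(value):
    # Reverse escape_dn_value: every backslash + two hex digits becomes that character.
    return re.sub(r'\\([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), value)


def build_dn(rdns):
    # Assemble a DN from (attribute, raw value) pairs, escaping only the values,
    # never the attribute names, '=' or the ',' separators.
    return ','.join(f'{attr}={escape_dn_value(val)}' for attr, val in rdns)


def gui_to_cli(dn):
    # Assumption: the CLI 'set dn "..."' string is double-quoted and treats backslash
    # as an escape character, so each backslash of the GUI form must be doubled.
    return dn.replace('\\', '\\\\')


if __name__ == '__main__':
    # Constructed input mirroring the article's example OU.
    raw_ou = '<>()#"\''
    dn = build_dn([('ou', raw_ou), ('DC', 'tac'), ('DC', 'forti'), ('DC', 'cn')])
    print('GUI :', dn)
    print('CLI : set dn "%s"' % gui_to_cli(dn))
    # Round trip: decoding the escaped DN must give back the intended DN.
    assert unescape_dn_value(dn) == f'ou={raw_ou},DC=tac,DC=forti,DC=cn'
```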
The escaped DN can be verified with the following debug commands; the base DN logged by fnbamd shows the escaped value being used in the LDAP lookup:
FG50BH3G09600138 # diag de application fnbamd -1
FG50BH3G09600138 # diag test authserver ldap ldap test 123
fnbamd_fsm.c[1010] handle_req-Rcvd auth req 15728654 for test in ldap opt=27 prot=0
fnbamd_ldap.c[485] resolve_ldap_FQDN-Resolved address 192.168.1.34, result 192.168.1.34
fnbamd_ldap.c[374] start_multi_attribute_lookup-Adding attr 'memberOf'
fnbamd_ldap.c[390] start_multi_attribute_lookup-base:'cn=test,ou=\3c\3e\28\29\23\22\27,DC=tac,DC=forti,DC=cn' filter:cn=*
fnbamd_ldap.c[1278] fnbamd_ldap_get_result-Entering CHKUSERATTRS state
fnbamd_fsm.c[1334] poll_ldap_servers-Continue pending for req 15728654
fnbamd_ldap.c[417] get_member_of_groups-Get the memberOf groups.
fnbamd_ldap.c[436] get_member_of_groups-attr='memberOf' - found 0 values
fnbamd_ldap.c[1292] fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap.c[1307] fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth.c[1543] fnbamd_auth_poll_ldap-Result for ldap svr 192.168.1.34 is SUCCESS
fnbamd_auth.c[1564] fnbamd_auth_poll_ldap-Skipping group matching
fnbamd_comm.c[116] fnbamd_comm_send_result-Sending result 0 for req 15728654
authenticate 'test' against 'ldap' succeeded!