Jonathan_Body_FTNT
Article Id 196352
Description
If special characters are entered in the Distinguished Name (DN) of an LDAP server configuration, FortiOS rejects the input with the message: The following characters are not allowed: < > ( ) # " '

This article provides a workaround for this restriction.

Scope
FortiOS v4.0 MR2 Patch 11
FortiOS v4.0 MR6 Patch 6

Solution
The workaround is to replace each disallowed character with a backslash followed by the two-digit hex value of its ASCII code. The hex values corresponding to these special characters are:
> = 3e
< = 3c
( = 28
) = 29
# = 23
" = 22
' = 27

For example, ou=<>()#"' can be entered in the web-based manager as ou=\3c\3e\28\29\23\22\27.

Or configure the following via the FortiOS CLI (note that inside the quoted dn string the backslash itself has to be doubled, as shown below):
config user ldap
edit "ldap"
set server "192.168.1.34"
set cnid "cn"
set dn "ou=\\3c\\3e\\28\\29\\23\\22\\27,DC=tac,DC=forti,DC=cn"
set filter ''
next
end
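The following is an added helper, not code from the Fortinet article, that builds the two escaped forms shown above (the web-based manager form with single backslashes and the CLI form with doubled backslashes) from a plain OU value, and decodes the result again to confirm the round trip. It assumes only the seven characters the article lists need escaping; the base DN DC=tac,DC=forti,DC=cn is taken from the article's example.

```python
import re

# Characters FortiOS rejects in the LDAP DN field, per the article.
FORTIOS_DISALLOWED = '<>()#"\''


def escape_dn_value(value: str) -> str:
    """Web-based manager form: each disallowed character becomes \\ + 2-digit hex."""
    out = []
    for ch in value:
        if ch in FORTIOS_DISALLOWED:
            out.append('\\%02x' % ord(ch))   # e.g. '<' -> '\3c'
        else:
            out.append(ch)
    return ''.join(out)


def escape_dn_value_cli(value: str) -> str:
    """CLI form: the backslash itself must be doubled inside the quoted dn string."""
    return escape_dn_value(value).replace('\\', '\\\\')


def unescape_dn_value(escaped: str) -> str:
    """Reverse the web-based manager form (\\hh -> character) to verify a round trip."""
    return re.sub(r'\\([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), escaped)


def build_ldap_dn(ou_value: str, base: str = 'DC=tac,DC=forti,DC=cn') -> str:
    """DN as entered in the web-based manager."""
    return 'ou=%s,%s' % (escape_dn_value(ou_value), base)


def cli_set_dn_line(ou_value: str, base: str = 'DC=tac,DC=forti,DC=cn') -> str:
    """The 'set dn' line for 'config user ldap', with CLI backslash doubling."""
    return 'set dn "ou=%s,%s"' % (escape_dn_value_cli(ou_value), base)


if __name__ == '__main__':
    sample = '<>()#"\''   # constructed sample value, same as the article's example
    print(build_ldap_dn(sample))
    print(cli_set_dn_line(sample))
    assert unescape_dn_value(escape_dn_value(sample)) == sample
```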

The special character handling can be verified with the following debug commands; the base DN in the output shows the escaped value as stored:
FG50BH3G09600138 # diag de application fnbamd -1
FG50BH3G09600138 # diag test authserver ldap ldap test 123
fnbamd_fsm.c[1010] handle_req-Rcvd auth req 15728654 for test in ldap opt=27 prot=0
fnbamd_ldap.c[485] resolve_ldap_FQDN-Resolved address 192.168.1.34, result 192.168.1.34
fnbamd_ldap.c[374] start_multi_attribute_lookup-Adding attr 'memberOf'
fnbamd_ldap.c[390] start_multi_attribute_lookup-base:'cn=test,ou=\3c\3e\28\29\23\22\27,DC=tac,DC=forti,DC=cn' filter:cn=*
fnbamd_ldap.c[1278] fnbamd_ldap_get_result-Entering CHKUSERATTRS state
fnbamd_fsm.c[1334] poll_ldap_servers-Continue pending for req 15728654
fnbamd_ldap.c[417] get_member_of_groups-Get the memberOf groups.
fnbamd_ldap.c[436] get_member_of_groups-attr='memberOf' - found 0 values
fnbamd_ldap.c[1292] fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap.c[1307] fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth.c[1543] fnbamd_auth_poll_ldap-Result for ldap svr 192.168.1.34 is SUCCESS
fnbamd_auth.c[1564] fnbamd_auth_poll_ldap-Skipping group matching
fnbamd_comm.c[116] fnbamd_comm_send_result-Sending result 0 for req 15728654
authenticate 'test' against 'ldap' succeeded!
