FortiManager
pksubramanian
Article Id 196887

Description


This article describes how to troubleshoot a situation where a group membership check fails when using FortiAuthenticator as an LDAP server.

 

Scope

 

FortiAuthenticator, FortiManager.

Solution


If FortiAuthenticator is configured as an LDAP server, an issue may occur where authentication appears to work as intended but fails only when trying to authorize a user based on a group membership check: the bind with the user's credentials succeeds, but the user is not found in the required group.

 

Ensure that the user shown in the FortiAuthenticator LDAP Directory Tree has been manually added to the user group:

[Screenshot omitted: Stephen_G_2-1669219015504.png]

 

In the above example, the user 'test3' is mapped under the LDAP directory tree.

[Screenshot omitted: Stephen_G_1-1669219012413.png]
 
However, 'test3' is not automatically added to the group. Add the user to the group as shown below.
 
[Screenshot omitted: Stephen_G_0-1669219009914.png]
FortiAuthenticator does not automatically add users mapped under LDAP into user groups. This must be done manually.
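To make the failure mode concrete, the following is an added example (not code from this article or from Fortinet) that models the two-step check in Python against a constructed in-memory directory: a successful bind followed by a group lookup that fails because the user was never added to the group, and the same lookup succeeding once the user is added. The DNs, the 'member' attribute on a 'groupOfNames' entry, and the passwords are assumptions.

```python
"""Model of the two-step check a FortiManager login performs against an LDAP
server: (1) bind as the user = authentication, (2) look the user up in the
group = authorization. The tree below is a constructed stand-in (assumption)."""

# Constructed tree. 'test3' exists under the users OU but is absent from the
# group's member list, which is exactly the situation the article describes.
DIRECTORY = {
    "cn=test3,ou=users,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "userPassword": ["correct-horse"],  # demo only; real servers store hashes
    },
    "cn=test1,ou=users,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "userPassword": ["s3cret"],
    },
    "cn=fmg-admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=test1,ou=users,dc=example,dc=com"],
    },
}

def simple_bind(directory, dn, password):
    """Step 1, authentication: True when the DN exists and the password matches."""
    entry = directory.get(dn)
    return entry is not None and password in entry.get("userPassword", [])

def is_member(directory, group_dn, user_dn):
    """Step 2, authorization: compare DNs case-insensitively, as LDAP does."""
    members = {m.lower() for m in directory.get(group_dn, {}).get("member", [])}
    return user_dn.lower() in members

def check_access(directory, user_dn, password, group_dn):
    """Report where the login stops: 'auth-failed', 'not-in-group' or 'ok'."""
    if not simple_bind(directory, user_dn, password):
        return "auth-failed"
    if not is_member(directory, group_dn, user_dn):
        return "not-in-group"  # password was right; membership is the problem
    return "ok"

def add_to_group(directory, group_dn, user_dn):
    """The article's fix: explicitly add the user to the group's member list."""
    directory[group_dn].setdefault("member", []).append(user_dn)

if __name__ == "__main__":
    user = "cn=test3,ou=users,dc=example,dc=com"
    group = "cn=fmg-admins,ou=groups,dc=example,dc=com"
    print("before:", check_access(DIRECTORY, user, "correct-horse", group))  # not-in-group
    add_to_group(DIRECTORY, group, user)
    print("after: ", check_access(DIRECTORY, user, "correct-horse", group))  # ok
```

Against a real FortiAuthenticator the same two steps can be reproduced with a bind as the user followed by an LDAP search for the group entry's member attribute.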

 

Further Troubleshooting

 

The following diagnostic commands can be used for live debugging on FortiManager/FortiAnalyzer (FMG/FAZ) while reproducing the logon issue; the command name depends on the firmware version:

 

# diag debug application fnbam 255   <- FortiManager 6.4.2 and below

# diag debug application auth 255    <- FortiManager 6.4.3 and above