Created on 03-04-2020 12:59 AM Edited on 11-23-2022 07:58 AM By Stephen_G
Description
This article describes how to troubleshoot a situation where a group membership check fails when using FortiAuthenticator as an LDAP server.
Scope
FortiAuthenticator, FortiManager.
Solution
If FortiAuthenticator is configured as an LDAP server, an issue may occur where authentication appears to work as intended but fails only when trying to authorize a user based on a group membership check.
Ensure that the user shown in the FortiAuthenticator LDAP Directory Tree has been manually added to the user group:
In the above example, the user 'test3' is mapped under the LDAP directory tree.
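The following added example (not from the article or from Fortinet) performs the same membership check offline against an LDIF export of the directory tree: it parses the export, normalizes DNs so that case and spacing differences do not hide a match, and lists the users that a group does not contain. The sample LDIF, the groupOfNames/member layout and all DNs are constructed assumptions.

```python
import base64
# Constructed LDIF export of a FortiAuthenticator directory tree (made-up DNs; the
# groupOfNames/member layout is an assumption, not something the article states).
SAMPLE_LDIF = """\
dn: cn=test3,ou=users,dc=example,dc=com
uid: test3

dn: cn=test4,ou=users,dc=example,dc=com
uid: test4

dn: cn=fmg-admins,ou=groups,dc=example,dc=com
member: CN=test3, OU=users, DC=example, DC=com
"""
MEMBER_ATTRS = ("member", "uniquemember")

def normalize_dn(dn):
    """Lower-case and strip spaces after commas so 'CN=x, OU=y' equals 'cn=x,ou=y'."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_ldif(text):
    """Parse LDIF into {normalized dn: {attribute: [values]}} (folded lines, base64 ok)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries[normalize_dn(current["dn"][0])] = current
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def group_member_dns(entries, group_dn):
    """Normalized member DNs of a group; KeyError if the group entry does not exist."""
    group = entries[normalize_dn(group_dn)]
    return {normalize_dn(v) for attr in MEMBER_ATTRS for v in group.get(attr, [])}

def users_not_in_group(ldif_text, group_dn):
    """uids of user entries the group does not list: the situation this article describes."""
    entries = parse_ldif(ldif_text)
    members = group_member_dns(entries, group_dn)
    return sorted(e["uid"][0] for dn, e in entries.items() if "uid" in e and dn not in members)
```

Running `users_not_in_group(SAMPLE_LDIF, "cn=fmg-admins,ou=groups,dc=example,dc=com")` on the sample returns the users whose group check would fail; for a real export, replace the sample with the output of an LDAP export of the FortiAuthenticator tree.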
Further Troubleshooting
The following diagnostic commands can be used for live debugging on FMG/FAZ while reproducing the logon issue:
# diag debug application fnbam 255    <- For FortiManager 6.4.2 and below
# diag debug application auth 255     <- For FortiManager 6.4.3 and above