Created on 09-30-2015 02:46 AM Edited on 08-25-2022 10:30 AM By Anonymous
Description
Solution
Users log on at the FortiManager/FortiAnalyzer prompt with their AD logon name (the sAMAccountName attribute).
In this example, OU 'RemoteAdmins' in the domain triton.lab contains the security groups 'fmgAdmins' and 'fmgAdminsRO' and the service user 'firewalls', which is the account the LDAP server object binds with.
Variant 1 (one LDAP server object per group)
Variant 1 uses a first server object (AD1) bound to the 'fmgAdmins' group and a second server object (AD2) bound to the 'fmgAdminsRO' group, each referenced by its own wildcard administrator.
To configure the same via CLI, use:
# config system admin ldap
edit "AD1"
set server "10.0.0.1"
set secondary-server "10.0.0.2"
set port 389
set cnid "sAMAccountName"
set dn "DC=triton,DC=lab"
set type regular
set username "CN=firewalls,OU=RemoteAdmins,DC=triton,DC=lab"
set password ADpaSSword!2#
set group CN=fmgAdmins,OU=RemoteAdmins,DC=triton,DC=lab
set filter (&(objectcategory=group)(member=*))
next
end
# config system admin user
edit "RemoteAdmins"
set profileid "Super_User"
set adom "all_adoms"
set policy-package "all_policy_packages"
set user_type ldap
set ldap-server "AD1"
set wildcard enable
next
end
# config system admin ldap
edit "AD2"
set server "10.0.0.1"
set secondary-server "10.0.0.2"
set port 389
set cnid "sAMAccountName"
set dn "DC=triton,DC=lab"
set type regular
set username "CN=firewalls,OU=RemoteAdmins,DC=triton,DC=lab"
set password ADpaSSword!2#
set group CN=fmgAdminsRO,OU=RemoteAdmins,DC=triton,DC=lab
set filter (&(objectcategory=group)(member=*))
next
end
# config system admin user
edit "RemoteAdminsRO"
set profileid "Read_User"
set adom "FortiAnalyzer"
set policy-package "all_policy_packages"
set user_type ldap
set ldap-server "AD2"
set wildcard enable
next
end
The second wildcard administrator needs a name of its own (here 'RemoteAdminsRO'): a second 'edit "RemoteAdmins"' would only modify the object created above instead of adding one.
The bind password is shown in clear text and the connection uses plain LDAP on port 389 purely for illustration. In production use a dedicated, read-only service account for 'username', and protect the bind credentials and query traffic with 'set secure ldaps' (port 636) or 'set secure starttls' plus a trusted 'ca-cert' on the server object.
Note: wildcard admins are evaluated in CLI configuration order and the first object that accepts the user wins. If the same AD group is set in both AD1 and AD2, or if the same server object is referenced by several wildcard admins, every user is therefore matched against the first object only and the later ones are never reached.
To use a single server object for multiple wildcard admins, see Variant 2 below.
Variant 2 (available from version 6.2 onward)
Another option for configuring multiple admin objects, without a separate server object for each of them, is 'set ext-auth-group-match'.
In the LDAP server object (System Settings -> Admin -> Remote Authentication Servers):
- leave the 'group' field blank.
- in 'memberof-attr', enter the name of the user attribute that lists the user's group memberships.
Since this is an Active Directory example, that attribute is 'memberOf'.
In this variant the group is configured on the wildcard admin itself, so several wildcard admin objects can match different directory groups while all sharing a single LDAP server object.
Next, go to System Settings -> Admin -> Administrators and create the two wildcard administrators needed to assign the different permissions.
To configure the same via CLI, use:
# config system admin ldap
edit "AD2"
set server "10.0.2.1"
set secondary-server "10.0.2.2"
set port 389
set cnid "sAMAccountName"
set dn "DC=triton,DC=lab"
set type regular
set username "CN=firewalls,OU=RemoteAdmins,DC=triton,DC=lab"
set password ADpaSSword!2#
set memberof-attr "memberOf"
unset group
set filter (objectclass=*)
next
end
# config system admin user
edit "RemoteSuperAdmins"
set profileid "Super_User"
set user_type ldap
set ldap-server "AD2"
set wildcard enable
set ext-auth-group-match "fmgAdmins"
next
edit "RemoteReadAdmins"
set profileid "Read_User"
set adom "root"
set adom-access specify
set policy-package "all_policy_packages"
set user_type ldap
set ldap-server "AD2"
set wildcard enable
set ext-auth-group-match "fmgAdminsRO"
next
end
NOTE: In both variants, a wildcard admin ('Match all users on remote server') whose server object has no 'group' (Variant 1) and no 'ext-auth-group-match' (Variant 2) admits every directory user who can authenticate, regardless of group membership. Always set one of the two before enabling wildcard matching.
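The two notes above (first-match-in-CLI-order, and no group meaning everyone gets in) are easy to misjudge when several wildcard admins are involved, so the following added example models the selection logic for the users and groups in this article. It is not Fortinet code: the matching rules are an assumption derived from this article (admins are tried in CLI order and the first match wins; a server object with no 'group' admits any user; Variant 2 compares 'ext-auth-group-match' against the CN of each value of the 'memberof-attr' attribute). The directory contents ('alice', 'bob', 'carol') are constructed sample data, and the second Variant 1 admin is named 'RemoteAdminsRO' here so the two admin objects stay distinct.

```python
"""Model of how a FortiManager/FortiAnalyzer wildcard admin is selected for
an LDAP user. Added example, not Fortinet code: the rules are an assumption
derived from the article (admins tried in CLI order, first match wins; a
server object with no 'group' admits every directory user; Variant 2 matches
'ext-auth-group-match' against the CN of each 'memberof-attr' value).
The directory below is constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FMG_ADMINS = "CN=fmgAdmins,OU=RemoteAdmins,DC=triton,DC=lab"
FMG_ADMINS_RO = "CN=fmgAdminsRO,OU=RemoteAdmins,DC=triton,DC=lab"

# Constructed directory: sAMAccountName -> attributes returned by the search.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "alice": {"memberOf": [FMG_ADMINS]},
    "bob":   {"memberOf": [FMG_ADMINS_RO]},
    "carol": {"memberOf": ["CN=Domain Users,CN=Users,DC=triton,DC=lab"]},
}


@dataclass
class LdapServer:
    """'config system admin ldap' object (only the fields that affect matching)."""
    name: str
    group: Optional[str] = None          # 'set group <DN>'; None == 'unset group'
    memberof_attr: Optional[str] = None  # 'set memberof-attr <attr>'


@dataclass
class WildcardAdmin:
    """'config system admin user' object with 'set wildcard enable'."""
    name: str
    profileid: str
    ldap_server: str
    ext_auth_group_match: Optional[str] = None


def cn_of(dn: str) -> str:
    """Leftmost RDN value of a DN: 'CN=fmgAdmins,OU=...' -> 'fmgAdmins'."""
    rdn = dn.split(",", 1)[0]
    return rdn.split("=", 1)[1] if "=" in rdn else rdn


def server_admits(server: LdapServer, attrs: Dict[str, List[str]]) -> bool:
    """Variant 1 check: the user must be a member of the server object's group.
    With no group configured every directory user passes (the article's NOTE)."""
    if server.group is None:
        return True
    return any(g.lower() == server.group.lower() for g in attrs.get("memberOf", []))


def admin_matches(admin: WildcardAdmin, server: LdapServer,
                  attrs: Dict[str, List[str]]) -> bool:
    if not server_admits(server, attrs):
        return False
    if admin.ext_auth_group_match is None:
        return True                      # nothing further restricts this admin
    if server.memberof_attr is None:
        return False                     # Variant 2 needs memberof-attr on the server
    return any(cn_of(g).lower() == admin.ext_auth_group_match.lower()
               for g in attrs.get(server.memberof_attr, []))


def resolve(username: str, admins: List[WildcardAdmin],
            servers: Dict[str, LdapServer],
            directory=DIRECTORY) -> Optional[Tuple[str, str]]:
    """First wildcard admin, in CLI order, whose server and group rules admit the user."""
    attrs = directory.get(username)
    if attrs is None:
        return None
    for admin in admins:
        if admin_matches(admin, servers[admin.ldap_server], attrs):
            return admin.name, admin.profileid
    return None


def variant1(same_server: bool = False) -> Dict[str, Optional[Tuple[str, str]]]:
    """Two server objects with one group each. same_server=True reproduces the
    misconfiguration from the first NOTE: both admins reference AD1."""
    servers = {"AD1": LdapServer("AD1", group=FMG_ADMINS),
               "AD2": LdapServer("AD2", group=FMG_ADMINS_RO)}
    admins = [WildcardAdmin("RemoteAdmins", "Super_User", "AD1"),
              WildcardAdmin("RemoteAdminsRO", "Read_User",
                            "AD1" if same_server else "AD2")]
    return {u: resolve(u, admins, servers) for u in DIRECTORY}


def variant2(restrict_ro: bool = True) -> Dict[str, Optional[Tuple[str, str]]]:
    """One server object, no group, memberof-attr set. restrict_ro=False drops
    ext-auth-group-match from the read-only admin to show the open-door case."""
    servers = {"AD2": LdapServer("AD2", group=None, memberof_attr="memberOf")}
    admins = [WildcardAdmin("RemoteSuperAdmins", "Super_User", "AD2", "fmgAdmins"),
              WildcardAdmin("RemoteReadAdmins", "Read_User", "AD2",
                            "fmgAdminsRO" if restrict_ro else None)]
    return {u: resolve(u, admins, servers) for u in DIRECTORY}


if __name__ == "__main__":
    for label, result in [("variant1", variant1()),
                          ("variant1, same server twice", variant1(same_server=True)),
                          ("variant2", variant2()),
                          ("variant2, RO admin without group match", variant2(False))]:
        print(label, result)
```

Running it shows the two failure modes side by side: with both Variant 1 admins pointing at AD1, 'bob' is never reached by the read-only object and is rejected outright, while dropping 'ext-auth-group-match' from the Variant 2 read-only admin lets 'carol', a plain domain user, log in with the Read_User profile.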
Troubleshooting
The following diagnostic commands can be used for live debugging while reproducing the logon issue (the process name changed in 6.4.3):
# diag debug application fnbam 255 (up to version 6.4.2)
# diag debug application auth 255 (from version 6.4.3)
The output is similar in both cases and is fairly easy to understand: it shows the bind with the service account, the search filter applied and the group check for the user who logged on.
If a support ticket needs to be opened for an LDAP authentication or authorization issue, collect this debug output and attach it together with the system configuration from the CLI or a full backup file.
Copyright 2024 Fortinet, Inc. All Rights Reserved.