FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
Anil_Solakoglu
Article Id 280333
Description This article describes the major difference between EMS 7.0.9 and 7.2.2 in how large Active Directory security groups are synchronized and assigned policies.
Scope EMS, LDAP, Active Directory.
Solution

For 7.0.9:

The limit for a single security group is a total of 1,500 users per group.

If a single security group contains 1501 users, the endpoints assigned through that group receive the default policy instead of the policy assigned to the group.

For version 7.2.2 the picture is completely different.

First, under the same condition (1501 users in a single security group), the policy still syncs correctly.

The limit was pushed a bit further by creating 5001 users in a single security group. The group still receives the correct policy.

As a result, a single security group with 1501 users on 7.0.9 falls back to the default policy instead of the assigned one, for the following reasons:

Default value in AD:
MaxValRange - This value controls the number of values that are returned for a single attribute of an object, independent of how many attributes that object has or how many objects were in the search result. When a group's member attribute holds more values than MaxValRange, a plain LDAP read returns only the first MaxValRange values (as a ranged result), so the LDAP client does not see the full membership.

Minimum value: 30.
Default value: 1500.

Windows Server 2008 and newer domain controllers return at most 5000 values in a single LDAP response, even if MaxValRange is set higher.

In 7.2.2, policy assignment for a single security group does not depend on the number of members in that group.

To check how many users are in a security group, use the following PowerShell command:

(Get-ADGroup 1500_TEST -Properties *).Member.Count

Replace 1500_TEST with the actual group name.
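The member count alone does not tell whether the DC is actually truncating the group over LDAP. The following PowerShell, added here as an example and not part of the original article, reads the effective MaxValRange from the domain's default LDAP query policy, counts the group's members over ADWS (which is not subject to the limit), and then performs a raw LDAP read of the member attribute to see whether the DC returns it as a ranged (truncated) result, which is the condition behind the 7.0.9 behaviour. It assumes RSAT with the ActiveDirectory module and uses the article's placeholder group name 1500_TEST.

```powershell
# Added example (not from the article). Requires RSAT / ActiveDirectory module.
Import-Module ActiveDirectory

function Get-MaxValRange {
    # Read MaxValRange from the Default Query Policy in the Configuration partition.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $policyDN = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $limits = (Get-ADObject -Identity $policyDN -Properties lDAPAdminLimits).lDAPAdminLimits
    $entry = $limits | Where-Object { $_ -like 'MaxValRange=*' }
    if ($entry) { return [int]($entry -split '=')[1] }
    return 1500   # AD default when the limit is not set explicitly
}

function Test-GroupExceedsRange {
    param([Parameter(Mandatory)][string]$GroupName)

    # ADWS (Get-ADGroup) returns the full member list, so this is the true total.
    $group = Get-ADGroup -Identity $GroupName -Properties Member
    $count = $group.Member.Count
    $maxValRange = Get-MaxValRange

    # Raw LDAP read of "member", as a plain LDAP client such as EMS would do.
    # If the DC truncates the attribute, it comes back named e.g. "member;range=0-1499".
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($group.DistinguishedName)"
    $searcher.SearchScope = 'Base'
    $searcher.Filter = '(objectClass=group)'
    [void]$searcher.PropertiesToLoad.Add('member')
    $result = $searcher.FindOne()
    $rangedAttr = $result.Properties.PropertyNames | Where-Object { $_ -like 'member;range=*' }

    [pscustomobject]@{
        Group          = $GroupName
        MemberCount    = $count
        MaxValRange    = $maxValRange
        LdapTruncated  = [bool]$rangedAttr          # $true means the DC applied MaxValRange
        OverLimit      = ($count -gt $maxValRange)  # groups to shrink or fix via ntdsutil on 7.0.9
    }
}

# Usage: replace 1500_TEST with the group(s) that EMS policies are assigned to.
Test-GroupExceedsRange -GroupName '1500_TEST' | Format-List
```

Run it on the EMS-connected DC (or any domain-joined host with RSAT) before and after changing MaxValRange to confirm the ranged result disappears.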

7.0.9:

The total number of members in a single security group should be reduced below the MaxValRange limit of 1500, or, as an alternative, MaxValRange should be increased on the AD side.

On the AD domain controller that EMS connects to, open a CMD window as administrator and run the following commands:

ntdsutil.exe
LDAP policies
connections
connect to server localhost
q
set maxvalrange to 10000
show values
q
q

Try to sync the domain again.

**** Start Ntdsutil.exe

Ntdsutil.exe is located in the Support Tools folder on the Windows installation CD-ROM. By default, Ntdsutil.exe is installed in the System32 folder.

Select Start, and then select Run. In the Open text box, type ntdsutil, and then press ENTER. To view help at any time, type ? at the command prompt.