FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
ssriswadpong
Staff
Article Id 197768

Description


This article describes how to resolve an issue where the WAD user group is not updated after a user's group membership is changed in Active Directory (AD). For example, user A was a member of user group 1 but was moved to user group 2 in AD, yet FortiProxy continues to treat user A as a member of user group 1.

 

Scope

 

All currently supported versions of FortiProxy.

Solution

 

This issue is caused by the WAD LDAP user cache in FortiProxy. The group membership learned when the user first authenticated is kept in the cache, so until the cached entry is cleared, web-proxy policies keep matching the user against the stale group membership, including any group the user has since been removed from.

 

If the user has already authenticated, deauthenticate the user first:

 

To do this in the GUI, select the user in the list of authenticated users and select Deauthenticate.

 

To do this in the CLI, first find the username:

 

# diagnose firewall auth list

 

Next, deauthenticate the user, substituting the entry ID, IP address and VDOM shown for that user in the output above:

 

# diagnose wad user clear <ID> <IP> <VDOM>

 

Then clear the WAD LDAP user cache and refresh it:

 

# diagnose wad ldap user clear

 

# diagnose wad ldap user refresh

 

The user's group membership is updated the next time FortiProxy receives a successful authentication from that user. Clearing the cache alone is not enough; the user must authenticate again so that the new group membership is fetched from AD.

 

An alternative method that prevents this issue from recurring is to disable the WAD LDAP user cache:

 

# config web-proxy global
    set ldap-user-cache disable
end

 

enable: LDAP authentication is handled by WAD on the basis of its cached user information, so a group change in AD is not seen until the cached entry is cleared.
disable: LDAP authentication is performed by fnbamd, which queries the LDAP server for each authentication, so group changes take effect at the user's next authentication at the cost of the cache.


Note that the 'ldap-user-cache' option only works with Microsoft Active Directory. For any other directory, such as a Novell eDirectory LDAP server, the 'ldap-user-cache' option should be disabled.
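The following is an added, constructed model of the behaviour described above, not FortiProxy code: a directory holds the authoritative group membership, the proxy caches the membership it learned at a user's first authentication, and group-based proxy policies are evaluated against the session. The class and method names (Directory, Proxy, stale_group_scenario) are hypothetical; comments map each method to the article's command or setting. It shows why the deauthenticate step alone is not enough with the cache enabled, why clearing the cache plus re-authenticating fixes it, and how the 'ldap-user-cache disable' setting avoids the problem entirely (the 'refresh' command is not modelled).

```python
"""Constructed model of a group-cached proxy authentication path (not FortiProxy code)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Directory:
    """Stand-in for the AD/LDAP server: user -> set of groups (authoritative source)."""
    groups: dict[str, set[str]]

    def lookup_groups(self, user: str) -> set[str]:
        return set(self.groups.get(user, set()))

    def move_user(self, user: str, old: str, new: str) -> None:
        """The change an administrator makes on the AD side (group 1 -> group 2)."""
        self.groups.setdefault(user, set()).discard(old)
        self.groups[user].add(new)


@dataclass
class Proxy:
    """Hypothetical proxy with a WAD-style LDAP user cache and group-based policies."""
    directory: Directory
    ldap_user_cache: bool = True  # models 'set ldap-user-cache enable|disable'
    _ldap_cache: dict[str, set[str]] = field(default_factory=dict)  # WAD LDAP user cache
    _sessions: dict[str, set[str]] = field(default_factory=dict)    # authenticated users

    def authenticate(self, user: str) -> set[str]:
        """Resolve the user's groups at login; with the cache enabled a cached answer wins."""
        if self.ldap_user_cache and user in self._ldap_cache:
            groups = self._ldap_cache[user]          # stale membership served from cache
        else:
            groups = self.directory.lookup_groups(user)  # fnbamd-style query to the directory
            if self.ldap_user_cache:
                self._ldap_cache[user] = groups
        self._sessions[user] = groups
        return set(groups)

    def policy_allows(self, user: str, required_group: str) -> bool:
        """A group-based proxy policy, evaluated against the authenticated session."""
        return required_group in self._sessions.get(user, set())

    def deauthenticate(self, user: str) -> None:
        """Models 'diagnose wad user clear <ID> <IP> <VDOM>': drops the session only."""
        self._sessions.pop(user, None)

    def clear_ldap_cache(self) -> None:
        """Models 'diagnose wad ldap user clear': drops cached group membership."""
        self._ldap_cache.clear()


def stale_group_scenario(cache_enabled: bool) -> dict[str, bool]:
    """Run the article's scenario and report which group policies match userA at each step."""
    ad = Directory({"userA": {"group1"}})            # constructed sample directory
    proxy = Proxy(ad, ldap_user_cache=cache_enabled)
    proxy.authenticate("userA")                      # first login populates the cache
    ad.move_user("userA", "group1", "group2")        # group change made in AD
    proxy.authenticate("userA")                      # user simply logs in again
    result = {
        "group1_after_move": proxy.policy_allows("userA", "group1"),
        "group2_after_move": proxy.policy_allows("userA", "group2"),
    }
    # Deauthenticating without clearing the cache: re-auth is served from the cache again.
    proxy.deauthenticate("userA")
    proxy.authenticate("userA")
    result["group1_after_deauth_only"] = proxy.policy_allows("userA", "group1")
    # The article's full remediation: deauthenticate, clear the LDAP cache, authenticate again.
    proxy.deauthenticate("userA")
    proxy.clear_ldap_cache()
    proxy.authenticate("userA")
    result["group1_after_fix"] = proxy.policy_allows("userA", "group1")
    result["group2_after_fix"] = proxy.policy_allows("userA", "group2")
    return result


if __name__ == "__main__":
    print("cache enabled :", stale_group_scenario(True))
    print("cache disabled:", stale_group_scenario(False))
```

With the cache enabled, the user keeps matching the group1 policy after the AD move and even after a plain deauthentication, and only matches group2 once the cache is cleared and the user re-authenticates. With the cache disabled, the second login already reflects the new membership, which is the trade-off the 'ldap-user-cache disable' setting makes.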