
Administration Guide

FortiGate cannot match right group

Assuming that the LDAP lookup found the computer in the LDAP directory:

[750] fnbamd_ldap_build_dn_search_req-base:'dc=fortiad,dc=info' filter:(&(userPrincipalName=WIN10-01.fortiad.info)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

[1226] __fnbamd_ldap_dn_entry-Get DN 'CN=WIN10-01,CN=Computers,DC=fortiad,DC=info'

Next, FortiGate searches for the groups that this computer belongs to (the memberOf attribute of the computer object):

[649] fnbamd_ldap_build_attr_search_req-Adding attr 'memberOf'

[661] fnbamd_ldap_build_attr_search_req-base:'CN=WIN10-01,CN=Computers,DC=fortiad,DC=info' filter:cn=*

The search returns the group DNs the computer is a member of:

[532] __retrieve_group_values- attr='memberOf', found 1 values

[542] __retrieve_group_values-val[0]='CN=VPNComputers,CN=Users,DC=fortiad,DC=info'

[472] __get_one_group-group: CN=Domain Computers,CN=Users,DC=fortiad,DC=info

However, group matching fails:

[1074] fnbamd_cert_auth_copy_cert_status-Matched peer user 'PKI-LDAP-Machine'

[833] fnbamd_cert_check_matched_groups-checking group with name 'PKI-Machine-Group'

[903] fnbamd_cert_check_matched_groups-not matched

Verify the group-name configured under the user group's LDAP match entry:

config user group
    edit "PKI-Machine-Group"
        set member "LDAP-fortiad-Machine" "PKI-LDAP-Machine"
        config match
            edit 1
                set server-name "LDAP-fortiad-Machine"
                set group-name "CN=VPNComputers,DC=fortiad,DC=info"
            next
        end
    next
end

The configured group-name, CN=VPNComputers,DC=fortiad,DC=info, is missing the CN=Users component and therefore does not equal the DN returned by LDAP, CN=VPNComputers,CN=Users,DC=fortiad,DC=info, so group matching failed. Set group-name to the exact DN shown in the memberOf value.
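
The comparison described above can be checked offline before touching the configuration. The following script is an added example and is not Fortinet code: it pulls the memberOf values out of the fnbamd debug lines shown on this page and the group-name values out of the CLI configuration, then compares them as DNs. The debug lines and CLI text embedded in it are constructed copies of the output above, and the assumption that the match is an RDN-by-RDN comparison with case-insensitive attribute names and values is the script's own, not a statement of fnbamd's internal rule. When a configured value does not match, the script reports the nearest returned DN and which RDNs the configured value lacks.

```python
import re

# Constructed sample input, copied from the debug output shown on this page.
DEBUG_LOG = """
[532] __retrieve_group_values- attr='memberOf', found 1 values
[542] __retrieve_group_values-val[0]='CN=VPNComputers,CN=Users,DC=fortiad,DC=info'
[472] __get_one_group-group: CN=Domain Computers,CN=Users,DC=fortiad,DC=info
[833] fnbamd_cert_check_matched_groups-checking group with name 'PKI-Machine-Group'
[903] fnbamd_cert_check_matched_groups-not matched
"""

# Constructed sample input, copied from the CLI configuration shown on this page.
CLI_CONFIG = """
config user group
    edit "PKI-Machine-Group"
        set member "LDAP-fortiad-Machine" "PKI-LDAP-Machine"
        config match
            edit 1
                set server-name "LDAP-fortiad-Machine"
                set group-name "CN=VPNComputers,DC=fortiad,DC=info"
            next
        end
    next
end
"""


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas."""
    return [r.strip() for r in re.split(r"(?<!\\),", dn)]


def norm_rdn(rdn):
    """Normalize one RDN to a comparable (attribute, value) pair (assumed case-insensitive)."""
    attr, _, value = rdn.partition("=")
    return (attr.strip().casefold(), value.strip().casefold())


def norm_dn(dn):
    return tuple(norm_rdn(r) for r in split_dn(dn))


def dn_equal(a, b):
    """Two DNs match only if every RDN agrees, in order."""
    return norm_dn(a) == norm_dn(b)


def missing_rdns(configured, returned):
    """RDNs present in the returned DN that the configured DN does not contain."""
    conf = set(norm_dn(configured))
    return [r for r in split_dn(returned) if norm_rdn(r) not in conf]


def groups_from_debug(log_text):
    """Collect the group DNs fnbamd reports for the object, without duplicates."""
    groups = []
    for line in log_text.splitlines():
        m = re.search(r"__retrieve_group_values-val\[\d+\]='([^']+)'", line)
        if not m:
            m = re.search(r"__get_one_group-group: (.+)$", line)
        if m and not any(dn_equal(m.group(1), g) for g in groups):
            groups.append(m.group(1).strip())
    return groups


def group_names_from_cli(cli_text):
    """Every 'set group-name' value in the user group configuration."""
    return re.findall(r'set group-name "([^"]+)"', cli_text)


def check_group_match(log_text, cli_text):
    """For each configured group-name, say whether it matches a returned DN; if not,
    name the nearest returned DN (one that contains every configured RDN) and the
    RDNs the configured value is missing."""
    groups = groups_from_debug(log_text)
    report = {}
    for name in group_names_from_cli(cli_text):
        if any(dn_equal(name, g) for g in groups):
            report[name] = {"matched": True, "candidate": None, "missing": []}
            continue
        conf = set(norm_dn(name))
        candidates = [g for g in groups if conf <= set(norm_dn(g))]
        best = min(candidates, key=lambda g: len(split_dn(g)), default=None)
        report[name] = {
            "matched": False,
            "candidate": best,
            "missing": missing_rdns(name, best) if best else [],
        }
    return report


if __name__ == "__main__":
    for name, result in check_group_match(DEBUG_LOG, CLI_CONFIG).items():
        if result["matched"]:
            print(f"OK      group-name {name!r} matches a returned DN")
        else:
            print(f"NOMATCH group-name {name!r}")
            if result["candidate"]:
                print(f"        nearest returned DN: {result['candidate']}")
                print(f"        configured value is missing: {', '.join(result['missing'])}")
```

Run against the page's own debug output and configuration, the script reports the configured value as unmatched, names CN=VPNComputers,CN=Users,DC=fortiad,DC=info as the nearest returned DN, and lists CN=Users as the missing RDN; once group-name is set to that full DN it reports a match.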