Per-device mapping for LDAP and FSSO user groups 7.0.2
Per-device mapping has been added for Firewall and FSSO group types.
To use per-device mapping in Firewall and FSSO user groups:
- Go to Policy & Objects > Object Configurations > User & Authentication > User Groups.
- Create FSSO, Firewall user, and Firewall LDAP remote authentication server dynamic user groups mapped to different FortiGate VDOMs (root and v1 in this example).
- FSSO dynamic user group.
- Firewall dynamic user group.
- Firewall LDAP remote authentication server dynamic user group.
- FSSO dynamic user group.
- Go to Policy & Objects > Policy Packages, and use the user groups in a new or existing policy.
- Install the policy to the two different FortiGate VDOMs.
The copy log and installation log show that the dynamic mappings for the user groups are installed to their respective FortiGate VDOMs. Note that the copy log contains the ENC-encoded password strings for the LDAP server and local users, whereas the install log masks them with asterisks; treat saved or shared copy logs as sensitive.
- Copy Log
>>>>>FGVM01SYNTAX0013>>>>>>>>>>>>>>>>>>>>>>>>>>> config vdom edit root config user ldap edit "taj-ldap-server" set server "10.2.78.8" set cnid "cn" set dn "dc=fssotest,dc=com" set type regular set username "cn=administrator,cn=users,dc=fssotest,dc=com" set password ENC Z8Zpc/bwU2j1HxCFsp0zLVsmpXEWQQvc6JVoYq8gt3RKcH0GzuPHQAo4U0l/tm1eYnZMKjWCX/cNxSUWvk/Pp83EjgGWe4Yf5H4VtPLEeCadn6Q8PJZpITqMLtBJUry6CETGGrnY0gfHZINWaIya9QDGbOZ3BOBKw1sj9Wf6CHNSUfQ2 next end config user local edit "guest" set type password set passwd ENC Z8Zpc/bwU2j1HxCFWzO/XkWz1iNBDsh5b97WAaOc878PeL/elqx7TGytfdtUQRfwtzxmM/u3O09SixVeQ5b325brkt7Zmd4nlu1m17oIqaTLJYHUUtgURVHU4D8BONVV2bh+WbXaWcVyU5CwLaIQ3EbwOdPuhJjStZLpJYeW4sFljHnH next end config user group edit "dynaFSSO" set group-type fsso-service set member "FSSOTEST/ADMINISTRATORS" next edit "dynaLDAP" set member "taj-ldap-server" config match edit 1 set server-name "taj-ldap-server" set group-name "CN=Access Control Assistance Operators,CN=Builtin,DC=fssotest,DC=com" next end next edit "dynaUser" set member "guest" next end config firewall policy edit 1 unset groups set groups "dynaFSSO" "dynaLDAP" "dynaUser" next end next edit v1 config user ldap edit "taj-ldap-server" set server "10.2.78.8" set cnid "cn" set dn "dc=fssotest,dc=com" set type regular set username "cn=administrator,cn=users,dc=fssotest,dc=com" set password ENC Z8Zpc/bwU2j1HxCFsp0zLVsmpXEWQQvc6JVoYq8gt3RKcH0GzuPHQAo4U0l/tm1eYnZMKjWCX/cNxSUWvk/Pp83EjgGWe4Yf5H4VtPLEeCadn6Q8PJZpITqMLtBJUry6CETGGrnY0gfHZINWaIya9QDGbOZ3BOBKw1sj9Wf6CHNSUfQ2 next end config user local edit "taj-local-user" set type password set two-factor sms set sms-phone "13333333" set passwd ENC Z8Zpc/bwU2j1HxCFgvSKuX7rw3RdHEDq+jYKXUC2d4iY6HcNL4G3Q/FvS+3nbU0LaifZNMFfwuDuzMjOipkcYVOZWmpLT7r0fdMMEhkOdznooELXW85UNGzeQVsMc+PzAFnZM/szwaPWWToS6YRXVgguUF0b5FIk/070eHkl8CArGC5s next end config user group edit "dynaFSSO" set group-type fsso-service set member "FSSOTEST/BACKUP OPERATORS" next edit "dynaLDAP" set member 
"taj-ldap-server" config match edit 1 set server-name "taj-ldap-server" set group-name "CN=Backup Operators,CN=Builtin,DC=fssotest,DC=com" next end next edit "dynaUser" set member "taj-local-user" next end config firewall policy edit 1 unset groups set groups "dynaFSSO" "dynaLDAP" "dynaUser" next end end
- Install Log
Starting log (Run on device) Start installing FGVM01SYNTAX0013 $ config vdom FGVM01SYNTAX0013 (vdom) $ edit root current vf=root:0 FGVM01SYNTAX0013 (root) $ config user ldap FGVM01SYNTAX0013 (ldap) $ edit "taj-ldap-server" FGVM01SYNTAX0013 (taj-ldap-server) $ set server "10.2.78.8" FGVM01SYNTAX0013 (taj-ldap-server) $ set cnid "cn" FGVM01SYNTAX0013 (taj-ldap-server) $ set dn "dc=fssotest,dc=com" FGVM01SYNTAX0013 (taj-ldap-server) $ set type regular FGVM01SYNTAX0013 (taj-ldap-server) $ set username "cn=administrator,cn=users,dc=fssotest,dc=com" FGVM01SYNTAX0013 (taj-ldap-server) $ set password ********** FGVM01SYNTAX0013 (taj-ldap-server) $ next FGVM01SYNTAX0013 (ldap) $ end FGVM01SYNTAX0013 (root) $ config user local FGVM01SYNTAX0013 (local) $ edit "guest" FGVM01SYNTAX0013 (guest) $ set type password FGVM01SYNTAX0013 (guest) $ set passwd ************************************************************************************************************************************************************************************************************ FGVM01SYNTAX0013 (guest) $ next FGVM01SYNTAX0013 (local) $ end FGVM01SYNTAX0013 (root) $ config user group FGVM01SYNTAX0013 (group) $ edit "dynaFSSO" FGVM01SYNTAX0013 (dynaFSSO) $ set group-type fsso-service FGVM01SYNTAX0013 (dynaFSSO) $ set member "FSSOTEST/ADMINISTRATORS" FGVM01SYNTAX0013 (dynaFSSO) $ next FGVM01SYNTAX0013 (group) $ edit "dynaLDAP" FGVM01SYNTAX0013 (dynaLDAP) $ set member "taj-ldap-server" FGVM01SYNTAX0013 (dynaLDAP) $ config match FGVM01SYNTAX0013 (match) $ edit 1 FGVM01SYNTAX0013 (1) $ set server-name "taj-ldap-server" FGVM01SYNTAX0013 (1) $ set group-name "CN=Access Control Assistance Operators,CN=Builtin,DC=fssotest,DC=com" FGVM01SYNTAX0013 (1) $ next FGVM01SYNTAX0013 (match) $ end FGVM01SYNTAX0013 (dynaLDAP) $ next FGVM01SYNTAX0013 (group) $ edit "dynaUser" FGVM01SYNTAX0013 (dynaUser) $ set member "guest" FGVM01SYNTAX0013 (dynaUser) $ next FGVM01SYNTAX0013 (group) $ end FGVM01SYNTAX0013 (root) $ config 
firewall policy FGVM01SYNTAX0013 (policy) $ edit 1 FGVM01SYNTAX0013 (1) $ unset groups FGVM01SYNTAX0013 (1) $ set groups "dynaFSSO" "dynaLDAP" "dynaUser" FGVM01SYNTAX0013 (1) $ next FGVM01SYNTAX0013 (policy) $ end FGVM01SYNTAX0013 (root) $ next FGVM01SYNTAX0013 (vdom) $ edit v1 current vf=v1:1 FGVM01SYNTAX0013 (v1) $ config user ldap FGVM01SYNTAX0013 (ldap) $ edit "taj-ldap-server" FGVM01SYNTAX0013 (taj-ldap-server) $ set server "10.2.78.8" FGVM01SYNTAX0013 (taj-ldap-server) $ set cnid "cn" FGVM01SYNTAX0013 (taj-ldap-server) $ set dn "dc=fssotest,dc=com" FGVM01SYNTAX0013 (taj-ldap-server) $ set type regular FGVM01SYNTAX0013 (taj-ldap-server) $ set username "cn=administrator,cn=users,dc=fssotest,dc=com" FGVM01SYNTAX0013 (taj-ldap-server) $ set password ********** FGVM01SYNTAX0013 (taj-ldap-server) $ next FGVM01SYNTAX0013 (ldap) $ end FGVM01SYNTAX0013 (v1) $ config user local FGVM01SYNTAX0013 (local) $ edit "taj-local-user" FGVM01SYNTAX0013 (taj-local-user) $ set type password FGVM01SYNTAX0013 (taj-local-user) $ set two-factor sms FGVM01SYNTAX0013 (taj-local-user) $ set sms-phone "13333333" FGVM01SYNTAX0013 (taj-local-user) $ set passwd ********* FGVM01SYNTAX0013 (taj-local-user) $ next FGVM01SYNTAX0013 (local) $ end FGVM01SYNTAX0013 (v1) $ config user group FGVM01SYNTAX0013 (group) $ edit "dynaFSSO" FGVM01SYNTAX0013 (dynaFSSO) $ set group-type fsso-service FGVM01SYNTAX0013 (dynaFSSO) $ set member "FSSOTEST/BACKUP OPERATORS" FGVM01SYNTAX0013 (dynaFSSO) $ next FGVM01SYNTAX0013 (group) $ edit "dynaLDAP" FGVM01SYNTAX0013 (dynaLDAP) $ set member "taj-ldap-server" FGVM01SYNTAX0013 (dynaLDAP) $ config match FGVM01SYNTAX0013 (match) $ edit 1 FGVM01SYNTAX0013 (1) $ set server-name "taj-ldap-server" FGVM01SYNTAX0013 (1) $ set group-name "CN=Backup Operators,CN=Builtin,DC=fssotest,DC=com" FGVM01SYNTAX0013 (1) $ next FGVM01SYNTAX0013 (match) $ end FGVM01SYNTAX0013 (dynaLDAP) $ next FGVM01SYNTAX0013 (group) $ edit "dynaUser" FGVM01SYNTAX0013 (dynaUser) $ set member 
"taj-local-user" FGVM01SYNTAX0013 (dynaUser) $ next FGVM01SYNTAX0013 (group) $ end FGVM01SYNTAX0013 (v1) $ config firewall policy FGVM01SYNTAX0013 (policy) $ edit 1 FGVM01SYNTAX0013 (1) $ unset groups FGVM01SYNTAX0013 (1) $ set groups "dynaFSSO" "dynaLDAP" "dynaUser" FGVM01SYNTAX0013 (1) $ next FGVM01SYNTAX0013 (policy) $ end FGVM01SYNTAX0013 (v1) $ end ---> generating verification report <--- done generating verification report
- Copy Log
- After the installation finishes, each FortiGate VDOM receives its own mapped user groups.
- Root VDOM
- v1 VDOM
- Root VDOM