Open MahmoudBehery opened 10 months ago
I have the exact same issue. After the LDAP provider not supporting the SAMBA schema, this is another disappointment. I hope I am not missing something obvious, but I have been up and down the documentation and have spent a lot of hours now to get this going.
Describe your question
Hello Folks,
Trying to use the Authentik LDAP provider with FortiGate. Configuration is good. Test user credentials are good.
But FortiGate can't list the LDAP hierarchy [no OUs listed].
Tried the same configuration with OpenLDAP and it's working without any issues.
For some reason, when using Authentik LDAP, Forti tries to filter using: (objectClass=organizationalUnit); however, for OpenLDAP it uses: (|(objectClass=organizationalUnit)(objectClass=organization)(objectClass=dcObject))
Full LDAP logs below.
Do you know how I can get it to work?
Relevant info: FortiGate 7.0.13 and 6.0.4
Logs
OpenLDAP logs:
65883a4c conn=1009 fd=15 ACCEPT from IP=10.11.66.51:6200 (IP=0.0.0.0:10389)
65883a4c conn=1009 op=0 BIND dn="cn=admin,dc=planetexpress,dc=com" method=128
65883a4c conn=1009 op=0 BIND dn="cn=admin,dc=planetexpress,dc=com" mech=SIMPLE ssf=0
65883a4c conn=1009 op=0 RESULT tag=97 err=0 text=
65883a4c conn=1009 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=)"
65883a4c conn=1009 op=1 SRCH attr=subschemaSubentry
65883a4c conn=1009 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
65883a4c conn=1009 op=2 SRCH base="cn=Subschema" scope=0 deref=0 filter="(objectClass=)"
65883a4c conn=1009 op=2 SRCH attr=objectClasses attributeTypes
65883a4c conn=1009 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
65883a4c conn=1009 op=3 SRCH base="" scope=0 deref=0 filter="(objectClass=)"
65883a4c conn=1009 op=3 SRCH attr=vendorName vendorVersion objectClass supportedLDAPVersion supportedControl supportedExtension supportedSASLMechanisms + forestFunctionality domainFunctionality rootDomainNamingContext namingContexts dsaName
65883a4c conn=1009 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
65883a4c conn=1009 op=4 UNBIND
65883a4c conn=1009 fd=15 closed
65883a4d conn=1010 fd=15 ACCEPT from IP=10.11.66.51:6202 (IP=0.0.0.0:10389)
65883a4d conn=1010 op=0 BIND dn="cn=admin,dc=planetexpress,dc=com" method=128
65883a4d conn=1010 op=0 BIND dn="cn=admin,dc=planetexpress,dc=com" mech=SIMPLE ssf=0
65883a4d conn=1010 op=0 RESULT tag=97 err=0 text=
65883a4d conn=1010 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=)"
65883a4d conn=1010 op=1 SRCH attr=subschemaSubentry
65883a4d conn=1010 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
65883a4d conn=1010 op=2 SRCH base="cn=Subschema" scope=0 deref=0 filter="(objectClass=)"
65883a4d conn=1010 op=2 SRCH attr=objectClasses attributeTypes
65883a4d conn=1010 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
65883a4d conn=1010 op=3 SRCH base="" scope=0 deref=0 filter="(objectClass=)"
65883a4d conn=1010 op=3 SRCH attr=vendorName vendorVersion objectClass supportedLDAPVersion supportedControl supportedExtension supportedSASLMechanisms + forestFunctionality domainFunctionality rootDomainNamingContext namingContexts dsaName
65883a4d conn=1010 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
65883a4d conn=1010 op=4 SRCH base="dc=planetexpress,dc=com" scope=2 deref=0 filter="(|(objectClass=organizationalUnit)(objectClass=organization)(objectClass=dcObject))"
65883a4d conn=1010 op=4 SRCH attr=uid objectClass cn displayName fullName givenName sn mail telephoneNumber numSubordinates userPrincipalName memberOf
Authentik LDAP logs:
{"bindDN":"cn=ldapservice,ou=users,dc=goauthentik,dc=io","event":"authenticated from session","level":"info","logger":"authentik.outpost.ldap.binder.session","timestamp":"2023-12-24T14:06:11Z"}
{"bindDN":"cn=ldapservice,ou=users,dc=goauthentik,dc=io","client":"10.11.66.51","event":"Bind request","level":"info","requestId":"92411bfa-f89c-43bf-bda9-c50e775f99ea","timestamp":"2023-12-24T14:06:11Z","took-ms":0}
{"attributes":["subschemaSubentry"],"baseDN":"","bindDN":"cn=ldapservice,ou=users,dc=goauthentik,dc=io","client":"10.11.66.51","event":"Search request","filter":"(objectClass=)","level":"info","requestId":"840bbe59-9229-43a5-a352-21b97ee1fac7","scope":"Base Object","timestamp":"2023-12-24T14:06:11Z","took-ms":0}
{"attributes":["objectClasses","attributeTypes"],"baseDN":"cn=subschema","bindDN":"cn=ldapservice,ou=users,dc=goauthentik,dc=io","client":"10.11.66.51","event":"Search request","filter":"(objectClass=)","level":"info","requestId":"36b7ddd7-41fd-4fae-b341-6bb172f422d8","scope":"Base Object","timestamp":"2023-12-24T14:06:11Z","took-ms":0}
{"attributes":["vendorName","vendorVersion","objectClass","supportedLDAPVersion","supportedControl","supportedExtension","supportedSASLMechanisms","+","forestFunctionality","domainFunctionality","rootDomainNamingContext","namingContexts","dsaName"],"baseDN":"","bindDN":"cn=ldapservice,ou=users,dc=goauthentik,dc=io","client":"10.11.66.51","event":"Search request","filter":"(objectClass=)","level":"info","requestId":"cbff5a66-84ab-46aa-9153-f32fae769266","scope":"Base Object","timestamp":"2023-12-24T14:06:11Z","took-ms":0}
{"bindDN":"cn=ldapservice,ou=users,dc=goauthentik,dc=io","event":"authenticated from session","level":"info","logger":"authentik.outpost.ldap.binder.session","timestamp":"2023-12-24T14:06:11Z"}
{"bindDN":"cn=ldapservice,ou=users,dc=goauthentik,dc=io","client":"10.11.66.51","event":"Bind request","level":"info","requestId":"672c8312-1726-4ac5-9581-0fe0c68b9b0b","timestamp":"2023-12-24T14:06:11Z","took-ms":0}
{"attributes":["subschemaSubentry"],"baseDN":"","bindDN":"cn=ldapservice,ou=users,dc=goauthentik,dc=io","client":"10.11.66.51","event":"Search request","filter":"(objectClass=)","level":"info","requestId":"faa6f06e-e146-4a71-96e1-2119bdb13367","scope":"Base Object","timestamp":"2023-12-24T14:06:11Z","took-ms":0}
{"attributes":["objectClasses","attributeTypes"],"baseDN":"cn=subschema","bindDN":"cn=ldapservice,ou=users,dc=goauthentik,dc=io","client":"10.11.66.51","event":"Search request","filter":"(objectClass=)","level":"info","requestId":"1c561a67-2e7a-4c56-a7d3-d24c109b0c05","scope":"Base Object","timestamp":"2023-12-24T14:06:11Z","took-ms":0}
{"attributes":["vendorName","vendorVersion","objectClass","supportedLDAPVersion","supportedControl","supportedExtension","supportedSASLMechanisms","+","forestFunctionality","domainFunctionality","rootDomainNamingContext","namingContexts","dsaName"],"baseDN":"","bindDN":"cn=ldapservice,ou=users,dc=goauthentik,dc=io","client":"10.11.66.51","event":"Search request","filter":"(objectClass=)","level":"info","requestId":"a7f583be-b659-49c4-8df3-0f40f40c8e0a","scope":"Base Object","timestamp":"2023-12-24T14:06:11Z","took-ms":0}
{"attributes":["uid","objectClass","cn","displayName","fullName","givenName","sn","mail","telephoneNumber","numSubordinates","userPrincipalName","memberOf"],"baseDN":"dc=goauthentik,dc=io","bindDN":"cn=ldapservice,ou=users,dc=goauthentik,dc=io","client":"10.11.66.51","event":"Search request","filter":"(objectClass=organizationalUnit)","level":"info","requestId":"eb2806f7-5049-48fb-ac80-a5c5490328dd","scope":"Whole Subtree","timestamp":"2023-12-24T14:06:11Z","took-ms":0}
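As an added example (not part of this issue, of FortiGate, or of authentik's own code): a small Python script that normalises the two log formats quoted above into comparable search records, so the filter FortiGate sent to each server can be diffed side by side instead of read out of two differently shaped logs. The sample lines are copied from the logs in this issue; the regexes, the scope mapping and the helper names are assumptions of this example about the slapd and outpost log layouts.

```python
"""Normalise slapd and authentik LDAP-outpost log lines into comparable search
records, then compare what the client asked each server for.

Added example for the issue above. Regexes, scope mappings and helper names are
assumptions of this script; the sample log lines are copied from the issue."""
import json
import re
from dataclasses import dataclass

# slapd logs the search scope numerically; the authentik outpost logs a label.
SLAPD_SCOPES = {"0": "base", "1": "one", "2": "sub"}
AUTHENTIK_SCOPES = {"Base Object": "base", "Single Level": "one", "Whole Subtree": "sub"}

SLAPD_SRCH = re.compile(
    r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) deref=\d filter="([^"]*)"')
SLAPD_ATTR = re.compile(r'conn=(\d+) op=(\d+) SRCH attr=(.*)$')
OBJECTCLASS = re.compile(r'\(objectClass=([^)]*)\)', re.IGNORECASE)


@dataclass(frozen=True)
class SearchRequest:
    base: str      # lower-cased, since DNs compare case-insensitively
    scope: str     # "base" / "one" / "sub"
    filter: str
    attrs: tuple


def parse_slapd(text):
    """slapd spreads one search over two lines (SRCH base=... then SRCH attr=...)
    keyed by conn/op, so buffer the first until its attr line arrives."""
    pending, out = {}, []
    for line in text.splitlines():
        m = SLAPD_SRCH.search(line)
        if m:
            conn, op, base, scope, flt = m.groups()
            pending[(conn, op)] = (base.lower(), SLAPD_SCOPES.get(scope, scope), flt)
            continue
        m = SLAPD_ATTR.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            base, scope, flt = pending.pop((m.group(1), m.group(2)))
            out.append(SearchRequest(base, scope, flt, tuple(m.group(3).split())))
    return out


def parse_authentik(text):
    """The outpost emits one JSON object per search, so no pairing is needed."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event") != "Search request":
            continue
        out.append(SearchRequest(rec["baseDN"].lower(),
                                 AUTHENTIK_SCOPES.get(rec["scope"], rec["scope"]),
                                 rec["filter"], tuple(rec["attributes"])))
    return out


def directory_searches(requests):
    """Drop rootDSE ("" base) and subschema probes; keep searches of the real tree."""
    return [r for r in requests if r.base and not r.base.startswith("cn=subschema")]


def filter_object_classes(flt):
    """The set of objectClass values a filter asks for."""
    return set(OBJECTCLASS.findall(flt))


def compare(slapd_text, authentik_text):
    """Tree searches seen by OpenLDAP and by authentik, in request order."""
    return (directory_searches(parse_slapd(slapd_text)),
            directory_searches(parse_authentik(authentik_text)))


# Sample input copied from the logs quoted in the issue (the rootDSE filter is
# reproduced exactly as it appears there).
SLAPD_LOG = """\
65883a4d conn=1010 op=3 SRCH base="" scope=0 deref=0 filter="(objectClass=)"
65883a4d conn=1010 op=3 SRCH attr=vendorName vendorVersion objectClass supportedLDAPVersion supportedControl supportedExtension supportedSASLMechanisms + forestFunctionality domainFunctionality rootDomainNamingContext namingContexts dsaName
65883a4d conn=1010 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
65883a4d conn=1010 op=4 SRCH base="dc=planetexpress,dc=com" scope=2 deref=0 filter="(|(objectClass=organizationalUnit)(objectClass=organization)(objectClass=dcObject))"
65883a4d conn=1010 op=4 SRCH attr=uid objectClass cn displayName fullName givenName sn mail telephoneNumber numSubordinates userPrincipalName memberOf
"""

AUTHENTIK_LOG = """\
{"attributes":["vendorName","vendorVersion","objectClass","supportedLDAPVersion","supportedControl","supportedExtension","supportedSASLMechanisms","+","forestFunctionality","domainFunctionality","rootDomainNamingContext","namingContexts","dsaName"],"baseDN":"","bindDN":"cn=ldapservice,ou=users,dc=goauthentik,dc=io","client":"10.11.66.51","event":"Search request","filter":"(objectClass=)","level":"info","requestId":"a7f583be-b659-49c4-8df3-0f40f40c8e0a","scope":"Base Object","timestamp":"2023-12-24T14:06:11Z","took-ms":0}
{"attributes":["uid","objectClass","cn","displayName","fullName","givenName","sn","mail","telephoneNumber","numSubordinates","userPrincipalName","memberOf"],"baseDN":"dc=goauthentik,dc=io","bindDN":"cn=ldapservice,ou=users,dc=goauthentik,dc=io","client":"10.11.66.51","event":"Search request","filter":"(objectClass=organizationalUnit)","level":"info","requestId":"eb2806f7-5049-48fb-ac80-a5c5490328dd","scope":"Whole Subtree","timestamp":"2023-12-24T14:06:11Z","took-ms":0}
"""

if __name__ == "__main__":
    for name, reqs in zip(("OpenLDAP", "authentik"), compare(SLAPD_LOG, AUTHENTIK_LOG)):
        for r in reqs:
            print(f"{name:9} base={r.base} scope={r.scope} "
                  f"objectClasses={sorted(filter_object_classes(r.filter))}")
```

Run against the two logs above, the only difference between the two tree searches is the filter's objectClass set (three classes against OpenLDAP, one against authentik); base scope and attribute list match. Comparing that way rules out the base DN or attribute list as the cause and narrows the question to why FortiGate chooses a different filter after reading each server's rootDSE and subschema.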