diff --git a/samples/production-v1.2-noRedis.env.sample b/samples/production-v1.2-noRedis.env.sample
index 5b14fec..237bc61 100644
--- a/samples/production-v1.2-noRedis.env.sample
+++ b/samples/production-v1.2-noRedis.env.sample
@@ -269,48 +269,43 @@ CustomerConfigs__0__FortigateBehaviour__FailAuthIfGroupUnknown=false # CustomerConfigs__2__* # etc. -******************************************************************************************** -OPTIONAL: FortigateBehaviour -******************************************************************************************** - -... -"FortigateBehaviour": { - "VendorSpecificAttributeTriggerValue": "root", - "UserGroupSearchFilter": "(&(objectClass=groupOfNames)({0}))", - "FortinetLdapUserGroupMap": [ - { - "ForitnetGroupName": "gu-rad_msrl_sslvpn1", - "LdapGroupDn": "ldap-group-dn-admin" - }, - { - "ForitnetGroupName": "gu-rad_msrl_sslvpn2", - "LdapGroupDn": "ldap-group-dn-user" - } - ], - "FortinetAccessProfile": "none", - "DefaultFortinetGroupName": "no-group-found", - "FailAuthIfGroupUnknown": false -} -... - -The FortigateBehaviour's JSON section in the above example is OPTIONAL. -- Enabling/disabling the feature: The described behaviour is implicitly activated if the attribute "Fortinet-Vdom-Name = root" (via Vendor-Specific Attributes) is set in the Access-Request Packet -- Procedure with activated Fortigate behaviour: - - After reading out the user from LDAP, additionally read out all user groups by means of "UserGroupSearchFilter" (Config) - - Match the user groups against "FortinetLdapUserGroupMap" (Config) and read out the mapped Fortigate group. The FIRST matching group is taken! 
- - The following cases are then distinguished in the radius response:
- - Fortigate group found: Enrich Access-Accept with the following (Vendor-Specific) attributes:
- => Fortinet-Vdom-Name = "root" (taken from Access-Request)
- => Fortinet-Group-Name = {{ matching Fortigate group }}
- => Fortinet-Access-Profile = {{ "FortinetAccessProfile" (Config) }}
- - Fortigate group not found:
- -> If "FailAuthIfGroupUnknown = true": Access-Reject with corresponding error
- -> If "FailAuthIfGroupUnknown = false": Enrich Access-Accept with the following attributes:
- => Fortinet-Vdom-Name = "root" (taken from Access-Request)
- => Fortinet-Group-Name = {{ "DefaultFortinetGroupName" (Config) }}"
- => Fortinet Access Profile = {{ "FortinetAccessProfile" (Config) }}"
-
-Additional Infos:
-- https://www.rfc-editor.org/rfc/rfc2865#section-5.26
-- Possible query to get all user groups: (&(objectCategory=group){0})
-- https://www.fortinetguru.com/2016/06/authentication-servers/4/
\ No newline at end of file
+############################################################################################
+# OPTIONAL: FortigateBehaviour
+############################################################################################
+#
+# ...
+# "FortigateBehaviour": {
+# "VendorSpecificAttributeTriggerValue": "root",
+# "UserGroupSearchFilter": "(&(objectClass=groupOfNames)({0}))",
+# "FortinetLdapUserGroupMap": [
+# {
+# "ForitnetGroupName": "gu-rad_msrl_sslvpn1",
+# "LdapGroupDn": "ldap-group-dn-admin"
+# },
+# {
+# "ForitnetGroupName": "gu-rad_msrl_sslvpn2",
+# "LdapGroupDn": "ldap-group-dn-user"
+# }
+# ],
+# "FortinetAccessProfile": "none",
+# "DefaultFortinetGroupName": "no-group-found",
+# "FailAuthIfGroupUnknown": false
+# }
+# ...
+
+# The FortigateBehaviour's JSON section in the above example is OPTIONAL.
+# - Enabling/disabling the feature: The described behaviour is implicitly activated if the attribute "Fortinet-Vdom-Name = root" (via Vendor-Specific Attributes) is set in the Access-Request Packet
+# - Procedure with activated Fortigate behaviour:
+# - After reading out the user from LDAP, additionally read out all user groups by means of "UserGroupSearchFilter" (Config)
+# - Match the user groups against "FortinetLdapUserGroupMap" (Config) and read out the mapped Fortigate group. The FIRST matching group is taken!
+# - The following cases are then distinguished in the radius response:
+# - Fortigate group found: Enrich Access-Accept with the following (Vendor-Specific) attributes:
+# => Fortinet-Vdom-Name = "root" (taken from Access-Request)
+# => Fortinet-Group-Name = {{ matching Fortigate group }}
+# => Fortinet-Access-Profile = {{ "FortinetAccessProfile" (Config) }}
+# - Fortigate group not found:
+# -> If "FailAuthIfGroupUnknown = true": Access-Reject with corresponding error
+# -> If "FailAuthIfGroupUnknown = false": Enrich Access-Accept with the following attributes:
+# => Fortinet-Vdom-Name = "root" (taken from Access-Request)
+# => Fortinet-Group-Name = {{ "DefaultFortinetGroupName" (Config) }}"
+# => Fortinet Access Profile = {{ "FortinetAccessProfile" (Config) }}"
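Review bot: The new comment block describes the `FailAuthIfGroupUnknown = false` branch but never says that this is the fail-open setting: a user whose LDAP groups match nothing in `FortinetLdapUserGroupMap` still receives an Access-Accept, merely tagged with `DefaultFortinetGroupName`, so both the example (`"FailAuthIfGroupUnknown": false`) and the `CustomerConfigs__0__FortigateBehaviour__FailAuthIfGroupUnknown=false` line above the hunk leave VPN access resting on the FortiGate denying the `no-group-found` group; I would add after that branch `# NOTE: false is fail-open - users in no mapped group are still authenticated; set true unless the FortiGate explicitly denies DefaultFortinetGroupName`. The "Enabling/disabling" line hardcodes `Fortinet-Vdom-Name = root`, while the example shows the trigger is the configurable `VendorSpecificAttributeTriggerValue` and the Vdom value echoed into the Access-Accept is whatever the NAS sent, so the line should read `activated if the Access-Request carries Fortinet-Vdom-Name equal to "VendorSpecificAttributeTriggerValue" (Config)`. The two `{{ ... (Config) }}"` lines carry a stray trailing `"`, and `ForitnetGroupName` is misspelled in both map entries - if that is the key the application actually reads it must stay, but a comment saying so would stop an operator from "fixing" it in a real config. The hunk also drops the old "Additional Infos" references (RFC 2865 §5.26 and the Active Directory `(&(objectCategory=group){0})` filter); since the example filter only covers `groupOfNames`, the AD variant is worth keeping as a comment next to `UserGroupSearchFilter`.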