Failed LDAP login without "Domain users"

Hey, when I create an LDAP user with "Domain users" as its primary group and I add the RADIUS group for the SSL VPN authentication using PrivacyIDEA, everything works fine.

But when I create a user with only the RADIUS group, without the Domain users group, the authentication fails. This is also the case if I first create a user with the Domain users and RADIUS groups and only then remove the Domain users group from the user; the authentication then breaks and fails.

Our goal is to have the user be a part of only the RADIUS group, instead of the Domain users group. Is there an option anywhere to do that? Is this known behaviour?

Update: the issue seems to be related to the primary group set on the user in the AD.

When the RADIUS group is the primary group of the user (that’s the case when it’s the only group the user is a part of), then the auth fails, because I assume the RADIUS group isn’t sent back to the Fortigate SSL VPN.

And when it’s not the primary group, the auth succeeds.

Is there any option to make PrivacyIDEA not care whether it's the primary group or a secondary one, and forward the Fortinet RADIUS group at all times, if present?
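Added example, not code from the original post or from PrivacyIDEA: a small Python model of why the group "disappears" when it becomes primary. Active Directory does not list a user's primary group in memberOf; it stores only that group's RID in primaryGroupID, so any resolver that matches on memberOf alone never sees the RADIUS group once it is the primary group. The domain SID, group DNs, RIDs and user records are constructed sample data, and the assumption that the resolver filters on memberOf is exactly that, an assumption.

```python
"""Resolve a user's effective AD group membership, including the primary group.

Added example, not part of the original post or of PrivacyIDEA. AD omits the
primary group from memberOf and records only its RID in primaryGroupID, so a
membership check based on memberOf alone misses it. All directory data here
is constructed sample data.
"""

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

# Constructed group catalogue: group DN -> objectSid (string form).
# RID 513 is the well-known "Domain Users" RID; 1105 is a made-up RID.
GROUPS = {
    "CN=Domain Users,CN=Users,DC=example,DC=com": DOMAIN_SID + "-513",
    "CN=RADIUS,OU=Groups,DC=example,DC=com": DOMAIN_SID + "-1105",
}


def primary_group_dn(user_attrs, groups=GROUPS):
    """Map primaryGroupID (a RID) to the group whose objectSid ends in it."""
    # The primary group lives in the same domain as the user, so its SID is
    # the user's domain SID with the RID from primaryGroupID appended.
    domain_sid = user_attrs["objectSid"].rsplit("-", 1)[0]
    target = f"{domain_sid}-{user_attrs['primaryGroupID']}"
    for dn, sid in groups.items():
        if sid == target:
            return dn
    return None


def effective_groups(user_attrs, groups=GROUPS):
    """memberOf plus the primary group, which AD leaves out of memberOf."""
    dns = list(user_attrs.get("memberOf", []))
    primary = primary_group_dn(user_attrs, groups)
    if primary and primary not in dns:
        dns.append(primary)
    return dns


def in_group_memberof_only(user_attrs, group_dn):
    """What a resolver sees when it checks memberOf alone (the failing case)."""
    return group_dn in user_attrs.get("memberOf", [])


def in_group(user_attrs, group_dn, groups=GROUPS):
    """Membership check that also honours the primary group."""
    return group_dn in effective_groups(user_attrs, groups)
```

With a user whose only group is RADIUS (so RADIUS is the primary group and memberOf is empty), `in_group_memberof_only` returns False while `in_group` returns True, which matches the behaviour described in the post.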