Skip to main content
lmarinovic
Staff
lmarinovic
Staff
July 13, 2015

Technical Tip: How to configure LDAP services on FortiAuthenticator and integrate it to FortiGate for authentication

  • July 13, 2015
  • 0 replies
  • 11486 views

Description

 

This article describes how to configure LDAP services on the FortiAuthenticator and shows how to integrate with a FortiGate.
This includes the FortiAuthenticator as well as the FortiGate configuration.


Scope

 

FortiGate.

FortiAuthenticator.

Solution

 
Diagram.
Internet <----> FortiGate <----> FortiAuthenticator <---->(LAN).

FortiAuthenticator Configuration.
  1. Enable LDAP services on the interface connected to the FortiGate.

Go to Network -> Interfaces -> Access Rights -> Services, select the check box for LDAP (TCP/389).

 

25.png

 

  1. Create Groups.
  • LDAP Administrator  Group.

Go to Authentication -> User Management -> User Groups -> Create New, create a new group named: â€˜ldap_admins’.

 

26.png

 

  • Create User groups.

Go to Authentication -> User Management -> User Groups -> Create New, create a new group named: â€˜testgrp’.

 

27.png

 

  1. Create users and add them to the respective groups created earlier.
  • Users.

Go to Authentication -> User Management -> Local Users -> Create New.

ldapadmin -> to the group ldap_admins.

Add rights to the 'ldapadmin' user for LDAP browsing.

 

28.png

 

test1 -> To the group testgrp.

 

29.png

 

After configurations are done:

 

  • Users:

 

30.png

 

  • Groups:

 

31.png

 

  1. Configure the directory Tree as shown below. Ensure that the LDAP Administrator is a part of the LDAP tree. The LDAP admin and the users must be contained as objects below the 'Distinguished name' (= baseDN) configuration on FortiGate. If the Admin or user is outside of the baseDN, the objects will not be found.

Go to Authentication -> LDAP Service -> Directory Tree.

 

32.png

 

FortiGate Configuration.
  1. Configure LDAP services.
  • Go to User & Authentication -> LDAP Servers -> Create New.

Complete using:

FortiAuthenticator Interface IP: Server IP/Name.
FortiAuthenticator LDAP Interface Service Port, default 389.
Distinguished Name. Same name used in FortiAuthenticator LDAP Service -> Directory Tree.
Username and Password.
 
33.png

 

  1. Test Authentication from FortiGate CLI, with the command syntax as follows:

diagnose test authserver ldap <name of LDAP server configuration> <username> <password>
 
Example:

diagnose test authserver ldap LDAP ldapadmin admin$123
 
34.png

 

  1. FortiAuthenticator Logs.
 
Go to Logging -> Log Access -> Logs, select 'ldapadmin' authentication log:
 
35.png
  1. Create User Group.
Go to User & Device -> User -> User Groups, enter 'Name' and select 'Create New' under 'Remote groups', select the remote server created, and select the required user group name.
36.png

 

 

  1. The user group created on the firewall in the last step can now be selected on the appropriate firewall authentication policy.

Verify the fnbamd debugs by running the following commands in FortiGate:

 

diagnose debug console timestamp enable

diagnose debug application fnbamd -1

diagnose debug enable 

 

Debug output example:

 

2025-09-11 13:40:08 [1982] ldap_copy_grp_list-copied cn=ldap_admins,dc=example,dc=com
2025-09-11 13:40:08 [195] find_matched_usr_grps-Skipped group matching
2025-09-11 13:40:08 [2553] fnbamd_ldap_result-Result for ldap svr LDAP is SUCCESS
2025-09-11 13:40:08 [2564] fnbamd_ldap_result-Skipping group matching
2025-09-11 13:40:08 [909] update_auth_token_session-config does not require 2fa
2025-09-11 13:40:08 [239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 120598576119810, len=2629  <- 0 means an authentication success; 1 means a failed authentication.
2025-09-11 13:40:08 [600] destroy_auth_session-delete session 120598576119810

 

To get detailed LDAP logs in FortiAuthenticator, navigate to https://<Fortiauthenticator_ip or fqdn>/debug and then select Other -> LDAP.

 
Related documents:
    Terms & ConditionsAccessibility statement