Technical Tip: How to bind an LDAP server with a least-privilege LDAP service account in FortiGate
Description
This article describes how to bind an LDAP server with a least-privileged LDAP service account in FortiGate.
Scope
FortiGate.
Solution
It is not recommended to use a domain administrator account for LDAP binding. Instead, create a separate user account with minimal privileges and use it for the LDAP Regular Bind.
In Active Directory, create a user account with the following parameters:
- The user cannot change the password.
- The password never expires.

To allow the account to add machines, right-click the container in Active Directory Users and Computers and select 'Delegate Control'.
This launches the Delegation of Control Wizard.

Select 'Next', select 'Add', add the previously created service account, and select 'Next'.

Select 'Create a custom task to delegate', then select 'Next'.

Select 'Only the following objects in the folder', select 'Computer objects', select 'Create selected objects in this folder' and select 'Next'.

Under Permissions, select 'Create All Child Objects', 'Write All Properties', and 'Change Password', select 'Next' and select 'Finish'.

In FortiGate, go to User & Authentication -> LDAP Servers and select 'Create New':
Configure the following:

Set the Bind Type to Regular and fill in the Username and Password fields with the credentials of the newly created service account. After filling out the required fields, select 'Test connectivity'.
The connection status must show Successful, which confirms that the LDAP server bind works.
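The following PowerShell script is an added example, not part of the Fortinet article. It creates the service account with the two options listed above (the user cannot change the password, the password never expires), verifies that the account belongs to no privileged group, and then performs the same simple (regular) bind that FortiGate performs, so that a failing 'Test connectivity' on the FortiGate side can be separated from an account or password problem on the directory side. The domain name corp.example.com, the OU path, the account name svc-fgt-ldap and the domain controller dc01.corp.example.com are assumed values; replace them with your own.

```powershell
# Added example (not from the Fortinet article). Assumed environment values:
# domain corp.example.com, OU "Service Accounts", account svc-fgt-ldap, DC dc01.
Import-Module ActiveDirectory

$Name   = 'svc-fgt-ldap'
$Domain = 'corp.example.com'
$Path   = 'OU=Service Accounts,DC=corp,DC=example,DC=com'
$Server = 'dc01.corp.example.com:636'     # LDAPS; FortiGate can be set to the same
$Secret = Read-Host -AsSecureString -Prompt "Password for $Name"

# Create the account with the two options the article asks for:
# the user cannot change the password, and the password never expires.
New-ADUser -Name $Name -SamAccountName $Name `
    -UserPrincipalName "$Name@$Domain" `
    -Path $Path -AccountPassword $Secret -Enabled $true `
    -CannotChangePassword $true -PasswordNeverExpires $true `
    -Description 'FortiGate LDAP regular-bind service account (least privilege)'

# Check 1: a regular bind only needs the read access every domain user already has,
# so the account must not be a member of any privileged group.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
              'Administrators', 'Account Operators'
$groups = (Get-ADPrincipalGroupMembership -Identity $Name).Name
$bad = $groups | Where-Object { $privileged -contains $_ }
if ($bad) { throw "Service account is in privileged group(s): $($bad -join ', ')" }

# Check 2: perform the simple bind with the account's distinguished name, which is
# also the value to enter in the FortiGate Username field for a Regular bind type.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$dn   = (Get-ADUser -Identity $Name).DistinguishedName
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = New-Object System.Net.NetworkCredential($dn, $Secret)
try {
    $conn.Bind()
    "Regular bind as $dn succeeded; use this DN as the FortiGate bind Username"
} catch {
    throw "Regular bind failed: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}
```

Run the script as a domain administrator on a machine with the RSAT ActiveDirectory module installed. If the bind succeeds here but 'Test connectivity' on the FortiGate still fails, the remaining variables are the FortiGate-side fields (server address, port, Common Name Identifier, Distinguished Name and the Username/Password typed into the LDAP Server page).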
