Skip to main content
sinamdar
Staff & Editor
sinamdar
Staff & Editor
June 23, 2010

Technical Tip: How to create administrators which can be authenticated by a LDAP Server

  • June 23, 2010
  • 0 replies
  • 37272 views

Description

 

This article describes how to create FortiGate admin users which can be authenticated by a LDAP server.


Scope


Access FortiGate WebGUI using LDAP users

Solution

 

Configuration Method:


To use an LDAP server to authenticate administrators in a VDOM, the authentication has to be configured before the administrator accounts are created.

 

  1.  Configure an LDAP server

 

For example:

 
Anthony_E_0-1694805299483.png
 
config user ldap
    edit "ldap"
        set server "10.40.9.78"
        set cnid "sAMAccountName"
        set dn "dc=dubailab,dc=lab"
        set type regular
        set username "cn=administrator,cn=users,dc=dubailab,dc=lab"
        set password p@ssword
    end

If only a particular group of members are to be allowed to log in to FortiGate as administrators, a FortiGate group must be configured to limit access.

  1. Create an LDAP user group on Active Directory and FortiGate.

 

create_new_group_ad.png

 

create_new_group_ad_2.png

 

Right-click the new group, select 'Properties' and add users that will authenticate:

 

create_new_group_ad_3.png

 

 

Create group on Fortigate:

 

Stephen_G_0-1746717850992.png

 

config user group
    edit "salesgrp"
        set group-type firewall
        set authtimeout 0
        set auth-concurrent-override disable
        set http-digest-realm ''
        set member "ldap"
            config match
                edit 1
                    set server-name "ldap"
                    set group-name "CN=salesgrp,CN=Users,DC=dubailab,DC=lab"
                next
            end
        next
    end

 

 
  1. Configure an administrator to authenticate with an LDAP server.
 
Stephen_G_1-1746717901315.png

 

config system admin
    edit "ldap_admin"
        set remote-auth enable
        set accprofile "prof_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "salesgrp"
    next
end

The remainder of the parameters have to be left with the default values.

Note:
 
If 'wildcard' is not being enabled, it means that not all LDAP (AD) group members are being allowed.
In this case, it is necessary to configure the name with the same name that the user has on AD, with the password.
 
Special Note:
If the user is importing users from LDAP on FortiGate and creating a local group with these imported LDAP members, this Group will not appear while creating a wildcard administrator.
 
To verify, access the FortiGate WebGUI using the LDAP user 'sales'.
 
Stephen_G_2-1746718017203.png

 

Use the commands below to capture the debug output.

 

diagnose debug enable
diagnose debug application fnbamd -1
 
[59] ldap_dn_list_del_all-Del CN=sales,OU=new2,DC=dubailab,DC=lab
[3141] fnbamd_ldap_result-Result for ldap svr 10.40.9.78 is SUCCESS
[399] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=dubailab,DC=lab
[3152] fnbamd_ldap_result-Passed group matching
[1047] find_matched_usr_grps-Group 'salesgrp' passed group matching
[1048] find_matched_usr_grps-Add matched group 'salesgrp'(2)
[2887] fnbamd_fas_send_push-username:sales, vdom:root, usertype:0, tfc=0, auth_type:16

 

[181] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 295304432
[724] destroy_auth_session-delete session 295304432
[59] ldap_dn_list_del_all-Del CN=salesgrp,CN=Users,DC=dubailab,DC=lab
[59] ldap_dn_list_del_all-Del CN=Domain Users,CN=Users,DC=dubailab,DC=lab
 
Related document:
    Terms & ConditionsAccessibility statement