Technical Tip: Manage FortiGate with user of LDAP server
Description
This article describes how to manage the FortiGate with an LDAP server user instead of creating a local user.
Scope
Solution
1) Create an LDAP server profile.
# config user ldap
edit "LdapServer"
set server "192.168.100.3"
set cnid "cn"
set dn "dc=markoz,dc=com,dc=mx"
set type regular
set username "CN=Administrator, CN=users, DC=markoz,DC=com,DC=mx"
set password ENC ...
next
end
2) Identify the group membership of the user on the LDAP server; in this example the user is Prueba1:
# diagnose test authserver ldap LdapServer Prueba1 Prueba3
authenticate 'Prueba1' against 'LdapServer' succeeded!
Group membership(s) - CN=Finanzas,CN=Users,DC=markoz,DC=com,DC=mx <----- Finanzas.
CN=Domain Users,CN=Users,DC=markoz,DC=com,DC=mx
3) Create a local group and associate it with the LDAP group.
# config user group
edit 'LDAP-Authentication'
set member 'LdapServer'
config match
edit 1
set server-name 'LdapServer'
set group-name 'CN=Finanzas,CN=Users,DC=markoz,DC=com,DC=mx' <----- Finanzas.
next
end
next
end
4) Create an admin user and associate it with the local group.
# config system admin
edit "UserLDAP"
set remote-auth enable
set accprofile "super_admin"
set vdom "root"
set wildcard enable
set remote-group "LDAP-Authentication"
next
end
5) Authenticate to the FortiGate with the username and password of a user in the LDAP server group.
# get system admin list
username local device vdom profile remote started
admin ssh internal:192.168.1.91:22 root super_admin 192.168.1.111:59804 2016-07-08 16:09:18
Prueba1 https internal:192.168.1.91:9002 root super_admin 192.168.1.111:59827 2016-07-08 16:14:12
Prueba1 ssh internal:192.168.1.91:22 root super_admin 192.168.1.111:59869 2016-07-08 16:15:55
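As an added offline check (example code, not part of this Fortinet article or of FortiOS), the following parses the `diagnose test authserver ldap` output from step 2 and decides whether the user's group membership matches the `group-name` configured under `config match` in step 3, so a mismatch (wrong OU, stray spaces, different case) can be spotted before the admin login in step 5 is attempted. The DN normalisation rule (trim spaces around RDNs, case-insensitive compare) is an assumption modelled on Active Directory behaviour, not FortiOS's own comparison routine; the sample output is constructed from the article with the annotation removed.

```python
import re

# Constructed sample: the step 2 output from this article, annotation stripped.
DIAG_OUTPUT = """authenticate 'Prueba1' against 'LdapServer' succeeded!
Group membership(s) - CN=Finanzas,CN=Users,DC=markoz,DC=com,DC=mx
CN=Domain Users,CN=Users,DC=markoz,DC=com,DC=mx
"""


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing DNs: trim whitespace around each RDN and
    lower-case everything. Assumption for this example (AD matches DNs
    case-insensitively); FortiOS's own matching rule is not documented here."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_diag_output(text: str):
    """Return (authenticated, groups) from 'diagnose test authserver ldap' output.

    The first group DN follows 'Group membership(s) - '; any further DNs are
    printed one per line after it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    authenticated = any("succeeded" in ln for ln in lines)
    groups = []
    for ln in lines:
        m = re.match(r"Group membership\(s\)\s*-\s*(.+)$", ln)
        if m:
            groups.append(m.group(1))
        elif groups and "=" in ln:  # continuation line carrying another DN
            groups.append(ln)
    return authenticated, groups


def admin_login_allowed(diag_text: str, match_group: str) -> bool:
    """Mirror the article's setup: the bind must succeed AND the user must be
    in the group-name bound to the admin's remote-group. Note that every
    member of that group then receives the same accprofile (super_admin in
    the article), so the group should be kept as small as the role needs."""
    authenticated, groups = parse_diag_output(diag_text)
    if not authenticated:
        return False
    wanted = normalize_dn(match_group)
    return any(normalize_dn(g) == wanted for g in groups)
```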