Technical Tip: Configuring LDAP system administrators in FortiManager for FortiGate login
Description
This article describes how to configure LDAP system administrators in FortiManager for FortiGate.
Scope
FortiManager, FortiGate.
Solution
- Enter the specific ADOM created for the FortiGate device. Go to Policy & Objects -> Object Configurations -> User & Device -> LDAP Servers. Make sure that the LDAP server is correctly configured:

- Go to User & Device -> User Groups to create a new user group. Give it a name with 'Firewall' as the type, and add the Remote Authentication Servers pointing to the LDAP server that was added in step 1:
Select Create New to add the new Remote Authentication Server. 'Right-click' on the group to add it to the selection and select OK:
- Go to Device Manager -> Managed Devices. 'Right-click' on the managed device and select Refresh Device:

- Select Install Wizard to push new user groups and the LDAP server to the FortiGate. Select Install Policy Package & Device Settings, then select Policy Package:

- Select Policy Package Diff to check if the new user group and LDAP server configuration are being pushed to the device:

Select Install to continue:
- Once the device is refreshed, select the device on the bottom left panel and select Display Options. Select Administrators and confirm the selection with OK:

- Hover the cursor over System: Dashboard and select Administrators:

- Select Create New to add a new administrator. Provide an administrator name, choose the 'Match all users on remote server group' type, select Admin profile, and select the Remote User Group that was created earlier:

- Select Install Wizard to install the latest configuration on the FortiGate:


Troubleshooting
If the login fails when an administrator tries to log in to FortiGate, enable the following debug commands on the FortiGate and reproduce the login while the output is captured:
diagnose debug application fnbamd 255 <- Up to version 6.4.2.
diagnose debug application authd 255 <- From version 6.4.3.
diagnose debug console timestamp enable
diagnose debug enable
Once the output has been collected, disable debugging and reset the debug settings:
diagnose debug disable
diagnose debug reset
Note:
Communication between FortiManager and the LDAP server must be allowed.
When the User Group is created and the 'Remote Authentication Server' is selected, FortiManager probes the LDAP server with a TCP SYN on port 389 (LDAP) or 636 (LDAPS).
If this traffic is blocked and the TCP 3-way handshake cannot complete, FortiManager cannot reach the LDAP server and the User Group cannot be configured.
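The reachability requirement in the note can be verified before creating the User Group. The script below is an added example, not Fortinet code: it performs the same TCP connect (3-way handshake) to ports 389 and 636 that FortiManager attempts, and reports whether the failure looks like a filtered SYN (timeout) or a closed port (RST). Run it from a host in the same network position as FortiManager; the hostname is a placeholder.

```python
"""Check that an LDAP server accepts TCP connections on 389/636,
imitating the probe FortiManager sends when a Remote Authentication
Server is selected. Added example; hostnames are placeholders."""
import socket
import sys

LDAP_PORTS = {389: "LDAP", 636: "LDAPS"}


def probe_tcp(host, port, timeout=3.0):
    """Return (ok, detail). ok is True only if the 3-way handshake completed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "handshake completed"
    except socket.timeout:
        # No SYN/ACK within the timeout: SYN most likely dropped by a firewall.
        return False, "timed out (SYN likely dropped or filtered)"
    except ConnectionRefusedError:
        # Host answered with RST: reachable, but nothing listens on this port.
        return False, "connection refused (port closed on the host)"
    except OSError as exc:
        return False, f"error: {exc.strerror or exc}"


def check_ldap_server(host, ports=LDAP_PORTS, timeout=3.0):
    """Probe every LDAP port and return a per-port result dictionary."""
    results = {}
    for port, service in ports.items():
        ok, detail = probe_tcp(host, port, timeout)
        results[port] = {"service": service, "reachable": ok, "detail": detail}
    return results


def any_reachable(results):
    """FortiManager needs at least one of the probed ports to complete."""
    return any(r["reachable"] for r in results.values())


if __name__ == "__main__":
    # Placeholder hostname; pass the real LDAP server as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.internal"
    res = check_ldap_server(target)
    for port, r in sorted(res.items()):
        state = "OK  " if r["reachable"] else "FAIL"
        print(f"[{state}] {target}:{port} ({r['service']}): {r['detail']}")
    sys.exit(0 if any_reachable(res) else 1)
```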