Skip to main content
Somashekara_Hanumant
Staff & Editor
Somashekara_Hanumant
Staff & Editor
July 7, 2020

Technical Tip: LDAP authentication on FortiProxy

  • July 7, 2020
  • 1 reply
  • 8043 views

Description


This article describes how to configure LDAP server and authentication scheme.

LDAP User authentication in Explicit-Proxy mode.

  • Configure the LDAP server.
  • Configure Authentication Scheme/rules and proxy auth settings.
  • Configure firewall policies with LDAP authentication by selecting the explicit mode.
  • Enabling proxy settings on the workstation and test the authentication.

 

Scope

 

FortiProxy

Solution

 

Configuring LDAP server.



 
config user ldap
    edit "Proxy-AD"
        set server "10.40.9.78"
        set cnid "sAMAccountName"
        set dn "dc=dubailab,dc=lab"
        set type regular
        set username "cn=administrator,cn=users,dc=dubailab,dc=lab"
        set password xxxxxx
    next
end
 
Configure Authentication Scheme.
 

 
config authentication scheme
    edit "ldap-scheme"       
        set method basic       
        set user-database "Proxy-AD"   
    next
end
 
Configuring Authentication Rule.
 
 
For testing purposes source address is added as 10.40.9.42/32, LDAP users can authenticate from this IP address only.
 
config firewall address
    edit "9-42"
        set subnet 10.40.9.42 255.255.255.255
    next
end

config authentication rule
    edit "ldap_rule"
        set srcintf "port2"
        set srcaddr "9-42"
        set dstaddr "all"
        set active-auth-method "ldap-scheme"
    next
end
 
Configure Proxy Authentication Settings.
 
 
config authentication setting
    set active-auth-scheme "ldap-scheme"
end
 
Configure firewall policies with LDAP authentication by selecting the explicit mode.
 
 

 
config firewall policy
    edit 1
        set type explicit-web
        set explicit-web-proxy "web-proxy"
        set dstintf "port1"
        set srcaddr "9-42"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set groups "ldap-sslvpn"
        set utm-status enable
    next
end
 
Configuring User browser and validation.
 
  
User authentication.

Once the user is authenticated, the user under FortiView -> User can be seen.
 

 

Note:

Only  HTTP, HTTPS, FTP, and Telnet protocols are supported by LDAP.

 

Troubleshooting:

Useful debug command:

       

diagnose wad filter src <source IP>

diagnose wad debug enable category auth

diagnose wad debug enable category policy

diagnose wad debug enable level verbose

diagnose debug application fnbamd -1

diagnose debug enable

 

To disable debug:

 

diagnose debug disable

diagnose debug reset

 

Then, run the below command on FortiProxy to verify whether user authentication working correctly with the LDAP server or not.


diagnose test authserver ldap <server_name> <username> <password>

 

Related document:

Configuring an LDAP server

    1 reply

    crao
    Staff
    crao
    Staff
    November 13, 2025

    Thanks for sharing.

    Terms & ConditionsAccessibility statement