Description.
This article describes how to configure LDAP services on the FortiAuthenticator and shows how to integrate with a FortiGate.
This includes the FortiAuthenticator as well as the FortiGate configuration.
Scope.
FortiGate.
FortiAuthenticator.
Solution.
Diagram.
Internet <----> FortiGate <----> FortiAuthenticator <---->(LAN)
FortiAuthenticator Configuration.
- Enable LDAP services on the interface connected to the FortiGate.
Go to Network -> Interfaces -> Access Rights -> Services and select the check box for LDAP (TCP/389).
![25.png 25.png](/t5/image/serverpage/image-id/59637iDB46FC8BDDD633C6/image-size/large/is-moderation-mode/true?v=v2&px=999)
- Create Groups.
- LDAP Administrator Group.
Go to Authentication -> User Management -> User Groups -> Create New, and create a new group named 'ldap_admins'.
![26.png 26.png](/t5/image/serverpage/image-id/59638iC972A0BB9FC39D99/image-dimensions/701x483/is-moderation-mode/true?v=v2)
- LDAP Test Group.
Go to Authentication -> User Management -> User Groups -> Create New, and create a new group named 'testgrp'.
![27.png 27.png](/t5/image/serverpage/image-id/59639iA41DB46D1BFDD0E3/image-dimensions/699x475/is-moderation-mode/true?v=v2)
- Create users and add them under the respective groups created earlier.
Go to Authentication -> User Management -> Local Users -> Create New.
ldapadmin -> member of the group 'ldap_admins'.
Grant the 'ldapadmin' user LDAP browsing rights.
![28.png 28.png](/t5/image/serverpage/image-id/59640i2B244DA7AAEAD9C5/image-dimensions/702x516/is-moderation-mode/true?v=v2)
test1 -> member of the group 'testgrp'.
![29.png 29.png](/t5/image/serverpage/image-id/59641iCD92B9FF9A81A2BC/image-dimensions/701x527/is-moderation-mode/true?v=v2)
After the configuration is complete:
![30.png 30.png](/t5/image/serverpage/image-id/59642i6B80F5B8F199CADC/image-dimensions/701x87/is-moderation-mode/true?v=v2)
![31.png 31.png](/t5/image/serverpage/image-id/59643iFF14810A04DC632B/image-dimensions/698x116/is-moderation-mode/true?v=v2)
- Configure the Directory Tree as shown below. Ensure that the LDAP administrator is part of the LDAP tree. The LDAP admin and the users MUST be objects below the 'Distinguished Name' (the baseDN) configured on the FortiGate; if the admin or a user sits outside the baseDN, the FortiGate will not find the object.
Go to Authentication -> LDAP Service -> Directory Tree.
FortiGate Configuration.
- Go to User & Authentication -> LDAP Servers -> Create New.
Complete the form using:
Server IP/Name: the FortiAuthenticator interface IP.
Server Port: the FortiAuthenticator LDAP service port (default 389).
Distinguished Name: the same name used in FortiAuthenticator Authentication -> LDAP Service -> Directory Tree.
Username and Password: the credentials of the LDAP administrator user created above.
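The Directory Tree caveat above (objects outside the FortiGate 'Distinguished Name' are never found) can be checked offline before testing from the FortiGate. This is an added example, not Fortinet code; the DNs are constructed to match the names used in this article (ldapadmin, test1, ldap_admins, testgrp) and must be replaced with the real values from the FortiAuthenticator Directory Tree.

```python
"""Verify that the LDAP bind DN and user DNs lie below the FortiGate baseDN.
Added example (not Fortinet code); all DNs below are constructed for illustration."""
import re


def parse_dn(dn: str) -> list[str]:
    """Split a DN into normalized RDNs: attribute type and value lower-cased,
    surrounding whitespace removed. A comma escaped as '\\,' inside a value is
    kept as part of the value instead of being treated as an RDN separator."""
    out = []
    for rdn in re.split(r'(?<!\\),', dn):
        rdn = rdn.strip()
        attr, sep, value = rdn.partition('=')
        if not rdn or not sep:
            raise ValueError(f"malformed RDN in DN: {dn!r}")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return out


def is_under_base_dn(dn: str, base_dn: str) -> bool:
    """True if dn is base_dn itself or lies anywhere in the subtree below it,
    i.e. the normalized RDNs of base_dn are a suffix of those of dn."""
    rdns, base = parse_dn(dn), parse_dn(base_dn)
    return len(rdns) >= len(base) and rdns[len(rdns) - len(base):] == base


def check_scope(base_dn: str, bind_dn: str, user_dns: list[str]) -> dict[str, bool]:
    """Map the bind DN and each user DN to whether the FortiGate, searching
    from base_dn, would be able to find that object."""
    return {dn: is_under_base_dn(dn, base_dn) for dn in [bind_dn, *user_dns]}


if __name__ == "__main__":
    BASE_DN = "dc=example,dc=com"  # constructed: FortiGate 'Distinguished Name'
    BIND_DN = "cn=ldapadmin,ou=ldap_admins,dc=example,dc=com"  # constructed
    USERS = [
        "cn=test1,ou=testgrp,dc=example,dc=com",  # inside the baseDN: found
        "cn=test2,ou=testgrp,dc=other,dc=com",    # outside the baseDN: not found
    ]
    for dn, found in check_scope(BASE_DN, BIND_DN, USERS).items():
        print(("OK      " if found else "OUTSIDE ") + dn)
```

Run it with the baseDN you intend to enter on the FortiGate; any line marked OUTSIDE will fail the 'diagnose test authserver' check below no matter how the rest of the LDAP server entry is configured.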
- Test authentication from the FortiGate CLI with the following command syntax:
diagnose test authserver ldap <name of LDAP server configuration> <username> <password>
Example:
diagnose test authserver ldap LDAP ldapadmin admin$123
On the FortiAuthenticator, go to Logging -> Log Access -> Logs and select the 'ldapadmin' authentication log entry:
- Create User Group.
Go to User & Device -> User -> User Groups, enter a 'Name', select 'Create New' under 'Remote groups', select the remote server created earlier and then select the required user group name.
- The user group created on the firewall in the last step can now be selected in the appropriate firewall authentication policy.