FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
lmarinovic (Staff)
Article Id 190650

Description

This article describes how to configure LDAP services on FortiAuthenticator and how to integrate them with a FortiGate. Both the FortiAuthenticator and the FortiGate side of the configuration are covered.


Scope

FortiGate, FortiAuthenticator.

Solution

Diagram:

Internet <----> FortiGate <----> FortiAuthenticator <----> LAN

FortiAuthenticator Configuration.

  1. Enable LDAP services on the interface connected to the FortiGate.

Go to Network -> Interfaces -> Access Rights -> Services and select the check box for LDAP (TCP/389). Plain LDAP on TCP/389 is unencrypted, so enable the service only on the interface that faces the FortiGate.


[Screenshot: 25.png]


  2. Create groups.
  • LDAP administrator group.

Go to Authentication -> User Management -> User Groups -> Create New, create a new group named: ‘ldap_admins’.


[Screenshot: 26.png]


  • User group.

Go to Authentication -> User Management -> User Groups -> Create New, create a new group named: ‘testgrp’.


[Screenshot: 27.png]


  3. Create users and add them to the respective groups created earlier.
  • Users.

Go to Authentication -> User Management -> Local Users -> Create New.

ldapadmin -> to the group ldap_admins.

Add rights to the 'ldapadmin' user for LDAP browsing.


[Screenshot: 28.png]


test1 -> to the group testgrp.


[Screenshot: 29.png]


After the configuration is done:

  • Users:

[Screenshot: 30.png]

  • Groups:

[Screenshot: 31.png]


  4. Configure the directory tree as shown below. Ensure that the LDAP administrator is part of the LDAP tree. The LDAP admin and the users must be contained as objects below the 'Distinguished Name' (the base DN) configured on the FortiGate. If the admin or a user is outside the base DN, the objects will not be found.

Go to Authentication -> LDAP Service -> Directory Tree.


[Screenshot: 32.png]


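The base DN rule above is easy to get wrong, so here is an added Python example (not from the Fortinet article or from either product) that parses distinguished names and checks whether the bind account and each user sit below the base DN that will be typed into the FortiGate. The base DN dc=example,dc=com is taken from the debug output later in this article; the other DNs are constructed for illustration. It generalises the rule to nested OUs, mixed case and escaped commas.

```python
"""Check that LDAP bind accounts and users sit below the configured base DN.

Added example, not part of the Fortinet article: it models the rule that
objects outside the FortiGate 'Distinguished Name' are never found, so a
base DN can be validated before it is entered in the FortiGate form.
"""
import re
from typing import Dict, List, Tuple

# Simplified RFC 4514 handling: split on unescaped commas, then on the first
# '=' of each RDN.  Attribute types are case-insensitive; values are compared
# case-insensitively too, which matches plain cn/ou/dc directory values.
# Multi-valued RDNs ('+') and other escapes are not handled.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return the DN as a list of (type, value) pairs, leaf first."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        rdn = rdn.strip()
        if not rdn:
            raise ValueError(f"empty RDN in {dn!r}")
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        value = value.strip().replace("\\,", ",").lower()
        rdns.append((attr.strip().lower(), value))
    return rdns


def is_under_base(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn equals base_dn or is a descendant of it."""
    entry = parse_dn(entry_dn)
    base = parse_dn(base_dn)
    if len(base) > len(entry):
        return False
    # DNs are written leaf first, so the base must equal the entry's tail.
    return entry[len(entry) - len(base):] == base


def check_config(base_dn: str, bind_dn: str, user_dns: List[str]) -> Dict[str, bool]:
    """Map every DN the FortiGate will look for to whether it is reachable."""
    results = {bind_dn: is_under_base(bind_dn, base_dn)}
    for dn in user_dns:
        results[dn] = is_under_base(dn, base_dn)
    return results


if __name__ == "__main__":
    # Constructed sample: base DN from this article, the rest hypothetical.
    BASE = "dc=example,dc=com"
    report = check_config(
        BASE,
        "cn=ldapadmin,dc=example,dc=com",
        ["cn=test1,ou=testgrp,dc=example,dc=com", "cn=test2,dc=other,dc=com"],
    )
    for dn, ok in report.items():
        print(f"{'OK     ' if ok else 'MISSING'} {dn}")
```

Any DN reported as MISSING would fail exactly as the step above describes: the bind or the user lookup returns nothing because the object lies outside the search base.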
FortiGate Configuration.

  1. Configure the LDAP server.
  • Go to User & Authentication -> LDAP Servers -> Create New.

Complete the form using:

  • Server IP/Name: the FortiAuthenticator interface IP.
  • Server Port: the FortiAuthenticator LDAP service port, 389 by default.
  • Distinguished Name: the same base DN used in FortiAuthenticator under Authentication -> LDAP Service -> Directory Tree.
  • Username and Password: the LDAP administrator account created earlier ('ldapadmin').

[Screenshot: 33.png]


  2. Test authentication from the FortiGate CLI, with the following command syntax:

diagnose test authserver ldap <name of LDAP server configuration> <username> <password>

Example:

diagnose test authserver ldap LDAP ldapadmin admin$123


[Screenshot: 34.png]


  3. FortiAuthenticator logs.

Go to Logging -> Log Access -> Logs and select the 'ldapadmin' authentication log entry:

[Screenshot: 35.png]

  4. Create a user group.

Go to User & Device -> User -> User Groups, enter a 'Name', select 'Create New' under 'Remote Groups', select the remote LDAP server created earlier, and select the required user group name.

[Screenshot: 36.png]


  5. The user group created on the FortiGate in the previous step can now be selected in the appropriate firewall authentication policy.

Verify the fnbamd debug output by running the following commands on the FortiGate:

diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug enable

When finished, stop the debug output with 'diagnose debug disable'.

Debug output example:

2025-09-11 13:40:08 [1982] ldap_copy_grp_list-copied cn=ldap_admins,dc=example,dc=com
2025-09-11 13:40:08 [195] find_matched_usr_grps-Skipped group matching
2025-09-11 13:40:08 [2553] fnbamd_ldap_result-Result for ldap svr LDAP is SUCCESS
2025-09-11 13:40:08 [2564] fnbamd_ldap_result-Skipping group matching
2025-09-11 13:40:08 [909] update_auth_token_session-config does not require 2fa
2025-09-11 13:40:08 [239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 120598576119810, len=2629 
<- 0 means an authentication success; 1 means a failed authentication.
2025-09-11 13:40:08 [600] destroy_auth_session-delete session 120598576119810
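Reading this output by hand is fine for one test, but the same facts are wanted on every failed login. The following Python is an added example that is not part of the article or of FortiOS: it parses debug lines in the format shown above and reduces a session to the server name, LDAP result, copied groups, 2FA requirement and session id. The success sample reuses the article's lines; the failure sample is constructed by changing the result code to 1, as the note above describes. The regexes are tied to the message wording seen in this output and should be rechecked against other FortiOS versions.

```python
"""Summarise an fnbamd LDAP debug session into a verdict.

Added example, not part of the Fortinet article: parses lines of the form
'<timestamp> [<source line>] <function>-<message>' as printed by
'diagnose debug application fnbamd -1' in the article.
"""
import re
from typing import Dict, Iterator, Tuple

_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<src>\d+)\] (?P<func>\w+)-(?P<msg>.*)$"
)

# Constructed sample: the successful session from the article's debug output.
SAMPLE_DEBUG = """\
2025-09-11 13:40:08 [1982] ldap_copy_grp_list-copied cn=ldap_admins,dc=example,dc=com
2025-09-11 13:40:08 [195] find_matched_usr_grps-Skipped group matching
2025-09-11 13:40:08 [2553] fnbamd_ldap_result-Result for ldap svr LDAP is SUCCESS
2025-09-11 13:40:08 [2564] fnbamd_ldap_result-Skipping group matching
2025-09-11 13:40:08 [909] update_auth_token_session-config does not require 2fa
2025-09-11 13:40:08 [239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 120598576119810, len=2629
2025-09-11 13:40:08 [600] destroy_auth_session-delete session 120598576119810
"""

# Constructed failure sample (hypothetical): same format, result code 1,
# no group copied.  Real failure lines may carry extra messages.
FAILED_DEBUG = """\
2025-09-11 13:45:00 [239] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 120598576119811, len=64
2025-09-11 13:45:00 [600] destroy_auth_session-delete session 120598576119811
"""


def parse_lines(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (function, message) for every well-formed debug line; skip noise."""
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            yield m.group("func"), m.group("msg")


def summarise(text: str) -> Dict[str, object]:
    """Reduce one session's debug lines to the facts an operator checks."""
    summary: Dict[str, object] = {
        "server": None, "server_result": None, "result_code": None,
        "groups": [], "two_factor": None, "session": None,
    }
    for func, msg in parse_lines(text):
        if func == "ldap_copy_grp_list" and msg.startswith("copied "):
            # Group DNs the server returned for the user
            summary["groups"].append(msg[len("copied "):])
        elif func == "fnbamd_ldap_result":
            m = re.match(r"Result for ldap svr (\S+) is (\w+)", msg)
            if m:
                summary["server"], summary["server_result"] = m.group(1), m.group(2)
        elif func == "update_auth_token_session":
            if "does not require 2fa" in msg:
                summary["two_factor"] = False
        elif func == "fnbamd_comm_send_result":
            m = re.match(r"Sending result (\d+) .*for req (\d+)", msg)
            if m:
                summary["result_code"] = int(m.group(1))
                summary["session"] = m.group(2)
    # Per the article: result 0 is success, 1 is failure.
    summary["success"] = summary["result_code"] == 0
    return summary


if __name__ == "__main__":
    for label, sample in (("success", SAMPLE_DEBUG), ("failure", FAILED_DEBUG)):
        print(label, summarise(sample))
```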

 

To get detailed LDAP logs on FortiAuthenticator, browse to https://<FortiAuthenticator_ip_or_fqdn>/debug and select Other -> LDAP.
