Technical Tip: Use an Active Directory Global Catalog server for LDAP configurations in FortiGate, FortiProxy, and FortiAuthenticator

In order to create a single LDAP entry for the root domain and to take advantage of the benefit of Global Catalog to query and search objects 

from other child domains in the same Active Directory Forest, it is possible to configure Fortinet products to use Global Catalog port 3268 or 3269 (Secure) to communicate with domain controllers.

The Global Catalog server primarily provides a distributed directory service that contains a partial replica of all domain directory partitions in the forest. It is used to support forest-wide searches and queries.

In this example, a Root domain and a child domain have been created in a single forest.

Root Domain: Root.Local

Child Domain: Child.Root.Local

Root Domain Controller Name: DC01.root.local
Child Domain Controller Name: CHILD-DC.child.root.local

Note: Ensure DNS is configured properly, as authentication is highly dependent on name resolution.

Root Domain:

Child Domain:

Logon to FortiAuthenticator and expand Authentication -> Remote Auth. Servers -> LDAP.

• Enter the required information e.g. Name, Primary Server/IP and Port, Base distinguish Name and Username & Password. Optionally, add secondary server details (if available).
• By default, the LDAP port number 389 will be selected. Select browse to check and test that communication is working as intended with the LDAP server.

• This shows that communication is working fine, as only the OUs structure of Root Domain (Root.Local) are seen, while the information is about the Child domain. Select OK to go back and change the port to 3268, then select browse to see the OU structure of the Child domain (Child.Root.Local).

• It is possible to view the LDAP structure from the child domain even though the Based distinguish Name is set to 'dc=root,dc=local.'
• The users or groups from the child domain can be imported, and the Fortiauthenticator policies can be used (such as two factor authentication, portal access, certificates, etc.).

Alternatively, select users:

Select OK to import users.

• This user object can now be used in FortiAuthenticator configurations and policies.
• Next, consider how to connect the FortiGate firewall to the Global Catalog server:

CLI configuration:

Despite having configured DN 'dc=root,dc=local,' it is still possible to authenticate users through the child domain 'child.root.local.'

LDAP users and groups can now be created in FortiGate from Child domains and used with multiple policies.

In FortiGate, it is possible to do the same with LDAP groups:

Note:It is also possible to configure FortiGate, FortiAuthenticator, FortiProxy, and other Fortinet products to use Secure Global Catalog LDAPS port 3269 if the PKI infrastructure is already in place and the required certificates are installed and trusted by the Fortinet Products. It is possible to use an Internal CA or public CA for the LDAPS (3269) port

For details about how a Global Catalog server works, see the Microsoft documentation.

Related articles:

• Configuring LDAP on the FortiAuthenticator - FortiAuthenticator cookbook.
• Technical Tip: LDAPS with FortiAuthenticator.
• Technical Tip: How to configure FortiGate to use an LDAP server.
• Technical Tip: Configuring LDAP over SSL / LDAPS.