FortiGate
CarlosColombini
Article Id 244848
Description

This article describes how to configure Google secure LDAPS in FortiGate using certificate authentication.

Scope

FortiGate 7.2.0+.

Supported Google Suite plans: Business Plus, Enterprise, Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus.

Solution

Some LDAP servers require a client certificate to perform peer verification instead of password authentication. Google LDAPS is one example of such a configuration.

Starting with FortiOS 7.2.0, client certificate authentication can be configured when FortiGate is acting as an LDAP client.

Related document: Configuring client certificate authentication on the LDAP server

Below is an example of Google Suite LDAPS integration.

1. To create an LDAP Client in Google Suite, navigate to Apps -> LDAP, select 'Add LDAP Client', and define the LDAP client name and description. Select 'Continue'.

2. Define access permission to specific groups, OUs, or the entire domain. Select 'Add LDAP Client'.

3. Download the certificate so it can be imported to FortiGate later.

4. After being returned to the LDAP Client details, select 'Service status' and turn it on.

5. Extract the compressed file downloaded in step 3. It should contain the certificate and key files.
   To import the certificate to FortiGate, navigate to System -> Certificates, then select Create/Import -> Certificate and choose the 'Import Certificate' method.

6. Select 'Certificate' and browse to the certificate and key files. Define a certificate name and select 'Create'.
   Note: Leave the password fields empty.

7. Create an LDAP server entry.

Note:
A Distinguished Name should contain the OU 'users' and any other OU in the path to where the users are located. If the DN is incorrect, the following error message is displayed:

(Screenshot of the GUI error message shown for an incorrect DN.)

8. Edit the configuration from the CLI and enable the certificate authentication option.

CLI Configuration:

config user ldap
    edit "GoogleLDAPS"
        set server "ldap.google.com"
        set server-identity-check disable
        set cnid "uid"
        set dn "ou=users,dc=colombas,dc=me"
        set secure ldaps
        set port 636
        set client-cert-auth enable
        set client-cert "GoogleLDAPS"
    next
end

Troubleshooting and verification:

1. Debug logs can be enabled for the authentication daemon:

diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug enable

2. Connectivity and User Credentials tests can be run from the GUI and CLI.

GUI: Connectivity test and User Credentials test.

CLI Connectivity test:

diagnose test authserver ldap-direct ldap.google.com

CLI User Credentials test:

diagnose test authserver ldap <server_name> <username> <password>