Description
This article describes the steps to configure the LDAP server in FortiGate and how to map LDAP users/groups to Firewall policies.
End users can then see a firewall popup on the browser that will ask for authentication prior to using the service.
Note that such a policy will also not allow DNS queries if the user is not authenticated.
End users must have some way of resolving the destination address that would match this policy.
If DNS does not work, the users will not be able to authenticate as the HTTP connection to the destination cannot be made.
Scope
FortiGate.
Solution
To configure the FortiGate unit for LDAP authentication – Using GUI:
Go to User & Device -> Authentication -> LDAP Servers and select Create New.
For new Firmware 7.0 & above the path would be:
- Go to User & Authentication -> LDAP Servers and select Create New.
-
Enter a Name for the LDAP server.
-
In Server Name/IP enter the server’s FQDN or IP address.
-
If necessary, change the Server Port number. The default is port 389.
-
Enter the Common Name Identifier (20 characters maximum).
cn is the default, and most of the customers will be using sAMAccountName ( see 'Common Name Identifier' configured as 'sAMAccountName' ).
- CN stands for Common Name which is an attribute name in LDAP.
- sAMAccountName is another LDAP attribute and can reference the login name (about the Windows LDAP server).
Make sure to get the info on which attributes the end users are using against the LDAP server as the values of the attributes can look different, for example, 'usert' vs. 'TestUser'.
- For a Distinguished name, select browse and select the main domain (Select the domain once the Username and Password are entered as per steps 8 and 9).
- In Bind Type, select Regular.
- In the Username field, enter the LDAP administrator's account name along with the domain (Ref. Screenshot below). In some cases, the domain\username format may not work. Use the distinguishedName from the domain controller.
Copy the distinguishedName value from the Windows Domain Controller by opening Active Directory Users and Computers, then selecting the View menu and Advanced Features. After, locate and 'right-click' the desired credentials and select Properties. Next, select the Attribute Editor tab and copy the value of distinguishedName. - In the Password field, enter the LDAP administrator's account password.
- Select OK.
For the CLI:
config user ldap
edit LDAP
set server "172.16.16.100"
set cnid "cn"
set dn "dc=tac,dc=local"
set username TAC_Administartor
set password xxxxx
set port 389
next
end
edit LDAP
set server "172.16.16.100"
set cnid "cn"
set dn "dc=tac,dc=local"
set username TAC_Administartor
set password xxxxx
set port 389
next
end
To import users from the LDAP directory, follow the steps below in the GUI:
Go to User & Devices -> User Definition -> Create New.
For new Firmware 7.0 and above, the path would be:
- Go to User & Authentication -> User Definition and select Create New.
-
On 'User Type', choose 'Remote LDAP user' and select 'Next'.
-
On 'LDAP Server', select the LDAP server name and select 'Next'.
-
Select the User. 'Right-click', select + Add Selected, and select 'Submit'.
Imported Remote LDAP user: -
Once Users/Groups are imported, use them in a firewall policy.
Users that have been imported from the LDAP server, can be used to enforce user-based policies as permission sets and allow VPN connections, depending on the usage requirements.
Note: LDAP authentication supports HTTP, HTTPS, FTP, and Telnet Protocols only.
To integrate the Novell eDirectory with the FortiGate, the 'member-attr' setting must be enabled for the LDAP settings (see configuration details LDAP-Server-Settings-to-Support-Novell-eDirectory).
Related document:
