Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
shahv
Staff
Staff

Created on ‎09-18-2019 06:20 AM Edited on ‎02-25-2025 08:58 AM By Moderator

Article Id 196141

Technical Tip: How to configure FortiGate to use an LDAP server

Description


This article describes the steps to configure the LDAP server in FortiGate and how to map LDAP users/groups to Firewall policies.

End users can then see a firewall popup on the browser that will ask for authentication prior to using the service.

 

Note that such a policy will also not allow DNS queries if the user is not authenticated.

End users must have some way of resolving the destination address that would match this policy.

If DNS does not work, the users will not be able to authenticate as the HTTP connection to the destination cannot be made.

 

Scope


FortiGate.


Solution

 

To configure the FortiGate unit for LDAP authentication – Using GUI:

 

Go to User & Device -> Authentication -> LDAP Servers and select Create New.

 

For new Firmware 7.0 & above the path would be:

 

  1. Go to User & Authentication -> LDAP Servers and select Create New.

 

38.png

 

  1. Enter a Name for the LDAP server.

  2. In Server Name/IP enter the server’s FQDN or IP address.

  3. If necessary, change the Server Port number. The default is port 389.

  4. Enter the Common Name Identifier (20 characters maximum).

     

    cn is the default, and most of the customers will be using sAMAccountName ( see 'Common Name Identifier' configured as 'sAMAccountName' ).

    • CN stands for Common Name which is an attribute name in LDAP.
    • sAMAccountName is another LDAP attribute and can reference the login name (about the Windows LDAP server).

    Make sure to get the info on which attributes the end users are using against the LDAP server as the values of the attributes can look different, for example, 'usert' vs. 'TestUser'.

  5. For a Distinguished name, select browse and select the main domain (Select the domain once the Username and Password are entered as per steps 8 and 9).

  6. In Bind Type, select Regular.

  7. In the Username field, enter the LDAP administrator's account name along with the domain (Ref. Screenshot below). In some cases, the domain\username format may not work. Use the distinguishedName from the domain controller.

    Copy the distinguishedName value from the Windows Domain Controller by opening Active Directory Users and Computers, then selecting the View menu and Advanced Features. After, locate and 'right-click' the desired credentials and select Properties. Next, select the Attribute Editor tab and copy the value of distinguishedName.

  8. In the Password field, enter the LDAP administrator's account password.

  9. Select OK.

 

37.png

 

 
For the CLI:
 
config user ldap
    edit LDAP
        set server "172.16.16.100"
        set cnid "cn"
        set dn "dc=tac,dc=local"
        set username TAC_Administartor
        set password xxxxx
        set port 389
    next
end
 
To import users from the LDAP directory, follow the steps below in the GUI:
 
Go to User & Devices -> User Definition -> Create New.
 
For new Firmware 7.0 and above, the path would be:
 
  1. Go to User & Authentication ->  User Definition and select Create New.

 

39.png

 

  1. On 'User Type', choose 'Remote LDAP user' and select 'Next'.

     

    40.png

  2. On 'LDAP Server', select the LDAP server name and select 'Next'.

    41.png

  3. Select the User. 'Right-click', select + Add Selected, and select 'Submit'. 

    42.png
    Imported Remote LDAP user:

  4. Once Users/Groups are imported, use them in a firewall policy.
                                                               

43.png

44.png

 

Users that have been imported from the LDAP server, can be used to enforce user-based policies as permission sets and allow VPN connections, depending on the usage requirements.
 
Note: LDAP authentication supports HTTP, HTTPS, FTP, and Telnet Protocols only.
 
To integrate the Novell eDirectory with the FortiGate, the 'member-attr' setting must be enabled for the LDAP settings (see configuration details LDAP-Server-Settings-to-Support-Novell-eDirectory).
 
Related document:

224059
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.