Description
This article describes the steps to configure the LDAP server in FortiGate and how to map LDAP users/groups to Firewall policies.
End users can then see a firewall popup on the browser that will ask for authentication prior to using the service.
Note that such a policy will also not allow DNS queries if the user is not authenticated.
End users must have some way of resolving the destination address that would match this policy.
If DNS does not work, the users will not be able to authenticate as the HTTP connection to the destination cannot be made.
Scope
FortiGate.
Solution
To configure the FortiGate unit for LDAP authentication – Using GUI:
Go to User & Device -> Authentication -> LDAP Servers and select Create New.
For new Firmware 7.0 & above the path would be:
Enter a Name for the LDAP server.
In Server Name/IP enter the server’s FQDN or IP address.
If necessary, change the Server Port number. The default is port 389.
Enter the Common Name Identifier (20 characters maximum).
cn is the default, and most of the customers will be using sAMAccountName ( see 'Common Name Identifier' configured as 'sAMAccountName' ).
Make sure to get the info on which attributes the end users are using against the LDAP server as the values of the attributes can look different, for example, 'usert' vs. 'TestUser'.
On 'User Type', choose 'Remote LDAP user' and select 'Next'.
On 'LDAP Server', select the LDAP server name and select 'Next'.
Select the User. 'Right-click', select + Add Selected, and select 'Submit'.
Imported Remote LDAP user:
Once Users/Groups are imported, use them in a firewall policy.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.