Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
shahv
Staff
Staff

Created on ‎09-18-2019 06:20 AM Edited on ‎12-14-2025 10:37 PM By Community Manager

Article Id 196141

Technical Tip: How to configure FortiGate to use an LDAP server

Description


This article describes the steps to configure the LDAP server in FortiGate and how to map LDAP users/groups to Firewall policies.

End users can then see a firewall pop-up on the browser that will ask for authentication before using the service.

 

Note that such a policy will also not allow DNS queries if the user is not authenticated. End users must have some way of resolving the destination address that would match this policy. If DNS does not work, the users will not be able to authenticate, as the HTTP connection to the destination cannot be made.

 

Scope


FortiGate.


Solution

 

To configure the FortiGate unit for LDAP authentication, using the GUI:

Go to User & Device -> Authentication -> LDAP Servers and select Create New.

 

For new v7.0 and above, the path would be:

  1. Go to User & Authentication -> LDAP Servers and select Create New.

 

38.png

 

  1. Enter a Name for the LDAP server.

  2. In Server Name/IP, enter the server’s FQDN or IP address.

  3. If necessary, change the Server Port number. The default is port 389.

  4. Enter the Common Name Identifier (20 characters maximum). cn is the default, and most of the customers will be using sAMAccountName (See this KB article: Technical Tip: Using logon name for the LDAP authentication).

    • CN stands for Common Name, which is an attribute name in LDAP.
    • sAMAccountName is another LDAP attribute and can reference the login name (about the Windows LDAP server).

    Make sure to get the info on which attributes the end users are using against the LDAP server, as the values of the attributes can look different, for example, 'usert' vs. 'TestUser'.

  5. For a Distinguished name, select browse and select the main domain (Select the domain once the Username and Password are entered, as per steps 8 and 9).
  6. In Bind Type, select Regular.
  7. In the Username field, enter the LDAP administrator's account name along with the domain (Ref. Screenshot below). In some cases, the domain\username format may not work. Use the distinguishedName from the domain controller. Copy the distinguishedName value from the Windows Domain Controller by opening Active Directory Users and Computers, then selecting the View menu and Advanced Features. After, locate and 'right-click' the desired credentials and select Properties. Next, select the Attribute Editor tab and copy the value of distinguishedName.

  8. To check the LDAP DN, run the following command on the AD Server command prompt:

 

dsquery user -name <admin user full name>

dsquery user -samid <admin sAMAccountName>

 

  1. In the Password field, enter the LDAP administrator's account password.
  2. Select OK.

 

37.png

 

For the CLI:
 
config user ldap
    edit LDAP
        set server "172.16.16.100"
        set cnid "cn"
        set dn "dc=tac,dc=local"
        set username TAC\\Administrator
        set password xxxxx
        set port 389
    next
end
 
Consider that when there is an IPSec Site-to-Site, the source IP needs to be modified: 
 
config user ldap
    edit LDAP
        set source-ip <Local IP>
end
 
To import users from the LDAP directory, follow the steps below in the GUI:
Go to User & Devices -> User Definition -> Create New.
 
For new v7.0 and above, the path would be:
 
  1. Go to User & Authentication ->  User Definition and select Create New.

 

39.png

 

  1. On 'User Type', choose 'Remote LDAP user' and select 'Next'.

 

40.png

 

  1. On 'LDAP Server', select the LDAP server name and select 'Next'.


41.png

 

  1. Select the User. 'Right-click', select + Add Selected, and select 'Submit'.


42.png

Imported Remote LDAP user:

 

  1. Once Users/Groups are imported, use them in a firewall policy.

                                                           

43.png

44.png

 

Users who have been imported from the LDAP server can be used to enforce user-based policies as permission sets and allow VPN connections, depending on the usage requirements.
 
Note:
  1. LDAP authentication supports HTTP, HTTPS, FTP, and Telnet Protocols only.
  2. To display LDAP user names in Forward Traffic logs, the LDAP user group or username must be defined in a firewall policy.
  3. To integrate the Novell eDirectory with the FortiGate, the 'member-attr' setting must be enabled for the LDAP settings (see configuration details LDAP-Server-Settings-to-Support-Novell-eDirectory).
  4. Once a user is selected and added to the user definition, the same user will no longer appear as an option when attempting to add it again.
  5. If using Two Factor Authentication(2FA) with an LDAP remote user, make sure to select the option 'set username-sensitivity disable' in the CLI, as the 2FA will otherwise not work correctly and will be bypassed if the user tries to login with a random capital letter in the username. This is due to CVE-2020-12812, and the option 'set username-sensitivity disable' was added as a solution to this CVE. For more information, see Technical Tip: Description of CVE-2020-12812 (bypassing two-factor authentication for LDAP users) an...

 

config user local
    edit TestUser
        set type ldap
        set ldap-server LDAP1
        set two-factor fortitoken
        set fortitoken FTKxxxxxxxxxxxxxxxxxx
        set username-sensitivity disable
end

 
In versions before v5.6.14, v6.0.13, v6.2.10, v6.4.7, v7.0.1, the command was 'set username-case-sensitivity'.
 
Related documents:

Configuring an LDAP server - FortiGate administration guide

Technical Tip: Description of CVE-2020-12812 (bypassing two-factor authentication for LDAP users) an...

SSL VPN for remote users with MFA and user case sensitivity - FortiGate 6.2.16 cookbook

Technical Tip: Using logon name for the LDAP authentication

252384
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.