FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sinamdar
Staff & Editor
Article Id 190870

Description

 

This article describes how to create FortiGate administrator accounts that are authenticated by an LDAP server.


Scope


Access FortiGate WebGUI using LDAP users

Solution

 

Configuration Method:


To use an LDAP server to authenticate administrators in a VDOM, the LDAP authentication must be configured before the administrator accounts are created.

 

1. Configure an LDAP server.

 

For example:

config user ldap
    edit "ldap"
        set server "10.40.9.78"
        set cnid "sAMAccountName"
        set dn "dc=dubailab,dc=lab"
        set type regular
        set username "cn=administrator,cn=users,dc=dubailab,dc=lab"
        set password p@ssword
    next
end

If only the members of a particular group are to be allowed to log in to FortiGate as administrators, a FortiGate user group must be configured to limit access.

2. Create an LDAP user group on Active Directory and on FortiGate.


Right-click the new group, select 'Properties' and add users that will authenticate:


Create the group on FortiGate:


config user group
    edit "salesgrp"
        set group-type firewall
        set authtimeout 0
        set auth-concurrent-override disable
        set http-digest-realm ''
        set member "ldap"
        config match
            edit 1
                set server-name "ldap"
                set group-name "CN=salesgrp,CN=Users,DC=dubailab,DC=lab"
            next
        end
    next
end


3. Configure an administrator to authenticate with the LDAP server.

 

config system admin
    edit "ldap_admin"
        set remote-auth enable
        set accprofile "prof_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "salesgrp"
    next
end

The remaining parameters must be left at their default values.

Note:
 
If 'wildcard' is not enabled, not all members of the LDAP (AD) group are allowed to log in. In that case, the administrator account must be configured with exactly the same name that the user has in AD, together with the password.
 
Special Note:
If users are imported from LDAP into FortiGate and a local group is created from these imported LDAP members, that group will not be offered when creating a wildcard administrator.
 
To verify, access the FortiGate WebGUI using the LDAP user 'sales'.

Use the commands below to capture the debug output.

 

diagnose debug enable
diagnose debug application fnbamd -1
 
[59] ldap_dn_list_del_all-Del CN=sales,OU=new2,DC=dubailab,DC=lab
[3141] fnbamd_ldap_result-Result for ldap svr 10.40.9.78 is SUCCESS
[399] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=dubailab,DC=lab
[3152] fnbamd_ldap_result-Passed group matching
[1047] find_matched_usr_grps-Group 'salesgrp' passed group matching
[1048] find_matched_usr_grps-Add matched group 'salesgrp'(2)
[2887] fnbamd_fas_send_push-username:sales, vdom:root, usertype:0, tfc=0, auth_type:16

 

[181] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 295304432
[724] destroy_auth_session-delete session 295304432
[59] ldap_dn_list_del_all-Del CN=salesgrp,CN=Users,DC=dubailab,DC=lab
[59] ldap_dn_list_del_all-Del CN=Domain Users,CN=Users,DC=dubailab,DC=lab
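When several logins are being checked, reading the raw fnbamd output by eye is error-prone. The following Python parser is an added example (it is not part of the article and not a Fortinet tool): it groups the debug lines into one attempt per session, extracts the LDAP bind result, the AD groups copied from the directory, the FortiGate groups that matched, and the user/VDOM, and then checks whether the admin's 'remote-group' (here 'salesgrp') actually matched. The message formats are those shown in the output above; the second attempt for the user 'bob' (bind succeeds, but no FortiGate group matches) is constructed from those same formats for illustration.

```python
"""Parse 'diagnose debug application fnbamd -1' output for LDAP admin logins.

Added example, not from the article or from Fortinet. It only understands the
message formats that appear in the article's debug output.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the 'sales' session repeats the article's lines; the
# 'bob' session is constructed with the same formats to show a user who
# binds successfully but belongs to no group that FortiGate matches.
SAMPLE_DEBUG = """\
[3141] fnbamd_ldap_result-Result for ldap svr 10.40.9.78 is SUCCESS
[399] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=dubailab,DC=lab
[3152] fnbamd_ldap_result-Passed group matching
[1047] find_matched_usr_grps-Group 'salesgrp' passed group matching
[1048] find_matched_usr_grps-Add matched group 'salesgrp'(2)
[2887] fnbamd_fas_send_push-username:sales, vdom:root, usertype:0, tfc=0, auth_type:16
[181] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 295304432
[724] destroy_auth_session-delete session 295304432
[3141] fnbamd_ldap_result-Result for ldap svr 10.40.9.78 is SUCCESS
[399] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=dubailab,DC=lab
[2887] fnbamd_fas_send_push-username:bob, vdom:root, usertype:0, tfc=0, auth_type:16
[724] destroy_auth_session-delete session 295304433
"""

_RE = {
    "bind": re.compile(r"Result for ldap svr (\S+) is (\w+)"),
    "copied": re.compile(r"ldap_copy_grp_list-copied (.+)$"),
    "matched": re.compile(r"Add matched group '([^']+)'"),
    "user": re.compile(r"username:([^,]+), vdom:([^,]+)"),
    "result": re.compile(r"Sending result (\d+) \(error (\d+), nid \d+\) for req (\d+)"),
    "end": re.compile(r"destroy_auth_session-delete session (\d+)"),
}


@dataclass
class AuthAttempt:
    """One fnbamd authentication session reconstructed from the debug lines."""
    server: Optional[str] = None
    bind_result: Optional[str] = None      # e.g. SUCCESS
    username: Optional[str] = None
    vdom: Optional[str] = None
    ldap_groups: List[str] = field(default_factory=list)    # DNs copied from AD
    matched_groups: List[str] = field(default_factory=list) # FortiGate groups matched
    result_code: Optional[int] = None      # 0 in the article's successful login
    error_code: Optional[int] = None
    session: Optional[str] = None


def parse_fnbamd(text: str) -> List[AuthAttempt]:
    """Split the debug output into attempts; a session ends at destroy_auth_session."""
    attempts: List[AuthAttempt] = []
    cur = AuthAttempt()
    for line in text.splitlines():
        if m := _RE["bind"].search(line):
            cur.server, cur.bind_result = m.group(1), m.group(2)
        elif m := _RE["copied"].search(line):
            cur.ldap_groups.append(m.group(1).strip())
        elif m := _RE["matched"].search(line):
            cur.matched_groups.append(m.group(1))
        elif m := _RE["user"].search(line):
            cur.username, cur.vdom = m.group(1).strip(), m.group(2).strip()
        elif m := _RE["result"].search(line):
            cur.result_code, cur.error_code = int(m.group(1)), int(m.group(2))
        elif m := _RE["end"].search(line):
            cur.session = m.group(1)
            attempts.append(cur)
            cur = AuthAttempt()
    if cur != AuthAttempt():   # keep a trailing session that was cut off
        attempts.append(cur)
    return attempts


def admin_login_allowed(attempt: AuthAttempt, remote_group: str) -> bool:
    """True only if the LDAP bind succeeded AND the admin's remote-group matched."""
    return attempt.bind_result == "SUCCESS" and remote_group in attempt.matched_groups


def summarize(text: str, remote_group: str) -> List[str]:
    """One human-readable line per attempt, for quick review of a debug capture."""
    lines = []
    for a in parse_fnbamd(text):
        verdict = "ALLOWED" if admin_login_allowed(a, remote_group) else "DENIED"
        lines.append(f"{a.username}@{a.vdom} via {a.server}: bind={a.bind_result}, "
                     f"matched={a.matched_groups or 'none'}, "
                     f"result={a.result_code} -> {verdict} for remote-group {remote_group!r}")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_DEBUG, "salesgrp"):
        print(line)
```

Paste a captured debug session into SAMPLE_DEBUG (or read it from a file) and run the script; a user who binds but shows no "Add matched group" line is denied even though the LDAP server answered SUCCESS, which is the usual symptom of a wrong 'group-name' DN in the 'config match' block or of the user not being a member of that AD group.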
 
Related document: