Description
This article describes how to configure an LDAP authentication server on a FortiGate.
Scope
Windows Server 2008 R2 and 2012 (Active Directory as the LDAP server).
Solution
Definition:
The Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services.
The FortiGate LDAP client sends these requests:
Bind: authentication. The client proves its identity to the directory; which credentials are sent depends on the bind type (see below).
StartTLS: encryption. Upgrades the plain TCP session (port 389) to TLS before any credentials are sent. LDAPS (TLS from the start, usually on port 636) is the alternative.
Search: query. Looks up entries and attributes below a base DN, for example to find a user's DN or group membership.
Unbind: close the connection.
LDAP structure.
The LDAP structure is similar to a tree that contains entries (objects) in each branch.
Each entry has a unique ID, the Distinguished Name (DN).
Each entry also has attributes.
Each attribute has a name and one or more values.
The attributes are defined in a directory schema.
LDAP structure example.
LDAP Configuration
Bind types:
- Simple: bind without user search. The FortiGate binds directly as the user, building the DN from the common name identifier and the base DN (<cnid>=<login>,<dn>). It can be used only if all the users belong to the same 'branch', and the password is sent in clear text unless StartTLS or LDAPS is enabled.
- Anonymous: bind with user search. The FortiGate first binds anonymously, searches below the base DN for the entry whose cnid matches the login, then binds as the DN found with the user's password. It can be used when users are in different 'branches' and only if the server allows 'anonymous search' (Active Directory does not by default).
- Regular: bind with user search. Same as anonymous, but the initial search is done with a configured bind account (User DN and password). It is required when users are in different 'branches' and the server does not allow 'anonymous search'.
Simple bind configuration.

Simple bind example.

Anonymous bind configuration.

Anonymous bind example.

Regular bind configuration.

Regular bind example.

To find the base 'Distinguished Name', run either of these two commands from the LDAP server's command prompt:
dsquery user -name <full_user_name>
dsquery user -samid <login_username>
For example, if the following output appears:
C:\> dsquery user -samid jsmith
"cn=John Smith,cn=users,dc=tac,dc=ottawa,dc=fortinet,dc=com"
the 'Distinguished Name' (the base DN below which the FortiGate searches for users) can be configured as the domain root:
dc=tac,dc=ottawa,dc=fortinet,dc=com
A narrower branch such as cn=users,dc=tac,dc=ottawa,dc=fortinet,dc=com also works, but only users stored in that container will then be found.
To find the 'User DN' (or Bind DN) of the account the FortiGate binds with, run either of these two commands in the LDAP server's command prompt:
dsquery user -name <admin_full_user_name>
dsquery user -samid <admin_login_username>
The complete DN has to be used as 'User DN'.
For example, if the following output appears:
C:\> dsquery user -samid administrator
"cn=Administrator,cn=users,dc=tac,dc=ottawa,dc=fortinet,dc=com"
configure the 'User DN' as:
cn=Administrator,cn=users,dc=tac,dc=ottawa,dc=fortinet,dc=com
The bind account only needs permission to read user entries and their group attributes, so a dedicated least-privilege account is preferable to a domain administrator.
Regular bind configuration summary.
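The three bind types expressed as FortiGate CLI, using the base DN and bind account obtained with dsquery above. This is an added example and not configuration from the article: the server address 10.1.1.10, the imported CA certificate name "AD-Root-CA" and the object names AD-simple, AD-anonymous and AD-regular are assumed. All three use LDAPS with the server certificate checked against the CA, since a bind otherwise sends the user's (or the bind account's) password in clear text. Lines starting with '#' are explanatory comments and should be dropped when pasting into the CLI.

```fortios
# Added example: one FortiGate LDAP server object per bind type.
# Assumed: server 10.1.1.10, CA certificate "AD-Root-CA", object names.
config user ldap
    # Simple bind: no search. The FortiGate binds as <cnid>=<login>,<dn>,
    # so every user must sit directly under 'dn' and, against Active
    # Directory, the login name must be the CN (e.g. "John Smith").
    edit "AD-simple"
        set server "10.1.1.10"
        set secure ldaps
        set port 636
        set ca-cert "AD-Root-CA"
        set cnid "cn"
        set dn "cn=users,dc=tac,dc=ottawa,dc=fortinet,dc=com"
        set type simple
    next
    # Anonymous bind: anonymous search below 'dn' for cnid=<login>, then a
    # bind as the DN found. Needs anonymous search allowed on the server,
    # which Active Directory does not permit by default.
    edit "AD-anonymous"
        set server "10.1.1.10"
        set secure ldaps
        set port 636
        set ca-cert "AD-Root-CA"
        set cnid "sAMAccountName"
        set dn "dc=tac,dc=ottawa,dc=fortinet,dc=com"
        set type anonymous
    next
    # Regular bind: the same search, performed with the bind account from
    # the dsquery output above, followed by a bind as the user found.
    edit "AD-regular"
        set server "10.1.1.10"
        set secure ldaps
        set port 636
        set ca-cert "AD-Root-CA"
        set cnid "sAMAccountName"
        set dn "dc=tac,dc=ottawa,dc=fortinet,dc=com"
        set type regular
        set username "cn=Administrator,cn=users,dc=tac,dc=ottawa,dc=fortinet,dc=com"
        set password <bind_account_password>
    next
end
```

Without 'set ca-cert' the session is still encrypted but the server certificate is not validated, so anyone able to redirect port 636 could collect the bind credentials; 'set secure starttls' on port 389 is the alternative when LDAPS is not available. Test each object with 'diagnose test authserver ldap <server_object> <login> <password>', which reports whether the bind succeeded and which DN was used.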

In most schemas, each user entry has an attribute containing the DNs of the groups to which the user belongs.
By default, the FortiGate reads the group list from the 'memberOf' attribute (Microsoft AD). If the group information is stored in a different attribute, set the attribute name using the CLI:
config user ldap
    edit <Server_name>
        set member-attr <attribute_name>
    next
end
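A complete group mapping on top of the member attribute, as an added example that is not part of the article. It assumes an LDAP server object named AD-regular (regular bind) already exists, that the AD group is cn=VPN-Users,cn=users,dc=tac,dc=ottawa,dc=fortinet,dc=com, and a FortiOS release that supports 'group-member-check' (FortiOS 5.x and later). Lines starting with '#' are explanatory comments to drop when pasting.

```fortios
# Added example: map an AD group to a FortiGate user group.
# Assumed: server object "AD-regular" exists; group DN below is illustrative.
config user ldap
    edit "AD-regular"
        # memberOf is the default for AD; shown explicitly for clarity.
        set member-attr "memberOf"
        # Read group membership from the user's own attribute rather than
        # from the group object's member list.
        set group-member-check user-attr
    next
end
config user group
    edit "VPN-Users"
        set member "AD-regular"
        config match
            edit 1
                set server-name "AD-regular"
                # Must be the DN exactly as AD returns it in memberOf.
                set group-name "cn=VPN-Users,cn=users,dc=tac,dc=ottawa,dc=fortinet,dc=com"
            next
        end
    next
end
# Check: lists the groups the FortiGate extracted for the user, which
# separates a wrong member-attr from a wrong group-name.
diagnose test authserver ldap AD-regular jsmith <user_password>
```

A user whose memberOf attribute does not contain the configured group DN authenticates against AD-regular but is not placed in VPN-Users, so policies that reference the group will not match.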
Group query - Microsoft AD case.
