Description: This article describes and demonstrates the configuration required to authenticate an LDAP user using the 'attribute-member' property (the LDAP server's 'member-attr' setting).
Scope: FortiGate.
Solution:
In this article, SSL VPN is used to explain and show the authentication. The same steps also apply to other authentication methods that use an LDAP user group, such as IPsec dial-up user authentication.
The requirement is to configure a FortiGate user group that matches, and therefore authenticates, only users whose 'ou' attribute in AD carries the value 'vpn'. The match is made on the value of a user attribute rather than on AD group membership (memberOf), which is what the 'member-attr' setting normally points at.
Step 1: Configure the LDAP server.
Configure an LDAP server as shown in the screenshot below (the equivalent CLI configuration is given under 'On FortiGate' further down).
Step 2: Configure the user group in which the LDAP server will be added as the member.
Step 3: Configure the relevant firewall policies and SSL VPN settings so that the user can authenticate. Note: These configurations are skipped here because this article focuses on the 'Attribute Member' configuration.
On the AD server, the user name testuser13 inside the OU=Users will be used for the authentication.
Under the user's properties in AD, locate the Attribute Editor tab. In this example the 'ou' attribute has been used and set to the value 'vpn', as shown below.
Note: If the Attribute Editor tab is not visible, select View > Advanced Features in Active Directory Users and Computers; the tab then appears in the user's properties.
On FortiGate:
Under LDAP configuration:
config user ldap
    edit "POD-LDAP"
        set server "10.47.2.174"
        set member-attr "ou"     <----- Tells FortiGate to read the user's 'ou' attribute (the default is "memberOf") and compare its value against the 'group-name' of each user-group match entry.
    next
end
(The remaining LDAP server settings, such as the bind DN and credentials, are not shown in this article.)

Under the user group configuration:

config user group
    edit "vpn users"              <----- User group.
        set member "POD-LDAP"
        config match
            edit 1
                set server-name "POD-LDAP"
                set group-name "vpn"     <----- The value of the user's OU attribute (attribute member) in AD, not a group DN.
            next
        end
    next
end
Note: In the configuration above, 'group-name' does not reference an AD group. Because 'member-attr' is set to "ou", FortiGate compares 'group-name' against the value of the user's 'ou' attribute, which in this case is 'vpn'. Keep in mind that 'member-attr' is a per-LDAP-server setting: every user group that uses this server object is matched on the 'ou' attribute, so groups that still expect a memberOf group DN need a separate LDAP server object with the default 'member-attr'.
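To make the matching rule concrete, the following is an added Python model of how the 'config match' entries of a user group are evaluated against a user's LDAP attributes. It is illustrative code written for this article, not FortiOS code and not from the original article. It assumes a case-insensitive, whitespace-trimmed string comparison, and all directory entries, the second user 'testuser14', the group 'vpn admins' and the server object 'POD-LDAP-GROUPS' are constructed, hypothetical test data.

```python
"""Added model (not FortiOS code) of how a FortiGate user group's 'config match'
entries are evaluated against a user's LDAP attributes.

Point from the article: 'group-name' is compared against the values of the
attribute named by the LDAP server's 'member-attr'. With the default
member-attr "memberOf" that value is a group DN; with member-attr "ou" it is
the user's own ou attribute value (here "vpn").
Assumptions: comparison is case-insensitive and whitespace-trimmed; every
directory entry below is constructed test data, not taken from the article.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class LdapServer:
    name: str
    member_attr: str = "memberOf"   # FortiOS default


@dataclass(frozen=True)
class MatchRule:
    server_name: str
    group_name: str


@dataclass(frozen=True)
class UserGroup:
    name: str
    matches: tuple[MatchRule, ...]


def _norm(value: str) -> str:
    # Assumption: case-insensitive, whitespace-insensitive comparison.
    return " ".join(value.split()).lower()


def user_matches_group(user_attrs: dict[str, list[str]], group: UserGroup,
                       servers: dict[str, LdapServer]) -> bool:
    """True if any match entry of the group is satisfied for this user.

    user_attrs maps LDAP attribute names (any case) to their values.
    The attribute consulted is the one named by the server's member-attr.
    """
    attrs = {k.lower(): v for k, v in user_attrs.items()}
    for rule in group.matches:
        server = servers[rule.server_name]
        values = attrs.get(server.member_attr.lower(), [])
        if any(_norm(v) == _norm(rule.group_name) for v in values):
            return True
    return False


def resolve_groups(user_attrs: dict[str, list[str]], groups: list[UserGroup],
                   servers: dict[str, LdapServer]) -> list[str]:
    """Names of all groups the user resolves to, in configuration order."""
    return [g.name for g in groups if user_matches_group(user_attrs, g, servers)]


# --- Constructed directory data (hypothetical, not from the article) ---
TESTUSER13 = {
    "sAMAccountName": ["testuser13"],
    "ou": ["vpn"],
    "memberOf": ["CN=VPN Admins,OU=Groups,DC=example,DC=local"],
}
TESTUSER14 = {  # hypothetical user whose ou attribute does not carry "vpn"
    "sAMAccountName": ["testuser14"],
    "ou": ["sales"],
    "memberOf": ["CN=VPN Admins,OU=Groups,DC=example,DC=local"],
}

# The article's configuration: POD-LDAP with member-attr "ou", group "vpn users".
SERVERS_ARTICLE = {"POD-LDAP": LdapServer("POD-LDAP", member_attr="ou")}
VPN_USERS = UserGroup("vpn users", (MatchRule("POD-LDAP", "vpn"),))

# Caveat: a hypothetical second group on the *same* server object that still
# expects a memberOf DN no longer matches, because member-attr is per server.
VPN_ADMINS = UserGroup("vpn admins", (
    MatchRule("POD-LDAP", "CN=VPN Admins,OU=Groups,DC=example,DC=local"),))

# Fix: a hypothetical second server object that keeps the default "memberOf".
SERVERS_SPLIT = {
    "POD-LDAP": LdapServer("POD-LDAP", member_attr="ou"),
    "POD-LDAP-GROUPS": LdapServer("POD-LDAP-GROUPS"),
}
VPN_ADMINS_FIXED = UserGroup("vpn admins", (
    MatchRule("POD-LDAP-GROUPS", "CN=VPN Admins,OU=Groups,DC=example,DC=local"),))

if __name__ == "__main__":
    print(resolve_groups(TESTUSER13, [VPN_USERS, VPN_ADMINS], SERVERS_ARTICLE))
    # ['vpn users']   ("vpn admins" cannot match on a member-attr "ou" server)
    print(resolve_groups(TESTUSER13, [VPN_USERS, VPN_ADMINS_FIXED], SERVERS_SPLIT))
    # ['vpn users', 'vpn admins']
    print(resolve_groups(TESTUSER14, [VPN_USERS], SERVERS_ARTICLE))
    # []
```

The second scenario is the practical lesson: once 'member-attr' on POD-LDAP is changed from "memberOf" to "ou", any other user group that matches on a group DN through the same server object silently stops matching, and a separate LDAP server object with the default 'member-attr' is the way to keep both styles side by side.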
Testing the authentication:
Authentication is successful for 'testuser13'. Note that the only match defined in the FortiGate user group is the attribute value 'vpn'; the user is not a member of any AD group named 'vpn'. The same check can be made from the CLI with 'diagnose test authserver ldap <server> <username> <password>', which reports the groups the user resolves to.
In the fnbamd and SSL VPN debug output, note the entries where FortiGate reads the value 'vpn' from the attribute named in 'member-attr' ('ou') and matches it against the user group.
Debug commands:
diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug enable

Turn the debug output off again afterwards with 'diagnose debug disable'.
Copyright 2024 Fortinet, Inc. All Rights Reserved.