mricardez
Staff
Article Id 197894
Description
This article describes how to administer the FortiGate with a user from an LDAP server instead of creating a local administrator account.

Scope

Solution
1) Create an LDAP server profile.
# config user ldap
    edit "LdapServer"
        set server "192.168.100.3"
        set cnid "cn"
        set dn "dc=markoz,dc=com,dc=mx"
        set type regular
        set username "CN=Administrator, CN=users, DC=markoz,DC=com,DC=mx"
        set password ENC ...
    next
end
2) Identify the user's group membership on the LDAP server. In this example the user is Prueba1:
# diagnose test authserver ldap LdapServer Prueba1 Prueba3#
authenticate 'Prueba1' against 'LdapServer' succeeded!
Group membership(s) - CN=Finanzas,CN=Users,DC=markoz,DC=com,DC=mx                           <----- Finanzas.
                      CN=Domain Users,CN=Users,DC=markoz,DC=com,DC=mx

3) Create a local user group and map the LDAP group to it.
# config user group
    edit 'LDAP-Authentication'
        set member 'LdapServer'
        config match
            edit 1
                set server-name 'LdapServer'
                set group-name 'CN=Finanzas,CN=Users,DC=markoz,DC=com,DC=mx'                <----- Finanzas.
            next
        end
    next
end
4) Create an administrator account and associate it with the local group.
# config system admin
    edit "UserLDAP"
        set remote-auth enable
        set accprofile "super_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "LDAP-Authentication"
    next
end
5) Log in to the FortiGate with the user name and password of a member of the LDAP group. The list of logged-in administrators then shows the LDAP user name:
# get system admin list
username   local    device                         vdom     profile      remote                 started
admin      ssh      internal:192.168.1.91:22       root     super_admin  192.168.1.111:59804    2016-07-08 16:09:18
Prueba1    https    internal:192.168.1.91:9002     root     super_admin  192.168.1.111:59827    2016-07-08 16:14:12
Prueba1    ssh      internal:192.168.1.91:22       root     super_admin  192.168.1.111:59869    2016-07-08 16:15:55
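As an added example (not part of the article or of Fortinet's code), the following Python models the decision the FortiGate makes across steps 2 to 5: it parses the `diagnose test authserver ldap` output from step 2, checks whether one of the returned group DNs matches the `group-name` configured in step 3, and resolves which `accprofile` the wildcard admin from step 4 grants. The DN normalisation (case-insensitive, whitespace around RDNs ignored) and the `USER_GROUPS` / `ADMIN` dicts are assumptions that restate the article's CLI configuration as data; the real FortiGate comparison may be stricter, so the configured string should still be kept identical to what the directory returns.

```python
import re

# Constructed samples: the step 2 diagnose output, the step 3 group match and
# the step 4 admin entry from the article, expressed as Python data (assumption).
DIAG_OUTPUT = """authenticate 'Prueba1' against 'LdapServer' succeeded!
Group membership(s) - CN=Finanzas,CN=Users,DC=markoz,DC=com,DC=mx
                      CN=Domain Users,CN=Users,DC=markoz,DC=com,DC=mx
"""
USER_GROUPS = {"LDAP-Authentication": ["CN=Finanzas,CN=Users,DC=markoz,DC=com,DC=mx"]}
ADMIN = {"name": "UserLDAP", "remote-auth": True, "wildcard": True,
         "remote-group": "LDAP-Authentication", "accprofile": "super_admin"}

def normalize_dn(dn):
    """Canonical DN for comparison: split on unescaped commas, trim the spaces
    around each RDN, lower-case types and values (assumption: the directory
    matches DNs case-insensitively, as Active Directory does)."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)

def parse_diag_groups(output):
    """Return (authenticated, [group DNs]) from 'diagnose test authserver' text."""
    lines = output.splitlines()
    authenticated = bool(lines) and "succeeded" in lines[0]
    groups = []
    for line in lines:
        if line.startswith("Group membership(s) -"):
            groups.append(line.split("-", 1)[1].strip())
        elif groups and line[:1].isspace() and line.strip():
            groups.append(line.strip())  # indented continuation lines hold more DNs
    return authenticated, groups

def user_maps_to_group(output, group_name):
    """Mirror the step 3 'config match': the user joins the FortiGate group only
    when authentication succeeded and a returned DN equals the configured one."""
    ok, groups = parse_diag_groups(output)
    wanted = {normalize_dn(g) for g in USER_GROUPS.get(group_name, [])}
    return ok and any(normalize_dn(g) in wanted for g in groups)

def resolve_admin_profile(output, admin):
    """Steps 4-5: with wildcard enabled the admin name is never compared with the
    LDAP user name; any user mapping into remote-group receives accprofile."""
    if not (admin["remote-auth"] and admin["wildcard"]):
        return None
    mapped = user_maps_to_group(output, admin["remote-group"])
    return admin["accprofile"] if mapped else None
```

Running `resolve_admin_profile(DIAG_OUTPUT, ADMIN)` yields `super_admin` for Prueba1, which is why the `get system admin list` output above shows Prueba1 with that profile rather than the UserLDAP name.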
