FortiGate
gbamania (Staff)
Article Id 216481
Description

This article describes which username format must be used when LDAP authentication is integrated with FortiGate, for example LDAP user authentication for logging in to FortiGate, or for SSL-VPN authentication.

Scope: All FortiGate firmware versions.

Solution

In this Active Directory configuration, the user's CN value is 'JohnRice' and the sAMAccountName is 'John'.

Case 1: When the cn value is used as the 'Common Name Identifier'.

[Screenshot: FortiGate LDAP server configuration with Common Name Identifier set to cn]

When the user authenticates, the username must be the value shown in the Display Name section of the user's Active Directory properties.

 

For example:

Username: JohnRice (see the screenshot below).

[Screenshot: Active Directory user properties showing Display Name 'JohnRice']

Below are packet capture snippets showing the working and non-working scenario for each case.

If Common Name Identifier: CN is used in the FortiGate's LDAP configuration:

- Username: 'JohnRice' will show a successful LDAP bind response.

- Username: 'John' will show an unsuccessful LDAP bind response.

 

Working scenario:

Search request:

[Screenshot: packet capture of the LDAP search request for username 'JohnRice']

Search response:

[Screenshot: packet capture of the LDAP search response]

Bind request and response after the successful search request:

[Screenshot: packet capture of the LDAP bind request and bind response]

Non-working scenario:

Search request:

[Screenshot: packet capture of the LDAP search request for username 'John']

Search response:

[Screenshot: packet capture of the LDAP search response]

 

Case 2: When sAMAccountName is used as the 'Common Name Identifier'.

[Screenshot: FortiGate LDAP server configuration with Common Name Identifier set to sAMAccountName]

When the user authenticates, the username must be the value shown in the 'User logon name' section of the user's Active Directory properties.

For example:

Username: John (see the screenshot below).

[Screenshot: Active Directory user properties showing User logon name 'John']

If Common Name Identifier: sAMAccountName is used in the FortiGate's LDAP configuration:

- Username: 'John' will show a successful LDAP bind response.

- Username: 'JohnRice' will show an unsuccessful LDAP bind response.
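As an added illustration (not part of the article), the following Python models the two-step lookup FortiGate performs in both cases above: it searches the directory for an entry whose Common Name Identifier attribute equals the typed username, and only if an entry is found does it bind as that DN. The directory entry, DN and password are constructed sample data; the filter escaping is the standard RFC 4515 rule, added so a typed username cannot change the shape of the search filter.

```python
from typing import Optional

# Constructed sample directory: one AD user whose CN and sAMAccountName differ,
# the exact situation the article describes. The password is made up.
DIRECTORY = [
    {
        "dn": "CN=JohnRice,OU=Users,DC=example,DC=local",
        "cn": "JohnRice",
        "sAMAccountName": "John",
        "userPassword": "s3cret-example",
    },
]

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a typed username cannot alter the search filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))

def build_filter(cnid: str, username: str) -> str:
    """Step 1: the filter sent to the server, e.g. (cn=JohnRice) or (sAMAccountName=John)."""
    return f"({cnid}={escape_filter_value(username)})"

def search_user_dn(cnid, username, directory=DIRECTORY) -> Optional[str]:
    """Evaluate the filter against the directory; None models an empty search response."""
    if not username:
        return None
    for entry in directory:
        # AD attribute values compare case-insensitively.
        if entry.get(cnid, "").lower() == username.lower():
            return entry["dn"]
    return None

def authenticate(cnid, username, password, directory=DIRECTORY) -> dict:
    """Step 2: bind as the DN found in step 1. No DN means no bind and a failed login."""
    flt = build_filter(cnid, username)
    user_dn = search_user_dn(cnid, username, directory)
    if user_dn is None:
        return {"filter": flt, "dn": None, "bind": "no entry found"}
    entry = next(e for e in directory if e["dn"] == user_dn)
    ok = entry["userPassword"] == password
    return {"filter": flt, "dn": user_dn, "bind": "success" if ok else "invalidCredentials"}

if __name__ == "__main__":
    for cnid, user in [("cn", "JohnRice"), ("cn", "John"),
                       ("sAMAccountName", "John"), ("sAMAccountName", "JohnRice")]:
        print(cnid, user, authenticate(cnid, user, "s3cret-example"))
```

Running it shows the same pattern as the captures: 'JohnRice' succeeds only with cn, 'John' only with sAMAccountName, and the mismatched username never reaches the bind step because the search returns nothing.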

 

Working scenario:

[Screenshot: packet capture of the LDAP search request and response for username 'John']

[Screenshot: packet capture of the LDAP bind request and bind response]

Non-working scenario:

Search request:

[Screenshot: packet capture of the LDAP search request for username 'JohnRice']

Search response:

[Screenshot: packet capture of the LDAP search response]