FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sinamdar
Staff
Staff
Description

This article describes how to create FortiGate admin users which can be authenticated by a LDAP server.


Scope
Access FortiGate WebGUI using LDAP users

Solution
Configuration Method.

In order to use an LDAP server to authenticate administrators in a VDOM, the authentication has to be configured before the administrator accounts are created.

1)  Configure an LDAP server

For example:



# config user ldap
    edit "ldap"
        set server "10.40.9.78"
        set cnid "sAMAccountName"
        set dn "dc=dubailab,dc=lab"
        set type regular
        set username "cn=administrator,cn=users,dc=dubailab,dc=lab"
        set password p@ssword
    end

If only a particular group of members are to be allowed to login to the FortiGate as administrators then a FortiGate group must be configured to limit the access.


2.) Create a LDAP user group.




# config user group
    edit "salesgrp"
        set group-type firewall
        set authtimeout 0
        set auth-concurrent-override disable
        set http-digest-realm ''
        set member "ldap"
        # config match
            edit 1
                set server-name "ldap"
                set group-name "CN=salesgrp,CN=Users,DC=dubailab,DC=lab"
            next
        end
    next
end
3.) Configure an administrator to authenticate with a LDAP server.




# config system admin
    edit "ldap_admin"
        set remote-auth enable
        set accprofile "prof_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "salesgrp"
    next
end
The remainder of the parameters has to be left with the default values.

Note:

If 'wildcard' is not being enabled this means that not all members of the LDAP (AD) group are being allowed.
In this case it is necessary to configure the name with the same name that the user has on AD with their password.


Verifying, accessing the FortiGate WebGUI using LDAP user 'sales', login to FortiGate WebGUI using 'sales' user



Using below commands capture the debug output.

# diag debug enable
# diag debug application fnbamd -1

[59] ldap_dn_list_del_all-Del CN=sales,OU=new2,DC=dubailab,DC=lab
[3141] fnbamd_ldap_result-Result for ldap svr 10.40.9.78 is SUCCESS
[399] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=dubailab,DC=lab
[3152] fnbamd_ldap_result-Passed group matching
[1047] find_matched_usr_grps-Group 'salesgrp' passed group matching
[1048] find_matched_usr_grps-Add matched group 'salesgrp'(2)
[2887] fnbamd_fas_send_push-username:sales, vdom:root, usertype:0, tfc=0, auth_type:16

[181] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 295304432
[724] destroy_auth_session-delete session 295304432
[59] ldap_dn_list_del_all-Del CN=salesgrp,CN=Users,DC=dubailab,DC=lab
[59] ldap_dn_list_del_all-Del CN=Domain Users,CN=Users,DC=dubailab,DC=lab

Contributors