FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.

This article describes how to create FortiGate administrator accounts that are authenticated by an LDAP server.

Access FortiGate WebGUI using LDAP users

Configuration Method.

In order to use an LDAP server to authenticate administrators in a VDOM, the authentication has to be configured before the administrator accounts are created.

1) Configure an LDAP server.

For example (the server value is left empty here; enter the LDAP server's IP address or FQDN):

# config user ldap
    edit "ldap"
        set server ""
        set cnid "sAMAccountName"
        set dn "dc=dubailab,dc=lab"
        set type regular
        set username "cn=administrator,cn=users,dc=dubailab,dc=lab"
        set password p@ssword
    next
end

If only the members of a particular group are to be allowed to log in to the FortiGate as administrators, a FortiGate user group must be configured to limit access.

2) Create an LDAP user group.

# config user group
    edit "salesgrp"
        set group-type firewall
        set authtimeout 0
        set auth-concurrent-override disable
        set http-digest-realm ''
        set member "ldap"
        # config match
            edit 1
                set server-name "ldap"
                set group-name "CN=salesgrp,CN=Users,DC=dubailab,DC=lab"
            next
        end
    next
end

3) Configure an administrator to authenticate with an LDAP server.

# config system admin
    edit "ldap_admin"
        set remote-auth enable
        set accprofile "prof_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "salesgrp"
    next
end

The remaining parameters are left at their default values.


If 'wildcard' is not enabled, not all members of the LDAP (AD) group are allowed to log in.
In that case the administrator account must be created with the same name the user has in AD, together with the user's password.

Verification: log in to the FortiGate WebGUI with the LDAP user 'sales'.

Capture the debug output using the following commands:

# diag debug enable
# diag debug application fnbamd -1

[59] ldap_dn_list_del_all-Del CN=sales,OU=new2,DC=dubailab,DC=lab
[3141] fnbamd_ldap_result-Result for ldap svr is SUCCESS
[399] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=dubailab,DC=lab
[3152] fnbamd_ldap_result-Passed group matching
[1047] find_matched_usr_grps-Group 'salesgrp' passed group matching
[1048] find_matched_usr_grps-Add matched group 'salesgrp'(2)
[2887] fnbamd_fas_send_push-username:sales, vdom:root, usertype:0, tfc=0, auth_type:16

[181] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 295304432
[724] destroy_auth_session-delete session 295304432
[59] ldap_dn_list_del_all-Del CN=salesgrp,CN=Users,DC=dubailab,DC=lab
[59] ldap_dn_list_del_all-Del CN=Domain Users,CN=Users,DC=dubailab,DC=lab
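As an added example (not part of the Fortinet article), the following Python script reduces an fnbamd trace like the one above to the facts the verification step checks: the LDAP bind result, the FortiGate groups that passed matching, the user and VDOM, and the final result code. It assumes, based only on the successful trace shown here, that a result code other than 0 means the login was not granted; the second trace is constructed to show a login that must be rejected because no group matched.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
# Patterns follow the fnbamd message formats shown in the article's debug output.
RE_LDAP_RESULT = re.compile(r"fnbamd_ldap_result-Result for ldap svr is (\w+)")
RE_GROUP_PASS = re.compile(r"find_matched_usr_grps-Group '([^']+)' passed group matching")
RE_PUSH = re.compile(r"fnbamd_fas_send_push-username:([^,]+), vdom:([^,]+)")
RE_FINAL = re.compile(r"fnbamd_comm_send_result-Sending result (\d+) \(error (\d+)")

@dataclass
class AuthTrace:
    username: str | None = None
    vdom: str | None = None
    ldap_result: str | None = None        # "SUCCESS" in the article's trace
    matched_groups: list[str] = field(default_factory=list)
    result_code: int | None = None        # 0 for the successful login in the article

    def admin_login_ok(self, required_group: str) -> bool:
        # Assumption: a non-zero final result code means the login was not granted.
        return (self.ldap_result == "SUCCESS" and self.result_code == 0
                and required_group in self.matched_groups)

def parse_fnbamd(lines: list[str]) -> AuthTrace:
    """Reduce one fnbamd authentication trace to the fields worth checking."""
    t = AuthTrace()
    for line in lines:
        if m := RE_LDAP_RESULT.search(line):
            t.ldap_result = m.group(1)
        elif m := RE_GROUP_PASS.search(line):
            t.matched_groups.append(m.group(1))
        elif m := RE_PUSH.search(line):
            t.username, t.vdom = m.group(1), m.group(2)
        elif m := RE_FINAL.search(line):
            t.result_code = int(m.group(1))
    return t
# Lines from the successful 'sales' login shown in the article.
SUCCESS_TRACE = """\
[3141] fnbamd_ldap_result-Result for ldap svr is SUCCESS
[1047] find_matched_usr_grps-Group 'salesgrp' passed group matching
[2887] fnbamd_fas_send_push-username:sales, vdom:root, usertype:0, tfc=0, auth_type:16
[181] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 295304432
""".splitlines()

# Constructed trace (not from the article): bind succeeded, no group matched, non-zero result.
NO_GROUP_TRACE = """\
[3141] fnbamd_ldap_result-Result for ldap svr is SUCCESS
[2887] fnbamd_fas_send_push-username:bob, vdom:root, usertype:0, tfc=0, auth_type:16
[181] fnbamd_comm_send_result-Sending result 1 (error 0, nid 0) for req 295304433
""".splitlines()
```

Run `parse_fnbamd(SUCCESS_TRACE).admin_login_ok("salesgrp")` against a trace captured with the commands above to confirm that the login was granted through the expected group rather than by some other path.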