jkoay
Staff & Editor
Article Id 197643

Description


This article describes how to use FortiManager to configure FortiGate system administrators that authenticate against an LDAP server.

 

Scope

 

FortiManager, FortiGate.

Solution

 

  1. Enter the ADOM that holds the FortiGate device. Go to Policy & Objects -> Object Configurations -> User & Device -> LDAP Servers and make sure the LDAP server is correctly configured (server address, bind credentials, distinguished name, and port 636 with the issuing CA certificate if LDAPS is used):

  2. Go to User & Device -> User Groups and create a new user group. Give it a name, set the Type to 'Firewall', and add a Remote Authentication Server pointing to the LDAP server from step 1:

     Select Create New to add the Remote Authentication Server. 'Right-click' the directory group whose members should be allowed to administer the FortiGate to add it to the selection, then select OK:

  3. Go to Device Manager -> Managed Devices. 'Right-click' the managed device and select Refresh Device so that FortiManager retrieves the current device configuration:

  4. Select Install Wizard to push the new user group and LDAP server to the FortiGate. Select Install Policy Package & Device Settings, then select the Policy Package:

  5. Select Policy Package Diff to confirm that the new user group and the LDAP server configuration are part of what will be pushed to the device:

     Select Install to continue:

  6. Once the device is refreshed, select the device in the bottom-left panel and select Display Options. Select Administrators and confirm with OK:

  7. Hover the cursor over System: Dashboard and select Administrators:

  8. Select Create New to add a new administrator. Provide an administrator name, choose the 'Match all users on remote server group' type, select an Admin profile, and select the Remote User Group created in step 2:

  9. Select Install Wizard to install the latest configuration on the FortiGate:
 
 
Below is an example of the expected results:
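As an added illustration, not part of the original article, the following is the FortiGate CLI equivalent of the three objects that the steps above create through the FortiManager GUI and push with the Install Wizard: the LDAP server (step 1), the Firewall user group with a directory-group filter (step 2), and the wildcard administrator (step 8). The server name, IP address, DNs, group names, profile and trusted host are made up for the example; substitute your own.

```text
# FortiGate CLI equivalent of the objects pushed by the Install Wizard.
# All names, addresses and DNs below are made up for this example.

# Step 1: the LDAP server object (LDAPS on 636, regular bind with a service account)
config user ldap
    edit "LDAP-DC01"
        set server "192.0.2.10"
        set secure ldaps
        set port 636
        set ca-cert "CA_Cert_1"
        set cnid "sAMAccountName"
        set dn "DC=example,DC=com"
        set type regular
        set username "CN=svc-fortigate,CN=Users,DC=example,DC=com"
        set password <service-account-password>
    next
end

# Step 2: a Firewall user group backed by that server, restricted to one directory group
config user group
    edit "LDAP-Admins"
        set member "LDAP-DC01"
        config match
            edit 1
                set server-name "LDAP-DC01"
                set group-name "CN=FortiGate-Admins,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# Step 8: a wildcard administrator that matches every member of that group
config system admin
    edit "ldap-admins"
        set remote-auth enable
        set accprofile "super_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "LDAP-Admins"
        set trusthost1 198.51.100.0 255.255.255.0
    next
end
```

Two points worth checking in the Policy Package Diff before selecting Install: the user group must carry a 'config match' entry with the directory group selected in step 2, because 'set wildcard enable' grants the administrator profile to every account the group accepts, and a group with only 'set member' accepts any account that can bind to the directory; and the administrator should carry a trusted-host entry so that LDAP credentials alone are not enough to reach the management interface from anywhere.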
 

 

Troubleshooting

If the login fails when an administrator tries to log in to the FortiGate, enable the following debug commands on the FortiGate and reproduce the login attempt to capture live output:

 

diagnose debug application fnbamd 255  <- Up to version 6.4.2.

diagnose debug application authd 255   <- From version 6.4.3.

diagnose debug console timestamp enable

diagnose debug enable 

 

Once the output has been collected, disable the debug and reset the debug settings that were enabled:

 

diagnose debug disable

diagnose debug reset

 

Note:

FortiManager itself must be able to reach the LDAP server. When the Remote Authentication Server is selected while creating the User Group, FortiManager opens a TCP connection to the LDAP server on port 389 (LDAP) or 636 (LDAPS) to browse the directory.

If that traffic is not allowed and the TCP three-way handshake cannot complete, FortiManager cannot query the LDAP server and the User Group cannot be configured. This connection is separate from the one the FortiGate makes to the LDAP server when an administrator logs in, so both paths have to be permitted.
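Two checks that narrow the problem down before reading debug output, added here as an example and not taken from the original article. The server name and address match the made-up values used earlier on this page; 'jdoe' and the password are placeholders for a real directory account.

```text
# On the FortiGate: test the bind and group lookup for one account without a GUI login
# (server name matches the example configuration; jdoe and the password are placeholders)
diagnose test authserver ldap LDAP-DC01 jdoe 'P@ssw0rd!'

# On the FortiManager: confirm the three-way handshake to the LDAP server completes
# while the Remote Authentication Server is being selected in the User Group dialog
# (address and port are assumptions; use the values of your LDAP server)
diagnose sniffer packet any 'host 192.0.2.10 and port 636' 4 10
```

A successful authserver test reports the authentication as succeeded and lists the directory groups the account belongs to; compare that list against the group-name filter configured in the user group, since a user outside that group is rejected even though the bind itself works. In the sniffer output, a SYN answered by a SYN/ACK shows the path from FortiManager is open; a SYN with no reply, or an immediate RST, points at a firewall or routing problem between FortiManager and the LDAP server rather than at the LDAP configuration.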

 
