FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
Somashekara_Hanumant
Staff & Editor
Article Id 193069

Description


This article describes how to configure an LDAP server and an authentication scheme on FortiProxy so that explicit proxy users are authenticated against LDAP (here, Active Directory).

LDAP user authentication in explicit proxy mode involves the following steps:

  • Configure the LDAP server.
  • Configure the authentication scheme, the authentication rule and the proxy authentication settings.
  • Configure a firewall policy of type explicit-web that references an LDAP user group.
  • Enable the proxy settings on the workstation and test the authentication.

 

Scope

 

FortiProxy

Solution

 

Configure the LDAP server.

With 'set type regular', FortiProxy binds to the directory with the account given in 'username'/'password', searches below the base 'dn' for an entry whose 'cnid' attribute (sAMAccountName for Active Directory) matches the login name, and then binds again with the user's own credentials to verify the password. The configuration below is a lab setup: it binds as the domain administrator and, because no port or 'secure' setting is given, uses plain LDAP on TCP 389. In production use a dedicated read-only bind account and LDAPS (TCP 636), since a plain LDAP bind sends the bind password and every user's password in clear text.

config user ldap
    edit "Proxy-AD"
        set server "10.40.9.78"
        set cnid "sAMAccountName"
        set dn "dc=dubailab,dc=lab"
        set type regular
        set username "cn=administrator,cn=users,dc=dubailab,dc=lab"
        set password xxxxxx
    next
end
 
Configure the authentication scheme.

The scheme ties an authentication method to a user database. 'basic' is HTTP Basic authentication: the browser prompts for credentials and sends them to the proxy in the Proxy-Authorization header, base64-encoded but not encrypted, so the network path between the client and the proxy must be trusted.

config authentication scheme
    edit "ldap-scheme"
        set method basic
        set user-database "Proxy-AD"
    next
end
 
Configure the authentication rule.

The rule selects which traffic is subject to authentication. For testing, the source address is limited to the single host 10.40.9.42/32, so LDAP users are asked to authenticate only when they come from that IP address on port2.

config firewall address
    edit "9-42"
        set subnet 10.40.9.42 255.255.255.255
    next
end

config authentication rule
    edit "ldap_rule"
        set srcintf "port2"
        set srcaddr "9-42"
        set dstaddr "all"
        set active-auth-method "ldap-scheme"
    next
end
 
Configure the proxy authentication settings.

This makes 'ldap-scheme' the default active authentication scheme for the proxy.

config authentication setting
    set active-auth-scheme "ldap-scheme"
end
 
Configure the firewall policy with LDAP authentication by selecting the explicit mode (type explicit-web).

The policy references the user group "ldap-sslvpn". That group is not shown in this article; it must already exist with "Proxy-AD" as a member, otherwise the CLI rejects the 'set groups' line and no LDAP user can match the policy.

config firewall policy
    edit 1
        set type explicit-web
        set explicit-web-proxy "web-proxy"
        set dstintf "port1"
        set srcaddr "9-42"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set groups "ldap-sslvpn"
        set utm-status enable
    next
end
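The following is an added example, not configuration from the original article, that supplies the two things the policy above depends on but the article does not show: the user group "ldap-sslvpn" (with "Proxy-AD" as its member and, optionally, a match on one AD group), and a hardened version of the LDAP server definition that replaces the administrator bind and plain LDAP with a dedicated read-only account and LDAPS. The service account "svc-fortiproxy", the AD group "ProxyUsers", the CA certificate object "DubaiLab-Root-CA" and the OU names are assumptions chosen for the example. Lines beginning with '#' are explanatory comments and should be removed before pasting into the FortiProxy CLI.

```text
# Added example, not from the original article. Assumed names: svc-fortiproxy,
# ProxyUsers, DubaiLab-Root-CA and the OU paths; the CA certificate must have
# been imported under that name before 'set ca-cert' is accepted.

# LDAP server: same search settings as "Proxy-AD" in the article, but with a
# read-only service account and an encrypted, certificate-verified connection.
config user ldap
    edit "Proxy-AD"
        set server "10.40.9.78"
        set cnid "sAMAccountName"
        set dn "dc=dubailab,dc=lab"
        set type regular
        # dedicated read-only bind account instead of cn=administrator
        set username "cn=svc-fortiproxy,ou=ServiceAccounts,dc=dubailab,dc=lab"
        set password xxxxxx
        # LDAPS on TCP 636; the server certificate is checked against the imported CA
        set secure ldaps
        set port 636
        set ca-cert "DubaiLab-Root-CA"
    next
end

# User group referenced by the policy's 'set groups "ldap-sslvpn"'.
# With 'config match' present, only LDAP users whose group list contains the
# given DN are treated as members; without it, any user that authenticates
# successfully against Proxy-AD is a member.
config user group
    edit "ldap-sslvpn"
        set member "Proxy-AD"
        config match
            edit 1
                set server-name "Proxy-AD"
                set group-name "CN=ProxyUsers,OU=Groups,DC=dubailab,DC=lab"
            next
        end
    next
end
```

After applying this, 'diagnose test authserver ldap Proxy-AD <username> <password>' should report a successful bind and list the user's groups; a user whose list does not include the DN under 'config match' authenticates but is refused by the policy, which is the expected behaviour of the group restriction. From the workstation, a request sent through the proxy without credentials should receive a 407 Proxy Authentication Required, and the same request with the user's credentials should succeed.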
 
Configure the user's browser and validate.

Point the workstation's browser at the FortiProxy explicit web proxy (its IP address and listening port) and open a web page. The proxy answers with a 407 Proxy Authentication Required challenge, the browser prompts for a username and password, and FortiProxy validates them against the LDAP server.

Once the user is authenticated, the user appears under FortiView -> User.
 

 

Note:

Active LDAP authentication is only supported for HTTP, HTTPS, FTP and Telnet, because these are the protocols on which the proxy can send a credential challenge to the client.

 

Troubleshooting:

Useful debug commands. Filter on the test client's IP address first so that only its proxy sessions are logged, then enable the WAD authentication and policy categories and the fnbamd daemon, which performs the LDAP bind:

diagnose wad filter src <source IP>
diagnose wad debug enable category auth
diagnose wad debug enable category policy
diagnose wad debug enable level verbose
diagnose debug application fnbamd -1
diagnose debug enable

 

To disable debug:

diagnose debug disable
diagnose debug reset

 

Then run the following command on FortiProxy to verify that user authentication against the LDAP server works. It performs the same bind sequence as a real login and reports whether the user authenticated and which groups the user belongs to:

diagnose test authserver ldap <server_name> <username> <password>

 

Related document:

Configuring an LDAP server