FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
Article Id 410261
Description This article describes how to use the logic 'AND' on a FortiProxy user group to control which users can access certain data.
Scope FortiProxy, LDAP.
Solution

LDAP is widely used for authentication. The following is a typical configuration with LDAP on FortiProxy.


config user ldap
    edit "My-AD"
        # LDAP server settings (server, dn, cnid, bind credentials) omitted here for brevity
    next
end

config authentication scheme
    edit "LDAP-Auth"
        set method basic
        set user-database "My-AD"
    next
end

config authentication rule
    edit "Incoming"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set active-auth-method "LDAP-Auth"
    next
end


config user group
    edit "My_LDAP"
        set member "My-AD"
        # Note: no group matching applied here
    next
end

config firewall policy
    edit 2
        set type explicit-web
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set utm-status enable
        set webfilter-profile "Custom_Web_Filter"
        set groups "My_LDAP"
    next
end


As long as the user is authenticated, the user can access the resource per the policy, with the restrictions defined in the web filtering profile applied.

Now consider the case where one specific user in the LDAP server must be allowed to access a single URL, say drive.google.com, while the remaining users keep the existing restrictions.

The solution is to use the logic 'AND' for the user group: with logic-type 'and', the group matches only when the user matches every member, so a group containing the LDAP server and a single local user of type ldap matches only that one user.

config user local
    edit "MrHi"
        set type ldap
        set ldap-server "My-AD"
    next
end

config user group
    edit "MY_LDAP_Hi"
        set logic-type and
        set member "My-AD" "MrHi"
    next
end

config firewall policy
    edit 1
        set type explicit-web
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "google-drive"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set utm-status enable
        set groups "MY_LDAP_Hi"
    next
    move 1 before 2
end


Once the above configuration is applied, the specific user can access Google Drive while the other users are still blocked from accessing drive.google.com. The 'move 1 before 2' step is required: policy 2 also matches the specific user (who is a member of My-AD), and policies are evaluated top-down with the first match applied, so policy 1 must sit above policy 2.

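To make the 'AND' group semantics and the policy ordering concrete, here is an added Python model of the lookup described above. It is not Fortinet's code and not FortiProxy's real evaluation engine; the matching rules are a simplified assumption. Object names (My-AD, MrHi, My_LDAP, MY_LDAP_Hi) follow the article, and the address object "google-drive" is assumed to stand for drive.google.com. The model shows that MrHi matches both groups, which is why policy 1 must be placed before policy 2.

```python
"""Toy model of FortiProxy user-group matching and first-match policy lookup.

Added example, not Fortinet's code. The rules below are a simplified
assumption used to illustrate the article's configuration, not FortiProxy
internals.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Group:
    name: str
    members: Tuple[str, ...]    # LDAP server names and/or local user names
    logic: str = "or"           # 'or' (default) or 'and', as in 'set logic-type'


@dataclass(frozen=True)
class Policy:
    pid: int
    dstaddr: str                # address object name; 'all' matches any destination
    groups: Tuple[str, ...]
    blocks_drive: bool = False  # True when the policy's web filter profile blocks drive.google.com


def member_matches(member: str, user: str, ldap_server: str) -> bool:
    """An LDAP-server member matches any user that server authenticated;
    a local user of type ldap matches only that one user name."""
    return member == ldap_server or member == user


def group_matches(group: Group, user: str, ldap_server: str) -> bool:
    """logic-type and: every member must match; logic-type or: any member suffices."""
    results = [member_matches(m, user, ldap_server) for m in group.members]
    return all(results) if group.logic == "and" else any(results)


def first_match(policies: List[Policy], groups: Dict[str, Group],
                user: str, ldap_server: str, dest: str) -> Optional[Policy]:
    """Top-down, first-match lookup: destination and at least one group must match."""
    for pol in policies:
        if pol.dstaddr not in ("all", dest):
            continue
        if any(group_matches(groups[g], user, ldap_server) for g in pol.groups):
            return pol
    return None


# Objects from the article. The address object "google-drive" is assumed
# (not defined on the page) to cover drive.google.com.
GROUPS = {
    "My_LDAP": Group("My_LDAP", ("My-AD",)),
    "MY_LDAP_Hi": Group("MY_LDAP_Hi", ("My-AD", "MrHi"), logic="and"),
}
POLICY_1 = Policy(1, "google-drive", ("MY_LDAP_Hi",))
POLICY_2 = Policy(2, "all", ("My_LDAP",), blocks_drive=True)  # Custom_Web_Filter blocks Drive


def drive_decision(policies: List[Policy], user: str) -> Tuple[Optional[int], str]:
    """Return (matched policy id or None, 'allow' or 'block') for drive.google.com.
    Every user is assumed to have authenticated against My-AD."""
    pol = first_match(policies, GROUPS, user, "My-AD", "google-drive")
    if pol is None:
        return None, "block"
    return pol.pid, ("block" if pol.blocks_drive else "allow")


if __name__ == "__main__":
    ordered = [POLICY_1, POLICY_2]    # after 'move 1 before 2'
    unordered = [POLICY_2, POLICY_1]  # without the move: policy 2 shadows policy 1
    for user in ("MrHi", "alice"):    # 'alice' is a constructed second AD user
        print(user, "ordered:", drive_decision(ordered, user),
              "unordered:", drive_decision(unordered, user))
```

Running it shows MrHi allowed through policy 1 and alice blocked by policy 2 only when policy 1 is first; with the original order, MrHi is caught by policy 2 and blocked, because the plain "My_LDAP" group (logic 'or', single member My-AD) matches every authenticated AD user including MrHi.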