FortiWeb
Pedro_FTNT
Staff
Article Id 373775
Description This article describes how to limit the LDAP privileges required by the bind account (User DN) configured on a FortiWeb remote LDAP server, and how to restrict FortiWeb remote administration to specific remote AD users.
Scope FortiWeb
Solution
  1. Limit FortiWeb remote administration to specific remote AD users.

Step 1. Identify the AD group whose members are allowed to administer FortiWeb.

  • In this example, the remote LDAP user to be used as a FortiWeb remote administrator is 'test2', a member of the group IT4, located (canonical name) at:

tac.local/TOLUCA2/SISTEMAS2/IT4

Or, as a distinguished name:

CN=IT4,OU=SISTEMAS2,OU=TOLUCA2,DC=tac,DC=local


Step 2. Configure the admin user group.

  • Configure Group Name: CN=IT4,OU=SISTEMAS2,OU=TOLUCA2,DC=tac,DC=local. Only accounts that are members of this group can log in to FortiWeb as remote administrators; any other AD user is refused even if the LDAP bind itself succeeds.

  • Select OK.
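The check this configuration relies on is: bind to AD as the FortiWeb User DN, look up the account that is logging in, and confirm it is a member of the group whose DN was entered as Group Name. The following PowerShell script, an added example that is not part of the original article or of FortiWeb's own code, reproduces that lookup from a domain-joined Windows host so the group DN and the bind account can be verified before the test login from FortiWeb. The DC host name dc01.tac.local, the use of LDAPS on port 636, the location of the webadmin account in CN=Users, the function name Test-FortiWebAdminCandidate and the non-member account name are assumptions; the base DN, group DN, 'webadmin' and 'test2' come from the article.

```powershell
# Added example: reproduce the lookup FortiWeb makes when a remote administrator logs in.
# Assumptions: the DC is reachable as dc01.tac.local over LDAPS (636) with a trusted
# certificate, and the bind account 'webadmin' lives in CN=Users. DNs and user names
# are the article's.
Add-Type -AssemblyName System.DirectoryServices

$LdapHost   = 'dc01.tac.local:636'                                    # assumption
$BaseDn     = 'DC=tac,DC=local'
$BindDn     = 'CN=webadmin,CN=Users,DC=tac,DC=local'                  # assumption: webadmin's DN
$AdminGroup = 'CN=IT4,OU=SISTEMAS2,OU=TOLUCA2,DC=tac,DC=local'        # Group Name from Step 2

# Prompt for the bind password instead of embedding it in the script.
$secure = Read-Host -Prompt "Password for $BindDn" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$BindPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

function Test-FortiWebAdminCandidate {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Simple bind as the User DN, as FortiWeb does, but wrapped in TLS (SecureSocketsLayer
    # alone = simple bind over SSL; no Kerberos/NTLM negotiation).
    $root = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList @(
        "LDAP://$LdapHost/$BaseDn",
        $BindDn,
        $BindPassword,
        [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
    )

    $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList @($root)
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'memberOf'))

    # FindOne() throws if the bind itself fails (wrong DN or password, bind account
    # lacking read access, untrusted certificate): that is the same failure FortiWeb
    # would report as a connection error.
    $hit = $searcher.FindOne()
    if (-not $hit) {
        return [pscustomobject]@{ User = $SamAccountName; Found = $false; DN = $null; AdminAllowed = $false }
    }

    # memberOf lists direct group memberships only; nested membership is not expanded here.
    $groups = @($hit.Properties['memberof'])
    [pscustomobject]@{
        User         = $SamAccountName
        Found        = $true
        DN           = $hit.Properties['distinguishedname'][0]
        AdminAllowed = ($groups -contains $AdminGroup)   # case-insensitive string compare
    }
}

# Expected: test2 -> AdminAllowed True; an account outside IT4 -> AdminAllowed False.
Test-FortiWebAdminCandidate -SamAccountName 'test2'
Test-FortiWebAdminCandidate -SamAccountName 'someone.else'   # assumption: any account not in IT4
```

Run it as any domain user; the credentials that matter are the ones given for $BindDn, since that is what FortiWeb binds with. If the call for test2 returns Found = True and AdminAllowed = False, the Group Name DN does not match the group the user is actually in (compare the DN character by character, including OU order). If FindOne() throws with the minimal permissions described later in this article, the bind account is missing read access on the OU that holds the group.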

 

  2. Limit the LDAP privileges required by the user configured on the remote LDAP server.

  • Step 1. Configure the Remote LDAP Server -> User DN.

The FortiWeb CLI Reference describes this setting as follows:

username "<bind-dn_str>" <- '...of an LDAP user account with permissions to query the distinguished-name...'

  • The User DN (username) is the account FortiWeb binds with. It only needs permission to query the distinguished name, that is, read access to the group and user objects involved in the login; it does not need to be a Domain Admin or a member of any other privileged group.
  • In Active Directory terms, grant the User DN 'List contents' and 'Read all properties' on the group or organizational unit that contains the remote LDAP users who will act as FortiWeb administrators.
  • Because a simple LDAP bind sends this account's password to the server, use a dedicated service account with a strong password and enable a secure (TLS) connection to the LDAP server where the directory supports it.

Example:

 

  1. Configure the remote LDAP server using the LDAP user 'webadmin' as the User DN.

  • 'webadmin' is not an Active Directory or LDAP administrator.
  • 'webadmin' is a member of Domain Users only.


 

  2. Configure the 'Read all properties' and 'List contents' privileges for 'webadmin':

  • In this example, the remote LDAP user to be used as a FortiWeb remote administrator is 'test2', a member of the group IT4, located at:

tac.local/TOLUCA2/SISTEMAS2/IT4

Or, as a distinguished name:

CN=IT4,OU=SISTEMAS2,OU=TOLUCA2,DC=tac,DC=local


 

  • In Active Directory Users and Computers (with Advanced Features enabled), go to OU=SISTEMAS2 -> Properties -> Security -> Advanced.

  • Select Add.

  • Select 'Select a principal'.

  • Find and select the 'webadmin' user.

  • Under Permissions, select only 'List contents' and 'Read all properties'. Leave every other permission unchecked: the bind account needs no write, delete, create or full-control rights.

  • In the same dialog, scroll down to Properties and confirm that only read access is selected there; nothing beyond 'Read all properties' is required.

  • Apply and save the changes.
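The GUI steps above add a single access control entry for webadmin on OU=SISTEMAS2. The following PowerShell script, an added example that is not part of the original article, makes the same change from the command line and then lists what webadmin has been granted on the OU, so that the result can be checked against the intended minimum. It assumes the RSAT ActiveDirectory module is installed (it provides the AD: drive used by Get-Acl and Set-Acl), that the script runs as an account allowed to modify the OU's security descriptor, and that the GUI entries 'List contents' and 'Read all properties' correspond to the ListChildren and ReadProperty values of the ActiveDirectoryRights enumeration. The helper name Get-BindAccountRights is an assumption.

```powershell
# Added example: grant the FortiWeb bind account only 'List contents' and
# 'Read all properties' on the OU that holds the admin group, then verify.
# Assumes the RSAT ActiveDirectory module and rights to change the OU's ACL.
Import-Module ActiveDirectory

$OuDn     = 'OU=SISTEMAS2,OU=TOLUCA2,DC=tac,DC=local'
$OuPath   = "AD:\$OuDn"                       # AD: drive provided by the ActiveDirectory module
$BindUser = Get-ADUser -Identity 'webadmin'   # plain Domain User, as in the article

# GUI names -> ActiveDirectoryRights: 'List contents' = ListChildren,
# 'Read all properties' = ReadProperty. Nothing else is granted.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
          [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

# Allow, applied to this OU and all descendant objects (the IT4 group and the users in it).
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $BindUser.SID,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

$acl = Get-Acl -Path $OuPath
$acl.AddAccessRule($rule)
Set-Acl -Path $OuPath -AclObject $acl

function Get-BindAccountRights {
    # Return every ACE on the OU that names the given account, plus a flag that is set
    # when any Allow entry grants more than read access (the bind account never needs that).
    param([string]$OuPath, [string]$SamAccountName)

    $aces = (Get-Acl -Path $OuPath).Access |
        Where-Object { $_.IdentityReference.Value -like "*\$SamAccountName" }

    $tooBroad = $aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'Write|Delete|CreateChild|GenericAll|WriteDacl|WriteOwner|ExtendedRight'
    }

    [pscustomobject]@{
        Entries     = $aces | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
        ExceedsRead = [bool]$tooBroad
    }
}

$check = Get-BindAccountRights -OuPath $OuPath -SamAccountName 'webadmin'
$check.Entries | Format-Table -AutoSize
if ($check.ExceedsRead) {
    Write-Warning "webadmin holds more than read access on $OuDn; remove the extra rights."
}
```

The verification step is the part worth keeping: after the change, the only Allow entry for webadmin should read "ListChildren, ReadProperty". Note that in a domain with default security descriptors, Authenticated Users already has read access to most objects, so the explicit ACE mainly matters where those defaults have been tightened; in either case, confirm the result with the test connection from FortiWeb.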

 

  3. Test the connection from FortiWeb by logging in as the 'test2' user. The login should succeed, and an AD account that is not a member of IT4 should be refused.

 
