Hello, I’m not really sure if I understood correctly what it can do.
We have many workgroup clients, an LDAP and samba4. Basically our preference is to not bind clients to a domain.
Can FortiAuthenticator be used to log on to workgroup clients with LDAP+samba4 servers without binding the client to the samba4 domain?
Can it manage workgroup client login credentials (self change password), or are they going to be managed independently? Maybe with Mobility Agent?
Hello neder,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Dear neder,
this is a bit of guesswork, as I haven't worked much with samba4 servers and FortiAuthenticator (I've primarily worked with Windows AD and FortiAuthenticator), but to my understanding:
- no, FortiAuthenticator does NOT need to be joined to the samba4 domain, nor should it bind any clients
-> as long as the samba4 server is added as a simple LDAP server (and Windows domain join is left disabled), FortiAuthenticator should only check the user credentials and that's it
-> please note that CHAP and MSCHAPv2 will not work as encryption methods (CHAP requires the user be local on FortiAuthenticator, MSCHAPv2 requires the user be either local or FortiAuthenticator joined to the domain)
- users should be able to change their password IF you have set up a self-service portal on FortiAuthenticator to allow this, and the connection to the LDAP server is secured (LDAPS usually)
- Mobility Agent is something completely unrelated to LDAP authentication discussed above; it's an integration with FSSO, meaning that the mobility agent will pick up user logins on the client host and forward to FortiAuthenticator, and FortiAuthenticator can share this with connected FortiGates so FortiGates are aware of logged-in users and can apply identity-based policies without users needing to actively log in
-> Mobility Agent does tie into LDAP/domain insofar that FortiAuthenticator will query a related LDAP server to find the user's group information and include that in the FSSO login