Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
neder
New Contributor

Fortinet Authenticator in workgroup environment with ldap and samba4

Hello, I’m not really sure if I understood correctly what It can do.

We have many workgroup clients, a ldap and samba4. Basically our preference is to not bind clients to a domain.

Can Forti Authenticator be used to logon on workgroup clients with ldap+samba4 servers without binding client to the samba4 domain?

It can manage workgroup client login credential (self change password) or they are going to be managed independently? Maybe with Mobility Agent?

10.0.0.0.1 192.168.1.254
2 REPLIES 2
Stephen_G
Moderator
Moderator

Hello neder,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Stephen - Fortinet Community Team
Debbie_FTNT
Staff
Staff

Dear neder,

this is a bit of guesswork, as I haven't worked much with samba4 servers and FortiAuthenticator (I've primarily worked with Windows AD and FortiAuthenticator), but to my understanding:

- no, FortiAuthenticator does NOT need to be joined to the samba4 domain, nor should it bind any clients

-> as long as the samba4 server is added as a simple LDAP server (and Windows domain join is left disabled), FortiAuthenticator should only check the user credentials and that's it

-> please note that CHAP and MSCHAPv2 will not work as encryption methods (CHAP requires the user be local on FortiAuthenticator, MSCHAPv2 requires the user be either local or FortiAuthenticator joined to the domain)

- users should be able to change their password IF you have set up a self-service portal on FortiAuthenticator to allow this, and the connection to the LDAP server is secured (LDAPS usually)

 

- Mobility Agent is something completely unrelated to LDAP authentication discussed above; it's an integration with FSSO, meaning that the mobility agent will pick up user logins on the client host and forward to FortiAuthenticator, and FortiAuthenticator can share this with connected FortiGates so FortiGates are aware of logged-in users and can apply identity-based policies without users needing to actively log in

-> Mobility Agent does tie into LDAP/domain insofar that FortiAuthenticator will query a related LDAP server to find the user's group information and include that in the FSSO login

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Top Kudoed Authors