Google LDAPS requires client certificates. I found the option to use client certs for FortiAuthenticator (Use Client Certificate for TLS Authentication) but cannot find the same for FortiGate. Setting up an LDAP server on FortiGate only provides a CA cert field and no way that I can see to upload a client certificate. I want to confirm this is the case, and that I didn't miss anything, before I set up stunnel to facilitate the use of client certs as suggested by Google.
Thank you,
PS I was able to setup JumpCloud as an LDAP Server, but it does not require client certificates.
With stunnel configured and access credentials for the Google Fortinet client I created, everything worked well. I will see if I can get a feature request for using client certs in FortiGate...
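As an added example (not the poster's configuration, and not text from Google or Fortinet), this is the shape of the stunnel workaround described in this thread: stunnel runs as a TLS client, presents the Secure LDAP client certificate to ldap.google.com, and exposes a plain LDAP listener on the local host that the FortiGate points to. The listen port, file paths, and CA bundle path are assumptions; the `verifyChain`, `checkHost` and `CAfile` settings are standard stunnel options included so the proxy also validates Google's server certificate rather than trusting any peer.

```ini
; Added example stunnel.conf for the Google Secure LDAP workaround.
; Paths and the local port are placeholders, not values from the thread.
[google-ldap]
client = yes
; Local plain-LDAP listener that the FortiGate LDAP server object points at.
; Bind to localhost (or a firewalled interface): traffic here is unencrypted.
accept = 127.0.0.1:1636
connect = ldap.google.com:636
; Client certificate and key downloaded from the Google Admin console.
cert = /etc/stunnel/google-ldap-client.crt
key = /etc/stunnel/google-ldap-client.key
; Verify the server certificate chain and hostname so the tunnel does not
; silently accept a forged ldap.google.com.
verifyChain = yes
checkHost = ldap.google.com
CAfile = /etc/ssl/certs/ca-certificates.crt
```

The FortiGate then uses the stunnel host as its LDAP server with `secure` disabled (plain LDAP on port 1636 in this example). Because that hop is unencrypted, keep stunnel on the same host or segment as the FortiGate, or restrict the listener to the FortiGate's source address.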
I know this was a long time ago now, but did you ever get any further with this?
No further. Talked with Fortinet but they rejected the feature request because the capability is in the FortiAuthenticator. So I'm still using stunnel. I still feel client certificates should be supported in the Fortinet firewalls since both PAN and pfSense support client certificates in their firewalls (based on what I found with some simple searches).
Thanks for the response. Yes, it does appear a little strange. I will update if I find a nicer solution, but that seems to be the best I can do for now.
It looks like FortiGate with FortiOS 7.2 can do it. But I have a problem with the DN configuration for ldap.google.com.
I can connect with ldapsearch using my credentials, but FortiGate always gives me an authentication error.
Did someone succeed with Google LDAP Setup?
Hello Paul,
I don't know the Google LDAP service itself in detail. But if Google LDAP is a plain LDAP server then it should work fine. It would then be a configuration issue.
Since Google is an Internet-based service, I would expect (not knowing) that you are required to use LDAPS, LDAP over TLS. The FortiGate MUST have the root CA imported so that the LDAPS server can identify itself with its server certificate and the FortiGate will trust it.
If that is given, LDAP can be spoken.
The baseDN of your directory is important, ldap.google.com may not be correct, but it would be more specific to your own data realm, DC=forti,DC=lab,DC=google,DC=com, for example.
The CNID will be the attribute NAME that your LDAP server stores the VALUEs in.
CNID could be "uid", while the value of the "uid" on the server holds the user ID, like "testuser01".
Best regards,
Markus
It looks like it's working with this config, but I had to adjust the timeouts for LDAP as it takes about 10x longer than with local stunnel:
set server "ldap.google.com"
set server-identity-check disable
set cnid "posixUid"
set dn "dc=domain,dc=com"
set type regular
set username "user"
set password *
set group-member-check posix-group-object
set group-search-base "ou=Groups,dc=domain,dc=com"
set group-object-filter "(objectClass=posixGroup)"
set secure ldaps
set port 636
set member-attr "memberUid"
set client-cert-auth enable
set client-cert "CRT"
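The configuration above disables `server-identity-check`, which means the FortiGate accepts any certificate presented on port 636 and the mutual-TLS setup is only as strong as the path to ldap.google.com. As an added example (not the poster's or Fortinet's configuration), here is the same `config user ldap` object with server certificate validation kept on, the Google root CA referenced explicitly, and the global remote-auth timeouts the thread mentions raised. The object name, certificate names, `dc=domain,dc=com` base DN, and the timeout values are placeholders; the `#` lines are annotations for the reader and are not FortiOS CLI syntax to type in.

```fortios
# Added example: FortiOS 7.2 LDAP server object for Google Secure LDAP with
# mutual TLS and server certificate validation. Names are placeholders.
config user ldap
    edit "google-ldaps"
        set server "ldap.google.com"
        set secure ldaps
        set port 636
        # Keep identity checking on and trust only the imported CA that
        # signs ldap.google.com (import it under System > Certificates first).
        set server-identity-check enable
        set ca-cert "Google_Root_CA"
        # Mutual TLS: the client certificate generated in the Google Admin console.
        set client-cert-auth enable
        set client-cert "Google_LDAP_Client"
        # Directory layout as posted in this thread.
        set cnid "posixUid"
        set dn "dc=domain,dc=com"
        set type regular
        set username "user"
        set password <redacted>
        set group-member-check posix-group-object
        set group-search-base "ou=Groups,dc=domain,dc=com"
        set group-object-filter "(objectClass=posixGroup)"
        set member-attr "memberUid"
    next
end

# Global remote authentication timeouts. The thread reports Google LDAP
# responding roughly 10x slower than a local stunnel; values here are
# illustrative, tune them to the latency you measure.
config system global
    set remoteauthtimeout 30
    set ldapconntimeout 5000
end
```

After applying, `diagnose test authserver ldap google-ldaps <user> <password>` exercises the bind and group lookup through the TLS path, so a certificate-chain problem shows up as a distinct failure from a wrong `dn` or `cnid`.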
Copyright 2024 Fortinet, Inc. All Rights Reserved.