Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
grog
New Contributor II

Google ldaps as LDAP Server - client certificates

 

Google LDAPS requires client certificates. I found the option to use client certs for FortiAuthenticator (Use Client Certificate for TLS Authentication) but cannot find the same for fortigate. Setting up a LDAP Server on fortigate just provides CA Cert and no way that I can see to upload a client certificate. I am wanting to confirm this is the case, that I didn't miss anything, before I setup stunnel to facilitate the use of client certs as suggested by Google.

 

Thank you,

 

PS I was able to setup JumpCloud as an LDAP Server, but it does not require client certificates.

7 REPLIES 7
grog
New Contributor II

With stunnel configured and access credentials for the google fortinet client i created, then all worked well. Will see if I can get a feature request for using client certs in fortigate...

warrenkerrigan
New Contributor

I know this was a long time ago now, but did you ever get any further with this?

grog
New Contributor II

No further. Talked with Fortinet but they rejected the feature request because the capability is in the FortiAuthenticator. So I'm still using stunnel. I still feel client certificates should be supported in the Fortinet firewalls since both PAN and pfSense support client certificates in their firewalls (based on what I found with some simple searches).

warrenkerrigan

Thanks for the response. Yes, it does appear a little strange. I will update if I find a nicer solution, but that seems to be the best I can do for now.

epaul
New Contributor

Looks like FortiGate with Fortios 7.2 can do it. But i have a problem with dn configuration of ldap.google.com.

I can connect with ldapsearch, using my credentials, but FortiGate always give me error of authentication.

Did someone succeed with Google LDAP Setup?

Markus_M
Staff
Staff

Hello Paul,

 

I don't know google LDAP service itself in detail. But if Google LDAP is a plain LDAP server then it should work fine. It will be then a configuration issue.

Since google is an Internet based service, I would expect (not knowing) that you are required to use LDAPS, LDAP over TLS. The FortiGate MUST have the root CA imported such that the LDAPS server can identify itself with its server certificate and the FortiGate will trust it.

If that is given, LDAP can be spoken.

The baseDN of your directory is important, ldap.google.com may not be correct, but it would be more specific to your own data realm, DC=forti,DC=lab,DC=google,DC=com, for example.

The CNID, will be the attribute NAME that your LDAP server stores the VALUEs in.

CNID could be "uid", while the value of the "uid" on the server holds the user ID, like "testuser01".

 

Best regards,

 

Markus

epaul
New Contributor

Looks like with this config it´s working, but I´d to ajust timeouts for LDAP as it´s taking x10 time more than with local stunnel

 

set server "ldap.google.com"
set server-identity-check disable
set cnid "posixUid"
set dn "dc=domain,dc=com"
set type regular
set username "user"
set password *
set group-member-check posix-group-object
set group-search-base "ou=Groups,dc=domain,dc=com"
set group-object-filter "(objectClass=posixGroup)"
set secure ldaps
set port 636
set member-attr "memberUid"
set client-cert-auth enable
set client-cert "CRT"

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors