Touchnet_Priority
New Contributor II

How to add LDAP users with their email addresses

Hello everyone,

 

Model: FGT100E

Firmware: v6.2.3

 

I have set up an LDAP server, tested and working. When I add a new Remote LDAP User, it adds the user account; however, the email field is empty, despite this info being in the Windows AD user details. I'd like to enable email 2FA, so it would be ideal if I could add LDAP users and have the email address field populate with the address that is specified in AD. Is this possible?

 

Thank you for any info

 

Anonymous

Hello @Touchnet_Priority ,

Thank you for posting to the Fortinet Community Forum. We appreciate your patience.

As per your query, if you need to enable two-factor authentication for the remote LDAP user, you can enable it by any of the methods, such as SMS, email or token-based. However, based on past configurations, I have not seen the email address field populate with the address that is specified in AD. Let me know if that answers your query.

 

xsilver_FTNT
Staff

Hi Touchnet_Priority,

 

FortiOS / FortiGate

In short:

- it's not possible to sync email addresses from LDAP to FortiGate.

In longer description:

- users from LDAP (AD in your case) are imported via dialogs in 'User & Authentication / User Definition / Create New / User Type = Remote LDAP User'. Then there is an option to choose LDAP Server and then to pick from Remote Users.

- but on the FortiOS level there is no LDAP attribute-mapping configuration, and only a bare minimum of attributes (a fixed set) is imported from LDAP into FortiGate's config.

- so setting the email address is a manual operation there, as is token assignment, unless the REST API is used to automate it.

 

 

FortiAuthenticator

 

In short:

- FortiAuthenticator, as a centralized and specialized authentication concentrator, has more options.

- it's possible to import some LDAP properties, including email and phone number (needed for FortiToken Mobile - token activation code delivery via SMS).

 

In longer description:

- a simple import of the user into 'Authentication / User Management / Remote Users' is similar to FortiOS.

- however, right below the Remote Users menu is 'Remote User Sync Rules', and via this tool you can set up periodic synchronization of users from the LDAP backend.

- only users matching the LDAP Filter are synced.

- FortiTokens can also be automatically assigned to synced users, besides a few other automatic assignment options like User Group, User Role etc.

- pay attention to 'LDAP User Mapping Attributes', as it sets the mappings between user properties on FortiAuthenticator and the LDAP attributes those will be gathered from, including email address, phone number and certificate binding. Even the serial number of a preferred FortiToken 200 unit can be mapped, so hardware tokens can be distributed and, if their serial numbers are stored in AD/LDAP in the mapped attribute, then once a user is synced he will be paired with the suggested hardware token (if that one is available on FortiAuthenticator). Mobile tokens do not have that option, as they are not handed over manually and their distribution is different, so they can be assigned randomly from the pool of available tokens.

- once a user no longer matches the LDAP Filter, the user is automatically removed and his tokens freed, unless the sync rule is explicitly set to keep such users.

 

Hope the options are more clear now.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
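The reply above points out that on FortiOS the email address of a Remote LDAP User is set by hand, or by automation through the REST API. The following is an added example of that automation; it is not code from the thread or from Fortinet. It parses a constructed ldapsearch-style LDIF dump of AD users (sAMAccountName and mail), plans which FortiGate LDAP-type local users should receive an email-to value and email two-factor, and pushes each change with a PUT. The endpoint `/api/v2/cmdb/user/local/<name>`, the `access_token` query parameter and the field names `type`, `ldap-server`, `email-to` and `two-factor` are assumptions about the FortiOS 6.2 CMDB API that you should verify against your own unit (`config user local` in the CLI shows the same field names). The sample AD data and the sample FortiGate user list are constructed.

```python
"""Populate 'email-to' on FortiGate Remote LDAP Users from AD 'mail' attributes.

Added example, not from the forum post or Fortinet. Assumptions (verify on your unit):
- FortiOS CMDB REST endpoint: PUT https://<fgt>/api/v2/cmdb/user/local/<name>
- REST API token passed as the 'access_token' query parameter (FortiOS 6.2 style)
- user.local fields: 'type' (ldap), 'ldap-server', 'email-to', 'two-factor' (email)
- AD export in ldapsearch LDIF form, e.g.:
    ldapsearch -LLL -H ldaps://dc.corp.example -D '<bind dn>' -W -b 'DC=corp,DC=example' \
      '(&(objectClass=user)(mail=*))' sAMAccountName mail
"""
import json
import urllib.parse
import urllib.request

# Constructed sample of the ldapsearch output above (Bob deliberately has no mail attribute).
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=corp,DC=example
sAMAccountName: alice
mail: alice@corp.example

dn: CN=Bob Example,OU=Staff,DC=corp,DC=example
sAMAccountName: bob

dn: CN=Carol Example,OU=Staff,DC=corp,DC=example
sAMAccountName: carol
mail: carol@corp.example
"""

# Constructed sample of what GET /api/v2/cmdb/user/local returns in its 'results' list.
SAMPLE_FGT_USERS = [
    {"name": "alice", "type": "ldap", "ldap-server": "AD", "email-to": ""},
    {"name": "bob", "type": "ldap", "ldap-server": "AD", "email-to": ""},
    {"name": "carol", "type": "ldap", "ldap-server": "AD", "email-to": "old@corp.example"},
    {"name": "dave", "type": "password", "email-to": ""},
]


def parse_ldif(text):
    """Return {sAMAccountName: mail} for LDIF entries that carry a mail attribute."""
    users = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if ": " in line:
                key, value = line.split(": ", 1)
                attrs[key.strip()] = value.strip()
        name, mail = attrs.get("sAMAccountName"), attrs.get("mail")
        if name and mail:
            users[name] = mail
    return users


def plan_updates(ad_mail, fgt_users, ldap_server):
    """Return [(name, payload)] for LDAP-type users on the given server that have no
    email-to yet and for whom AD supplies an address. Users with no AD address are
    skipped: enabling email two-factor without an address would lock them out."""
    plan = []
    for user in fgt_users:
        if user.get("type") != "ldap" or user.get("ldap-server") != ldap_server:
            continue
        if user.get("email-to"):
            continue  # already set, possibly by hand; never overwrite silently
        mail = ad_mail.get(user["name"])
        if not mail:
            continue
        plan.append((user["name"], {"email-to": mail, "two-factor": "email"}))
    return plan


def push_update(host, token, name, payload, opener=urllib.request.urlopen):
    """PUT one user.local change. TLS verification is left at the default (on):
    install a trusted certificate on the FortiGate rather than disabling checks."""
    url = "https://%s/api/v2/cmdb/user/local/%s?%s" % (
        host, urllib.parse.quote(name, safe=""), urllib.parse.urlencode({"access_token": token}))
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="PUT",
                                 headers={"Content-Type": "application/json"})
    with opener(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Dry run on the constructed data; a real run would GET the user list first and then
    # call push_update(host, token, name, payload) for each planned entry.
    for name, payload in plan_updates(parse_ldif(SAMPLE_LDIF), SAMPLE_FGT_USERS, "AD"):
        print("would PUT user/local/%s %s" % (name, json.dumps(payload)))
```

The plan step is separated from the push step so the change set can be reviewed before anything touches the firewall, and so that a user whose AD record lacks a mail attribute is never switched to email two-factor with an empty address. The API token should be a dedicated REST API admin with a profile limited to the user objects and a trusted-host restriction, not a full administrator account.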
