Support Forum
Robin_Svanberg
Contributor

SSLVPN: Filter for LDAP server based on username?

Hi,

we have been running different VDOMs for handling different SSL VPNs for some customers, with LDAP to their own AD.

We would like to get rid of these VDOMs and use one VDOM for all customers, but with different portals.

There are two drawbacks with this that I'm aware of: you can't have different domain suffixes, and the other one is the separation of, in our case, LDAP servers.

We can live with the domain suffix "issue", but is it possible to filter which LDAP server will be used based on the username? For example, if we used firstname@domain1.com it would use LDAPServer1, and if the username is firstname@domain2.com it would use LDAPServer2? I haven't seen this possibility, but without it we can't change the design, since the customers' LDAP servers will log and try the credentials for the "wrong domain".

Best Regards

Robin Svanberg Network Consultant @ Ethersec AB in Östersund, Sweden

robin.svanberg@ethersec.se
1 Solution
Carl_Wallmark
Valued Contributor

Hi Robin,

I understand the problem, and without testing, I think you can make it work if you use "Realms".

You have:

Customer1

Customer2

Customer1:

They would log in with https://your_fqdn.com/Customer1

Customer2:

They would log in with https://your_fqdn.com/Customer2

You can use different groups for different realms, so you would use the login URL to separate the different customers.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

3 REPLIES
Robin_Svanberg

Selective wrote:

Hi Robin,

I understand the problem, and without testing, I think you can make it work if you use "Realms".

You have:

Customer1

Customer2

Customer1:

They would log in with https://your_fqdn.com/Customer1

Customer2:

They would log in with https://your_fqdn.com/Customer2

You can use different groups for different realms, so you would use the login URL to separate the different customers.

Wasn't aware of that feature, looks good. The best option would have been the filter based on username/mail address, but realms are not that bad :) Thanks!

You don't know any solution to use different domain suffixes based on realms or portals?

 

Carl_Wallmark

Unfortunately you cannot set a DNS suffix per portal.

I actually requested that a long time ago, but it's not implemented yet.

With that said,

You can add more DNS suffixes to the configuration like this:

set dns-suffix "customer1.org customer2.se customer3.com"

The key length is 255 characters; domains must be separated with a space.

The downside is that all customers will have all suffixes when they are connected.

BUT, if the computer is a member of the Active Directory domain, the DNS suffix would not be needed, as the computer adds the suffix by itself.

And you can add different DNS servers per portal, so maybe you can work around it?

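As an added example (not from this thread, nor Fortinet's own documentation), here is how Carl's two suggestions, one realm and one user group per customer, plus multiple global DNS suffixes and a DNS server per portal, could be expressed in FortiOS CLI. The intent is that a login under /Customer1 is matched by authentication rule 1 and checked only against grp-customer1, so customer 2's LDAP never sees customer 1's credentials. The LDAP server, group, portal and realm names, the IP addresses, base DNs and suffix values are placeholders, the `#` text is annotation rather than CLI syntax, and the snippet is untested.

```text
config user ldap
    edit "ldap-customer1"
        set server "10.1.1.10"            # placeholder: customer 1's AD
        set dn "dc=customer1,dc=org"
        set secure ldaps                  # LDAP over TLS, not cleartext binds
    next
    edit "ldap-customer2"
        set server "10.2.2.10"            # placeholder: customer 2's AD
        set dn "dc=customer2,dc=se"
        set secure ldaps
    next
end
config user group
    edit "grp-customer1"
        set member "ldap-customer1"       # one group per customer LDAP server
    next
    edit "grp-customer2"
        set member "ldap-customer2"
    next
end
config vpn ssl web portal
    edit "portal-customer1"
        set dns-server1 10.1.1.10         # per-portal DNS server, as Carl notes
    next
    edit "portal-customer2"
        set dns-server1 10.2.2.10
    next
end
config vpn ssl web realm
    edit "Customer1"                      # login URL https://your_fqdn.com/Customer1
    next
    edit "Customer2"                      # login URL https://your_fqdn.com/Customer2
    next
end
config vpn ssl settings
    set dns-suffix "customer1.org customer2.se"   # global: every portal gets both
    config authentication-rule
        edit 1
            set groups "grp-customer1"    # realm + group + portal bound together
            set portal "portal-customer1"
            set realm "Customer1"
        next
        edit 2
            set groups "grp-customer2"
            set portal "portal-customer2"
            set realm "Customer2"
        next
    end
end
```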