FortiGate
Description: Example configurations for a FortiGate unit connecting to an LDAP server
Components

FortiGate units, running FortiOS firmware version 4.00 MR3 or 5.0.x

Examples

It is important to recognize and identify the correct LDAP components:

  • User
  • User group
  • Container (for example the built-in Users or Builtin containers)
  • Organizational unit (OU)

On Windows Active Directory these components appear in a DN with the following attribute types:

  • the root (the domain) is written as dc, one component per label (get.local becomes dc=get,dc=local)
  • an organizational unit is written as ou
  • a container or a user group is written as cn

For an explanation of LDAP attributes, see the Knowledge Base article Explanation of LDAP Attributes.

LDAP user config on a FortiGate unit

The dn is written as a comma-separated sequence of components from the branch where the users reside up to the root. Two DNs from the directory used in the examples below:

  • ou=Testou2,ou=Testou1,ou=Vancouver,dc=get,dc=local (the OU Testou2, nested in Testou1, nested in Vancouver, in the domain get.local)
  • cn=Users,dc=get,dc=local (the built-in Users container directly under the root)


Example 1

This example demonstrates simple binding without group search. It is used to authenticate users that reside directly in a certain container or OU: the FortiGate builds the user's DN as <cnid>=<username>,<dn> and binds to the LDAP server with that DN and the password the user supplied. No search is performed.

The LDAP structure is get.local > Vancouver

All the users that need to be authenticated reside directly in Vancouver. In this example, Vancouver is an OU.

config user ldap
    edit ldaptest
        set server 10.151.0.35
        set cnid cn
        set dn ou=Vancouver,dc=get,dc=local
    next
end

Note: ONLY users that reside directly in Vancouver are authenticated. Users that reside in other containers or in child OUs under Vancouver are not authenticated, because no search is performed and the constructed DN does not exist. A user that does not reside directly in Vancouver but is a member of a group that resides directly in Vancouver will NOT be authenticated either.
 

Example 2

Regular binding without a group search is used to authenticate users that may reside in different containers or organizational units under the root. For regular binding, a valid username and password have to be configured on the FortiGate unit for the binding authentication: the FortiGate binds with this account, searches for the user's DN under dn, and then binds again as the DN it found with the password the user supplied. In this case the user "user1ou1" in the organizational unit "ou1" under get.local is used for binding authentication. This account needs only read access to the user and group objects; use a dedicated, unprivileged account rather than an administrator, since its password is stored in the FortiGate configuration.

The example configuration can authenticate users located in ANY container, sub-container, OU or sub-OU under the root (get.local).

config user ldap
    edit testldap
        set server 10.151.0.35
        set cnid cn
        set dn dc=get,dc=local
        set type regular
        set username cn=user1ou1,ou=ou1,dc=get,dc=local
        set password <user1ou1_password>
    next
end
 

Example 3 - Simple binding with group search

A simple binding with group search can be used when all users that need to be authenticated belong to a certain user group, and ALL the members of that group reside directly in the same container or organizational unit (so that the simple bind can still build each user's DN from cnid and dn).

The group is located at get.local > Builtin > Test Users

In this example, Builtin is a container and "Test Users" is a user group. All the users that need to be authenticated are members of the user group "Test Users", and all the members of "Test Users" reside directly in the "Users" container under the root (get.local). The dn therefore points at the Users container and the group setting points at the group object.

config user ldap
    edit ldaptest
        set server 10.151.0.35
        set cnid cn
        set dn cn=Users,dc=get,dc=local
        set group cn=Test Users,cn=Builtin,dc=get,dc=local
    next
end

For the above example in FortiOS 4.0MR2 and above, see the related article listed at the end of this page:
 
Technical Tip : How to configure LDAP server and restrict access to certain groups in FortiOS 4.0MR2 and above
 
 

Example 4 - Regular binding with group search

Regular binding with group search is used to authenticate users in a certain user group whose members may reside in different containers or organizational units, including both a parent container/OU and its child containers/OUs.

For regular binding, a valid username and password have to be configured on the FortiGate unit for the binding authentication. In this case the user "user1ou1" in the organizational unit "ou1" under get.local is used for binding authentication.

The group is located at get.local > Builtin > Test Users

In this example, Builtin is a container and "Test Users" is a user group.

config user ldap
    edit ldaptest
        set server 10.151.0.35
        set cnid cn
        set dn "dc=get,dc=local"
        set type regular
        set username "cn=user1ou1,ou=ou1,dc=get,dc=local"
        set password <user1ou1_password>
        set group "cn=Test Users,cn=Builtin,dc=get,dc=local"
    next
end
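The four examples above differ only in whether the FortiGate binds straight away as <cnid>=<username>,<dn> (simple bind) or first binds with the service account, searches the subtree under dn for the user's DN and rebinds as that DN (regular bind), and in whether a group check follows. The following Python, added here as an illustration and not FortiOS or Fortinet code, replays Examples 1 to 4 against a small in-memory directory. The DNs and the group membership are taken from this article's debug output; the passwords, the mini-directory itself and all function names are constructed for the example.

```python
"""Added example (not FortiOS code): FortiGate's simple and regular LDAP binds
replayed against an in-memory directory built from the DNs in this article."""


def norm_dn(dn: str) -> str:
    """Fold case and strip spaces around RDNs so DNs compare the way AD treats them."""
    return ",".join(part.strip().lower() for part in dn.split(","))


# Constructed directory: DNs copied from the article's debug traces, passwords invented.
DIRECTORY = {norm_dn(dn): pw for dn, pw in [
    ("CN=test1,OU=Vancouver,DC=get,DC=local", "pw-test1"),
    ("CN=usertestou1,OU=Testou1,OU=Vancouver,DC=get,DC=local", "pw-usertestou1"),
    ("CN=test2 test2,OU=Testou2,OU=Testou1,OU=Vancouver,DC=get,DC=local", "pw-test2"),
    ("CN=user1ou1,OU=ou1,DC=get,DC=local", "pw-user1ou1"),
    ("CN=bfeng,CN=Users,DC=get,DC=local", "pw-bfeng"),
    ("CN=bryanfeng,CN=Users,DC=get,DC=local", "pw-bryanfeng"),
]}

# The "Test Users" group with its AD-style member attribute: the 7 members listed in
# the article's chk_grp output (bryanfeng is not one of them).
GROUPS = {norm_dn("CN=Test Users,CN=Builtin,DC=get,DC=local"): {"member": [norm_dn(m) for m in (
    "CN=usertestou1,OU=Testou1,OU=Vancouver,DC=get,DC=local",
    "CN=user1ou1,OU=ou1,DC=get,DC=local",
    "CN=test2 test2,OU=Testou2,OU=Testou1,OU=Vancouver,DC=get,DC=local",
    "CN=test1,OU=Vancouver,DC=get,DC=local",
    "CN=bfeng,CN=Users,DC=get,DC=local",
    "CN=labuser,OU=lab,DC=get,DC=local",
    "CN=bryan,CN=Users,DC=get,DC=local",
)]}}


def bind(dn: str, password: str) -> bool:
    """Simulated LDAP bind: succeeds only for an existing DN with the right password."""
    return DIRECTORY.get(norm_dn(dn)) == password


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed in a search filter, so that a username
    such as 'b*' cannot turn into a wildcard search."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def search_dn(base_dn: str, cnid: str, username: str) -> tuple:
    """SEARCH stage: subtree search under base_dn for entries whose RDN is cnid=username.
    Returns the filter a real client would send plus the matching DNs."""
    ldap_filter = f"({cnid}={ldap_filter_escape(username)})"
    base, rdn = norm_dn(base_dn), norm_dn(f"{cnid}={username}")
    hits = [dn for dn in DIRECTORY if dn.endswith("," + base) and dn.split(",", 1)[0] == rdn]
    return ldap_filter, hits


def check_group(group_dn: str, user_dn: str, attr: str = "member") -> bool:
    """CHKGRP stage: is user_dn listed in the group's membership attribute?"""
    return norm_dn(user_dn) in GROUPS.get(norm_dn(group_dn), {}).get(attr, [])


def simple_bind_auth(cnid: str, base_dn: str, username: str, password: str, group_dn: str = "") -> str:
    """Simple bind: the DN is built as cnid=username,dn and used directly, so only
    entries that sit immediately under dn can ever authenticate."""
    user_dn = f"{cnid}={username},{base_dn}"
    if not bind(user_dn, password):
        return "denied"
    if group_dn and not check_group(group_dn, user_dn):
        return "ERROR"  # the article's traces report a failed chk_grp as ERROR, res=5
    return "SUCCESS"


def regular_bind_auth(base_dn: str, cnid: str, bind_dn: str, bind_pw: str,
                      username: str, password: str, group_dn: str = "") -> str:
    """Regular bind: bind with the service account, SEARCH the subtree for the user's
    DN, REBIND as each candidate with the user's password, then CHKGRP if configured."""
    if not bind(bind_dn, bind_pw):
        return "denied"  # looks identical to a plain user denial in the debug output
    _, candidates = search_dn(base_dn, cnid, username)
    user_dn = next((dn for dn in candidates if bind(dn, password)), None)
    if user_dn is None:
        return "denied"  # 'No more DN left' -> Auth denied
    if group_dn and not check_group(group_dn, user_dn):
        return "ERROR"
    return "SUCCESS"


def demo() -> dict:
    """Replays Examples 1 to 4 from the article and returns the fnbamd-style results."""
    root, vancouver = "dc=get,dc=local", "ou=Vancouver,dc=get,dc=local"
    svc = ("cn=user1ou1,ou=ou1,dc=get,dc=local", "pw-user1ou1")
    grp = "cn=Test Users,cn=Builtin,dc=get,dc=local"
    return {
        "ex1_direct_child": simple_bind_auth("cn", vancouver, "test1", "pw-test1"),
        "ex1_nested_ou": simple_bind_auth("cn", vancouver, "usertestou1", "pw-usertestou1"),
        "ex2_nested_ou": regular_bind_auth(root, "cn", *svc, "usertestou1", "pw-usertestou1"),
        "ex2_bad_password": regular_bind_auth(root, "cn", *svc, "bfeng", "wrong"),
        "ex3_member": simple_bind_auth("cn", "cn=Users,dc=get,dc=local", "bfeng", "pw-bfeng", grp),
        "ex4_member": regular_bind_auth(root, "cn", *svc, "bfeng", "pw-bfeng", grp),
        "ex4_not_member": regular_bind_auth(root, "cn", *svc, "bryanfeng", "pw-bryanfeng", grp),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} {outcome}")
```

Running it reproduces the behaviour the examples describe: test1 authenticates under the Example 1 dn but usertestou1, one OU deeper, is denied; the Example 2 regular bind finds usertestou1 by subtree search; and bryanfeng binds fine but fails at the group check. Against a live directory the same checks can be made with OpenLDAP's ldapsearch before touching the FortiGate, for example ldapsearch -x -H ldap://10.151.0.35 -D "cn=user1ou1,ou=ou1,dc=get,dc=local" -W -b "dc=get,dc=local" "(cn=bfeng)", which confirms both that the bind account works and that the user's DN is found under the configured dn.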

Tips

In the above sample configurations, set type, set username, set password, and set group are configurable from the CLI ONLY.

When an object name includes a space, as in "Test Users", enclose the whole value in double quotes. For example:

set group "cn=Test Users,cn=Builtin,dc=get,dc=local"

In the ldap user config, the set filter command sets the filter used for the group search. By default it is (&(objectcategory=group)(member=*)), which is suitable for LDAP on Windows AD; the debug output below shows it being applied with the configured group DN as the search base.

The filter used for group searching can be any string, depending on the LDAP setup; it has to match the object class of the group and the attribute that holds its members. For example:

  • (&(objectcategory=group)(member=*))   default, Windows AD LDAP
  • (&(objectclass=groupofnames)(member=*))
  • (&(objectclass=groupofuniquenames)(uniquemember=*))
  • (&(objectclass=posixgroup)(memberuid=*))   Linux OpenLDAP
 

Debugging LDAP

Use the following diagnose commands to help in debugging issues with the LDAP setup:

diagnose debug application fnbamd -1
diagnose debug enable

Then trigger an authentication attempt and read the trace. Turn the debug output off again when done:

diagnose debug disable
 

Simple binding without group search

Successful

fnbamd_fsm.c[739] handle_req-Rcvd auth req 16 for test1 in sslgrp opt=0 prot=6
fnbamd_auth.c[170] radius_start-Didn't find radius servers (0)
fnbamd_ldap.c[336] resolve_ldap_FQDN-Resolved address 10.151.0.35, result 10.151.0.35
fnbamd_ldap.c[587]fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap.c[673] fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth.c[956] fnbamd_auth_poll-Result for ldap svr 10.151.0.35 is SUCCESS
fnbamd_comm.c[128] fnbamd_comm_send_result-Sending result 0 for req 16
 

Failed: wrong LDAP server IP or LDAP server not responding

fnbamd_fsm.c[739] handle_req-Rcvd auth req 17 for test1 in sslgrp opt=0 prot=6
fnbamd_auth.c[170] radius_start-Didn't find radius servers (0)
fnbamd_ldap.c[336] resolve_ldap_FQDN-Resolved address 10.151.0.32, result 10.151.0.32
fnbamd_ldap.c[465]fnbamd_ldap_start-Error in ldap_simple_bind
fnbamd_auth.c[267]ldap_start-Failed to start ldap request for 10.151.0.32
fnbamd_fsm.c[149] create_auth_session-Error allocating session
fnbamd_fsm.c[752] handle_req-Error creating session
fnbamd_comm.c[128] fnbamd_comm_send_result-Sending result 1 for req 17
 

Failed: wrong user, wrong password, or wrong dn.

fnbamd_fsm.c[739] handle_req-Rcvd auth req 15 for bfeng in sslgrp opt=0 prot=6
fnbamd_auth.c[170] radius_start-Didn't find radius servers (0)
fnbamd_ldap.c[336] resolve_ldap_FQDN-Resolved address 10.151.0.35, result 10.151.0.35
fnbamd_ldap.c[665]fnbamd_ldap_get_result-Auth denied
fnbamd_ldap.c[673] fnbamd_ldap_get_result-Going to DONE state res=1
fnbamd_auth.c[950] fnbamd_auth_poll-Result for ldap svr 10.151.0.35 is denied
fnbamd_comm.c[128] fnbamd_comm_send_result-Sending result 1 for req 15
 

Simple binding with group search

Sample of a successful binding and group check.

fnbamd_fsm.c[739] handle_req-Rcvd auth req 2 for bfeng in ssl grp opt=0 prot=6
fnbamd_auth.c[170] radius_start-Didn't find radius servers (0)
fnbamd_ldap.c[346] resolve_ldap_FQDN-Resolved address 10.151.0.35, result 10.151.0.35
fnbamd_ldap.c[241] start_search_grp-base:cn=Test Users,cn=Builtin,dc=get,dc=local filter:(&(objectcategory=group)(member=*))
fnbamd_ldap.c[593] fnbamd_ldap_get_result-Going to CHKGRP state
fnbamd_fsm.c[933] poll_auth-Continue pending for req 2
fnbamd_ldap.c[295] chk_grp-checking group:'CN=Test Users,CN=Builtin,DC=get,DC=local', attr:'member'
fnbamd_ldap.c[300] chk_grp-Found 7 members
fnbamd_ldap.c[303] chk_grp-checking member:'CN=usertestou1,OU=Testou1,OU=Vancouver,DC=get,DC=local'
fnbamd_ldap.c[303] chk_grp-checking member:'CN=user1ou1,OU=ou1,DC=get,DC=local'
fnbamd_ldap.c[303] chk_grp-checking member:'CN=test2 test2,OU=Testou2,OU=Testou1,OU=Vancouver,DC=get,DC=local'
fnbamd_ldap.c[303] chk_grp-checking member:'CN=test1,OU=Vancouver,DC=get,DC=local'
fnbamd_ldap.c[303] chk_grp-checking member:'CN=bfeng,CN=Users,DC=get,DC=local'
fnbamd_ldap.c[306]chk_grp-Group membership is good
fnbamd_ldap.c[574]fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap.c[686] fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth.c[967]fnbamd_auth_poll-Result for ldap svr 10.151.0.35 is SUCCESS
fnbamd_comm.c[128] fnbamd_comm_send_result-Sending result 0 for req 2
 

Group checking failure: user is not part of the group configured.

fnbamd_fsm.c[739] handle_req-Rcvd auth req 3 for test in sslgrp opt=0 prot=6
fnbamd_auth.c[170] radius_start-Didn't find radius servers (0)
fnbamd_ldap.c[346] resolve_ldap_FQDN-Resolved address 10.151.0.35, result 10.151.0.35
fnbamd_ldap.c[241] start_search_grp-base:cn=Test Users,cn=Builtin,dc=get,dc=local filter:(&(objectcategory=group)(member=*))
fnbamd_ldap.c[593] fnbamd_ldap_get_result-Going to CHKGRP state
fnbamd_fsm.c[933] poll_auth-Continue pending for req 3
fnbamd_ldap.c[295] chk_grp-checking group:'CN=Test Users,CN=Builtin,DC=get,DC=local', attr:'member'
fnbamd_ldap.c[300] chk_grp-Found 7 members
fnbamd_ldap.c[303] chk_grp-checking member:'CN=usertestou1,OU=Testou1,OU=Vancouver,DC=get,DC=local'
fnbamd_ldap.c[303] chk_grp-checking member:'CN=user1ou1,OU=ou1,DC=get,DC=local'
fnbamd_ldap.c[303] chk_grp-checking member:'CN=test2 test2,OU=Testou2,OU=Testou1,OU=Vancouver,DC=get,DC=local'
fnbamd_ldap.c[303] chk_grp-checking member:'CN=test1,OU=Vancouver,DC=get,DC=local'
fnbamd_ldap.c[303] chk_grp-checking member:'CN=bfeng,CN=Users,DC=get,DC=local'
fnbamd_ldap.c[303] chk_grp-checking member:'CN=labuser,OU=lab,DC=get,DC=local'
fnbamd_ldap.c[303] chk_grp-checking member:'CN=bryan,CN=Users,DC=get,DC=local'
fnbamd_ldap.c[570]fnbamd_ldap_get_result-Error in chk_grp
fnbamd_ldap.c[686] fnbamd_ldap_get_result-Going to DONE state res=5
fnbamd_auth.c[954] fnbamd_auth_poll-Result for ldap svr 10.151.0.35 is ERROR
fnbamd_comm.c[128] fnbamd_comm_send_result-Sending result 1 for req 3
 

User does not exist, wrong password, or wrong dn in config.

fnbamd_fsm.c[739] handle_req-Rcvd auth req 4 for sdfsf in sslgrp opt=0 prot=6
fnbamd_auth.c[170] radius_start-Didn't find radius servers (0)
fnbamd_ldap.c[346] resolve_ldap_FQDN-Resolved address 10.151.0.35, result 10.151.0.35
fnbamd_ldap.c[678]fnbamd_ldap_get_result-Auth denied
fnbamd_ldap.c[686] fnbamd_ldap_get_result-Going to DONE state res=1
fnbamd_auth.c[961] fnbamd_auth_poll-Result for ldap svr 10.151.0.35 is denied
fnbamd_comm.c[128] fnbamd_comm_send_result-Sending result 1 for req 4
 

Regular Binding without group search

Binding authentication failure: wrong username or password, or user does not exist in LDAP.

fnbamd_fsm.c[739] handle_req-Rcvd auth req 9 for bfeng in sslgrp opt=0 prot=6
fnbamd_auth.c[170] radius_start-Didn't find radius servers (0)
fnbamd_ldap.c[336] resolve_ldap_FQDN-Resolved address 10.151.0.35, result 10.151.0.35
fnbamd_ldap.c[665]fnbamd_ldap_get_result-Auth denied
fnbamd_ldap.c[673] fnbamd_ldap_get_result-Going to DONE state res=1
fnbamd_auth.c[950] fnbamd_auth_poll-Result for ldap svr 10.151.0.35 is denied
fnbamd_comm.c[128] fnbamd_comm_send_result-Sending result 1 for req 9
 

Binding authentication passed OK; user authentication failed. The search found the user's DN, but the rebind as that DN with the user's password was rejected ("No more DN left").

fnbamd_fsm.c[739] handle_req-Rcvd auth req 8 for bfeng in sslgrp opt=0 prot=6
fnbamd_auth.c[170] radius_start-Didn't find radius servers (0)
fnbamd_ldap.c[336] resolve_ldap_FQDN-Resolved address 10.151.0.35, result 10.151.0.35
fnbamd_ldap.c[144] start_search_dn-base:dc=get,dc=local filter:cn=bfeng
fnbamd_ldap.c[599] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_fsm.c[933] poll_auth-Continue pending for req 8
fnbamd_ldap.c[172] get_all_dn-Found DN 1:CN=bfeng,CN=Users,DC=get,DC=local
fnbamd_ldap.c[188] get_all_dn-Found 1 DN's
fnbamd_ldap.c[214] start_next_dn_bind-Trying DN 1:CN=bfeng,CN=Users,DC=get,DC=local
fnbamd_ldap.c[547] fnbamd_ldap_get_result-Going to REBIND state
fnbamd_fsm.c[933] poll_auth-Continue pending for req 8
fnbamd_ldap.c[202] start_next_dn_bind-No more DN left
fnbamd_ldap.c[653] fnbamd_ldap_get_result-Auth denied
fnbamd_ldap.c[673] fnbamd_ldap_get_result-Going to DONE state res=1
fnbamd_auth.c[950]fnbamd_auth_poll-Result for ldap svr 10.151.0.35 is denied
fnbamd_comm.c[128] fnbamd_comm_send_result-Sending result 1 for req 8
 

Regular binding with group search

Successful binding and search.

fnbamd_fsm.c[739] handle_req-Rcvd auth req 13 for bfeng in sslgrp opt=0 prot=6
fnbamd_auth.c[170] radius_start-Didn't find radius servers (0)
fnbamd_ldap.c[336] resolve_ldap_FQDN-Resolved address 10.151.0.35, result 10.151.0.35
fnbamd_ldap.c[144] start_search_dn-base:dc=get,dc=local filter:cn=bfeng
fnbamd_ldap.c[599] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_fsm.c[933] poll_auth-Continue pending for req 13
fnbamd_ldap.c[172] get_all_dn-Found DN 1:CN=bfeng,CN=Users,DC=get,DC=local
fnbamd_ldap.c[188] get_all_dn-Found 1 DN's
fnbamd_ldap.c[214] start_next_dn_bind-Trying DN 1:CN=bfeng,CN=Users,DC=get,DC=local
fnbamd_ldap.c[547] fnbamd_ldap_get_result-Going to REBIND state
fnbamd_fsm.c[933] poll_auth-Continue pending for req 13
fnbamd_ldap.c[241] start_search_grp-base:cn=Test Users,cn=Builtin,dc=get,dc=local filter:(&(objectcategory=group)(member=*))
fnbamd_ldap.c[615] fnbamd_ldap_get_result-Going to CHKGRP state
fnbamd_fsm.c[933] poll_auth-Continue pending for req 13
fnbamd_ldap.c[277] chk_grp-checking group:'CN=Test Users,CN=Builtin,DC=get,DC=local', attr:'member'
fnbamd_ldap.c[282] chk_grp-Found 7 members
fnbamd_ldap.c[287] chk_grp-checking member:'CN=usertestou1,OU=Testou1,OU=Vancouver,DC=get,DC=local'
fnbamd_ldap.c[287] chk_grp-checking member:'CN=user1ou1,OU=ou1,DC=get,DC=local'
fnbamd_ldap.c[287] chk_grp-checking member:'CN=test2 test2,OU=Testou2,OU=Testou1,OU=Vancouver,DC=get,DC=local'
fnbamd_ldap.c[287] chk_grp-checking member:'CN=test1,OU=Vancouver,DC=get,DC=local'
fnbamd_ldap.c[287] chk_grp-checking member:'CN=bfeng,CN=Users,DC=get,DC=local'
fnbamd_ldap.c[296]chk_grp-Group membership is good
fnbamd_ldap.c[561] fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap.c[673] fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth.c[956] fnbamd_auth_poll-Result for ldap svr 10.151.0.35 is SUCCESS
fnbamd_comm.c[128] fnbamd_comm_send_result-Sending result 0 for req 13
 

Group search failed: user cannot be found in the group.

fnbamd_fsm.c[739] handle_req-Rcvd auth req 12 for bryanfeng in sslgrp opt=0 prot=6
fnbamd_auth.c[170] radius_start-Didn't find radius servers (0)
fnbamd_ldap.c[336] resolve_ldap_FQDN-Resolved address 10.151.0.35, result 10.151.0.35
fnbamd_ldap.c[144] start_search_dn-base:dc=get,dc=local filter:cn=bryanfeng
fnbamd_ldap.c[599] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_fsm.c[933] poll_auth-Continue pending for req 12
fnbamd_ldap.c[172] get_all_dn-Found DN 1:CN=bryanfeng,CN=Users,DC=get,DC=local
fnbamd_ldap.c[188] get_all_dn-Found 1 DN's
fnbamd_ldap.c[214] start_next_dn_bind-Trying DN 1:CN=bryanfeng,CN=Users,DC=get,DC=local
fnbamd_ldap.c[547] fnbamd_ldap_get_result-Going to REBIND state
fnbamd_fsm.c[933] poll_auth-Continue pending for req 12
fnbamd_ldap.c[241] start_search_grp-base:cn=Test Users,cn=Builtin,dc=get,dc=local filter:(&(objectcategory=group)(member=*))
fnbamd_ldap.c[615] fnbamd_ldap_get_result-Going to CHKGRP state
fnbamd_fsm.c[933] poll_auth-Continue pending for req 12
fnbamd_ldap.c[277] chk_grp-checking group:'CN=Test Users,CN=Builtin,DC=get,DC=local', attr:'member'
fnbamd_ldap.c[282] chk_grp-Found 7 members
fnbamd_ldap.c[287] chk_grp-checking member:'CN=usertestou1,OU=Testou1,OU=Vancouver,DC=get,DC=local'
fnbamd_ldap.c[287] chk_grp-checking member:'CN=user1ou1,OU=ou1,DC=get,DC=local'
fnbamd_ldap.c[287] chk_grp-checking member:'CN=test2 test2,OU=Testou2,OU=Testou1,OU=Vancouver,DC=get,DC=local'
fnbamd_ldap.c[287] chk_grp-checking member:'CN=test1,OU=Vancouver,DC=get,DC=local'
fnbamd_ldap.c[287] chk_grp-checking member:'CN=bfeng,CN=Users,DC=get,DC=local'
fnbamd_ldap.c[287] chk_grp-checking member:'CN=labuser,OU=lab,DC=get,DC=local'
fnbamd_ldap.c[287] chk_grp-checking member:'CN=bryan,CN=Users,DC=get,DC=local'
fnbamd_ldap.c[557]fnbamd_ldap_get_result-Error in chk_grp
fnbamd_ldap.c[673] fnbamd_ldap_get_result-Going to DONE state res=5
fnbamd_auth.c[943] fnbamd_auth_poll-Result for ldap svr 10.151.0.35 is ERROR
fnbamd_comm.c[128] fnbamd_comm_send_result-Sending result 1 for req 12
 

Binding authentication is OK and the user's DN is found by the search, but the user's password is wrong: the rebind fails ("No more DN left") and the group check is never reached.

fnbamd_fsm.c[739] handle_req-Rcvd auth req 14 for bfeng in sslgrp opt=0 prot=6
fnbamd_auth.c[170] radius_start-Didn't find radius servers (0)
fnbamd_ldap.c[336] resolve_ldap_FQDN-Resolved address 10.151.0.35, result 10.151.0.35
fnbamd_ldap.c[144] start_search_dn-base:dc=get,dc=local filter:cn=bfeng
fnbamd_ldap.c[599] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_fsm.c[933] poll_auth-Continue pending for req 14
fnbamd_ldap.c[172] get_all_dn-Found DN 1:CN=bfeng,CN=Users,DC=get,DC=local
fnbamd_ldap.c[188] get_all_dn-Found 1 DN's
fnbamd_ldap.c[214] start_next_dn_bind-Trying DN 1:CN=bfeng,CN=Users,DC=get,DC=local
fnbamd_ldap.c[547] fnbamd_ldap_get_result-Going to REBIND state
fnbamd_fsm.c[933] poll_auth-Continue pending for req 14
fnbamd_ldap.c[202] start_next_dn_bind-No more DN left
fnbamd_ldap.c[653]fnbamd_ldap_get_result-Auth denied
fnbamd_ldap.c[673] fnbamd_ldap_get_result-Going to DONE state res=1
fnbamd_auth.c[950] fnbamd_auth_poll-Result for ldap svr 10.151.0.35 is denied
fnbamd_comm.c[128] fnbamd_comm_send_result-Sending result 1 for req 14
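The traces above all share one shape: a "Rcvd auth req" line, zero or more state transitions (SEARCH, REBIND, CHKGRP, then DONE with a res code), a "Result for ldap svr" line, and one distinctive error marker per failure mode. The following Python, added here as an example and not part of FortiOS or any Fortinet tool, pulls those fields out of a trace and maps the markers to the causes given in this article. The three embedded traces are abridged copies of traces shown above; the Diagnosis fields and the wording of the causes are this example's own.

```python
"""Added example (not FortiOS or Fortinet code): parse a 'diagnose debug application
fnbamd -1' trace and map its states and error markers to the causes in this article."""
import re
from dataclasses import dataclass, field

REQ_RE = re.compile(r"Rcvd auth req (\d+) for (\S+)")
STATE_RE = re.compile(r"Going to (\w+) state(?: res=(\d+))?")
RESULT_RE = re.compile(r"Result for ldap svr (\S+) is (\w+)")
DNS_RE = re.compile(r"Found (\d+) DN's")
GROUP_RE = re.compile(r"chk_grp-checking group:'([^']+)'")

# Error markers from the traces in this article, with the meaning the article gives them.
MARKERS = [
    ("Error in ldap_simple_bind", "LDAP server unreachable: wrong IP or server not responding"),
    ("Error in chk_grp", "user bound OK but is not a member of the configured group"),
    ("No more DN left", "user DN found by the search, but the user's password was rejected"),
]


@dataclass
class Diagnosis:
    req: str = ""
    user: str = ""
    server: str = ""
    states: list = field(default_factory=list)  # SEARCH, REBIND, CHKGRP, DONE in order seen
    res: int = -1                               # res=N reported on the DONE transition
    result: str = ""                            # SUCCESS, denied or ERROR
    found_dns: int = 0
    group: str = ""
    cause: str = ""


def diagnose(trace: str) -> Diagnosis:
    """Walk the trace line by line; the first error marker seen decides the cause."""
    d = Diagnosis()
    for line in trace.splitlines():
        if m := REQ_RE.search(line):
            d.req, d.user = m.group(1), m.group(2)
        elif m := STATE_RE.search(line):
            d.states.append(m.group(1))
            if m.group(2) is not None:
                d.res = int(m.group(2))
        elif m := RESULT_RE.search(line):
            d.server, d.result = m.group(1), m.group(2)
        elif m := DNS_RE.search(line):
            d.found_dns = int(m.group(1))
        elif m := GROUP_RE.search(line):
            d.group = m.group(1)
        elif not d.cause:
            d.cause = next((why for marker, why in MARKERS if marker in line), "")
    if not d.cause:
        if d.result == "SUCCESS":
            d.cause = "authentication succeeded"
        elif d.result == "denied" and "SEARCH" not in d.states:
            # A simple-bind failure and a regular-bind service-account failure look the same.
            d.cause = ("first bind denied: wrong user, password or dn (simple bind), "
                       "or wrong bind username/password (regular bind)")
        else:
            d.cause = f"ended with result '{d.result}' (res={d.res})"
    return d


def summarize(trace: str) -> str:
    """One-line summary suitable for a ticket or a log search result."""
    d = diagnose(trace)
    path = " -> ".join(d.states) or "no state change"
    return f"req {d.req} user={d.user} server={d.server or '?'} [{path}] {d.result or '-'}: {d.cause}"


# Sample traces: abridged copies of the debug output shown in this article.
TRACE_SERVER_DOWN = """\
fnbamd_fsm.c[739] handle_req-Rcvd auth req 17 for test1 in sslgrp opt=0 prot=6
fnbamd_ldap.c[336] resolve_ldap_FQDN-Resolved address 10.151.0.32, result 10.151.0.32
fnbamd_ldap.c[465]fnbamd_ldap_start-Error in ldap_simple_bind
fnbamd_auth.c[267]ldap_start-Failed to start ldap request for 10.151.0.32
fnbamd_comm.c[128] fnbamd_comm_send_result-Sending result 1 for req 17
"""
TRACE_GROUP_FAIL = """\
fnbamd_fsm.c[739] handle_req-Rcvd auth req 12 for bryanfeng in sslgrp opt=0 prot=6
fnbamd_ldap.c[599] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_ldap.c[188] get_all_dn-Found 1 DN's
fnbamd_ldap.c[547] fnbamd_ldap_get_result-Going to REBIND state
fnbamd_ldap.c[615] fnbamd_ldap_get_result-Going to CHKGRP state
fnbamd_ldap.c[277] chk_grp-checking group:'CN=Test Users,CN=Builtin,DC=get,DC=local', attr:'member'
fnbamd_ldap.c[557]fnbamd_ldap_get_result-Error in chk_grp
fnbamd_ldap.c[673] fnbamd_ldap_get_result-Going to DONE state res=5
fnbamd_auth.c[943] fnbamd_auth_poll-Result for ldap svr 10.151.0.35 is ERROR
"""
TRACE_BAD_PASSWORD = """\
fnbamd_fsm.c[739] handle_req-Rcvd auth req 14 for bfeng in sslgrp opt=0 prot=6
fnbamd_ldap.c[599] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_ldap.c[188] get_all_dn-Found 1 DN's
fnbamd_ldap.c[547] fnbamd_ldap_get_result-Going to REBIND state
fnbamd_ldap.c[202] start_next_dn_bind-No more DN left
fnbamd_ldap.c[673] fnbamd_ldap_get_result-Going to DONE state res=1
fnbamd_auth.c[950] fnbamd_auth_poll-Result for ldap svr 10.151.0.35 is denied
"""

if __name__ == "__main__":
    for t in (TRACE_SERVER_DOWN, TRACE_GROUP_FAIL, TRACE_BAD_PASSWORD):
        print(summarize(t))
```

The marker table is deliberately limited to the failure modes this article shows; a trace with a shape not covered here falls through to the generic "ended with result" line rather than being guessed at, which is the safer default when the parser is run over traces from other FortiOS builds whose line numbers and wording may differ.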


Internal Notes

Reviewers note: Based on article ID and submission date, this article appears to be part of April 2013 KB refresh activity. Therefore, moved to Style Review automatically, w/o Tech Review.

 


Related Articles

LDAP authentication using Active Directory user groups

Technical Tip: Explanation of LDAP attributes

Technical Tip : How to configure LDAP server and restrict access to certain groups in FortiOS 4.0MR2...

Technical Note : Using LDAP for Admin Access and Authorization - "wildcard" admin accounts