FortiGate
sinamdar
Staff

Description
How to configure administrator users against a remote server [LDAP] with the wildcard option enabled, so that individual admin accounts do not have to be set up on the FortiGate unit.
Scope

Solution

1.  LDAP server CLI configuration.

config user ldap
    edit "ldap"                  # LDAP server object name
        set server <ldap server ip>
        set cnid "cn"            # "sAMAccountName" can be used instead
        set dn "DC=XYZ,DC=COM"   # root DN
        set type regular
        set username "CN=Administrator,CN=Users,DC=XYZ,DC=COM"   # account used to bind and search
        set password *           # password of the bind account
        set group "CN=GRP,OU=X,DC=XYZ,DC=COM"   # group binding: only members of this group are accepted
        set filter ''            # no filter is used in this scenario
    next
end


2.  Create a user group and make this LDAP server a member of it.

3.  Configure the administrator account as follows.

It is recommended to create a separate admin user entry for LDAP and to keep the built-in (local) "admin" account as a backup.
config system admin
    edit "test"
        set remote-auth enable       # enable remote authentication
        set accprofile "super_admin" # access profile granted to every matching user
        set wildcard enable          # any member of the group can log in; no per-user account is needed
        set remote-group "ldap"      # user group that has the LDAP server as a member
    next
end
Leave all other settings with their default values.
Try to log in with any user who belongs to the allowed AD group through the LDAP server, and confirm that the local "admin" account still works.
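The user group from step 2, which the article does not show as CLI, together with a second wildcard mapping for a less privileged AD group, as an added example that is not part of the original article. Names other than "ldap", "GRP" and "DC=XYZ,DC=COM" are assumptions, and the accprofile attribute names are those of recent FortiOS releases.

```text
# Step 2: user group wrapping the LDAP server object from step 1
config user group
    edit "ldap"
        set member "ldap"
    next
end

# Assumed read-only profile for a second, less privileged admin mapping
# (attribute names as in FortiOS 6.x/7.x; unlisted groups default to none)
config system accprofile
    edit "ro_admin"
        set sysgrp read
        set netgrp read
        set fwgrp read
        set loggrp read
        set vpngrp read
        set utmgrp read
    next
end

# One wildcard admin maps exactly one AD group to one profile, so a second AD
# group needs its own LDAP object (with its own group binding) and user group
config user ldap
    edit "ldap-auditors"
        set server <ldap server ip>
        set cnid "sAMAccountName"
        set dn "DC=XYZ,DC=COM"
        set type regular
        set username "CN=Administrator,CN=Users,DC=XYZ,DC=COM"
        set password *
        # assumed AD group; only its members match this object
        set group "CN=Auditors,OU=X,DC=XYZ,DC=COM"
    next
end
config user group
    edit "ldap-auditors"
        set member "ldap-auditors"
    next
end
config system admin
    edit "auditor"
        set remote-auth enable
        set accprofile "ro_admin"
        set wildcard enable
        set remote-group "ldap-auditors"
    next
end

# Check group matching before relying on it: a member should authenticate, a
# non-member of CN=Auditors should be rejected even with a valid AD password
diagnose test authserver ldap ldap-auditors <ad user> <ad password>
```

Run the same diagnose command against the "ldap" object with a non-member account to confirm that the group binding from step 1 really excludes users outside CN=GRP.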

LDAP troubleshooting steps can be found in the related articles listed at the end of this page: "FortiGate LDAP Configurations and examples" and "Troubleshooting Note : FSAE and LDAP - FortiGate error message 'Query Failed'".

Related Articles

Technical Note: FortiGate LDAP configuration examples

Troubleshooting Note: LDAP - FortiGate error message 'Query Failed'
