
Created on 08-07-2007 12:00 AM
Edited on 03-26-2025 02:21 AM
By Jean-Philippe_P
Description: This article describes example configurations for a FortiGate unit connecting to an LDAP server.

Scope: FortiGate units running FortiOS firmware version 5.0 and above.

Solution:
It is important to recognize and identify the correct LDAP components (domain components, containers, organizational units and common names) and how they are nested on Windows Active Directory before configuring the FortiGate.

For an explanation of LDAP attributes, see the Knowledge Base article Explanation of LDAP Attributes.

In the LDAP user configuration on the FortiGate unit, the Distinguished Name (DN) is written following the branch from the object's own container up to the root, with the components separated by commas. For the tree used in these examples:

- ou=Testou2,ou=Testou1,ou=Vancouver,dc=get,dc=local
- cn=Users,dc=get,dc=local
Example 1: Simple binding without group search.

This example demonstrates simple binding without group search. It is used to authenticate users that reside directly in one container or organizational unit (OU).

The LDAP structure is get.local -> Vancouver. All the users that need to be authenticated reside directly in Vancouver; in this example, Vancouver is an OU.

config user ldap
    edit testldap
        set server 10.151.0.35
        set cnid cn
        set dn ou=Vancouver,dc=get,dc=local
        set type simple
    next
end

Note: Only users that reside directly in Vancouver are authenticated. With simple binding the FortiGate builds the user's DN as cn=<login>,ou=Vancouver,dc=get,dc=local and binds with it, so nothing is searched: users in other containers, or in child OUs under Vancouver, are not authenticated. If a user does not reside directly in Vancouver but is a member of a group that does, the user will NOT be authenticated.
Example 2: Regular binding without group search.

Regular binding without group search is used to authenticate users that may reside in different containers or organizational units under the root. For regular binding, a valid username and password must be configured on the FortiGate unit for the binding authentication. In this case the user 'user1ou1' in the organizational unit 'ou1' under get.local is used for binding.

This configuration can authenticate users located in ANY container, sub-container, OU or sub-OU under the root (get.local):

config user ldap
    edit testldap
        set server 10.151.0.35
        set cnid cn
        set dn dc=get,dc=local
        set type regular
        set username cn=user1ou1,ou=ou1,dc=get,dc=local
        set password <user1ou1_password>
    next
end

Example 3: Simple binding with group search.
Simple binding with group search can be used when all users that need to be authenticated belong to a certain user group, and ALL the members of that group reside directly in the same container or organizational unit.

The LDAP structure is get.local -> Builtin -> Test Users. In this example, Builtin is a container and 'Test Users' is a user group. All the users that need to be authenticated are members of 'Test Users', and all members of 'Test Users' are in the 'Users' container directly under the root (get.local):

config user ldap
    edit testldap
        set server 10.151.0.35
        set cnid cn
        set dn cn=Users,dc=get,dc=local
        set type simple
        set group "cn=Test Users,cn=Builtin,dc=get,dc=local"
    next
end
For the above example in 4.0MR2 and above, see this article:
Example 4: Regular binding with group search.

Regular binding with group search is used to authenticate users in a certain user group whose members may reside in different containers or organizational units, including both a parent container/OU and its children.

For regular binding, a valid username and password must be configured on the FortiGate unit for the binding authentication. In this case the user 'user1ou1' in the organizational unit 'ou1' under get.local is used for binding.

The LDAP structure is get.local -> Builtin -> Test Users. In this example, Builtin is a container and 'Test Users' is a user group:

config user ldap
    edit testldap
        set server 10.151.0.35
        set cnid cn
        set dn dc=get,dc=local
        set type regular
        set username "cn=user1ou1,ou=ou1,dc=get,dc=local"
        set password <user1ou1_password>
        set group "cn=Test Users,cn=Builtin,dc=get,dc=local"
    next
end
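The four examples differ only in how the user's DN is obtained (built by concatenation for simple binding, found by a subtree search for regular binding) and whether that DN is then compared with the group's member attribute. The following Python model is an added illustration, not FortiOS or fnbamd code and not part of the original article: it re-implements those rules against a small in-memory copy of the get.local tree so that the notes about which users each example accepts can be checked. The entries and group members are the ones visible in this article's debug output; the passwords and the bind/search helpers are constructed for the example.

```python
"""Model of the four 'config user ldap' examples above.

Added illustration, not FortiOS or fnbamd code. A small in-memory directory
stands in for the get.local Active Directory on this page; authenticate()
follows the order the fnbamd debug output shows: bind as the configured
account (regular only), search the subtree for cnid=<login>, re-bind as the
DN that was found, then compare that DN against the group's member attribute.
Passwords are constructed; entries and group members come from the page.
"""


def norm(dn):
    """Canonical form for comparison: AD DNs are case-insensitive and fnbamd
    prints them with mixed case (cn=Users vs CN=Users). No escaped commas here."""
    return ",".join(p.strip().lower() for p in dn.split(","))


# (dn, cn, password); the passwords are fake.
ENTRIES = [
    ("cn=test1,ou=Vancouver,dc=get,dc=local", "test1", "pw-test1"),
    ("cn=usertestou1,ou=Testou1,ou=Vancouver,dc=get,dc=local", "usertestou1", "pw-usertestou1"),
    ("cn=test2 test2,ou=Testou2,ou=Testou1,ou=Vancouver,dc=get,dc=local", "test2 test2", "pw-test2"),
    ("cn=user1ou1,ou=ou1,dc=get,dc=local", "user1ou1", "pw-user1ou1"),
    ("cn=bfeng,cn=Users,dc=get,dc=local", "bfeng", "pw-bfeng"),
    ("cn=bryanfeng,cn=Users,dc=get,dc=local", "bryanfeng", "pw-bryanfeng"),
]
USERS = {norm(dn): {"cn": cn, "password": pw} for dn, cn, pw in ENTRIES}

# Group object -> its 'member' attribute, as enumerated by chk_grp in the debug output.
GROUPS = {norm("cn=Test Users,cn=Builtin,dc=get,dc=local"): {norm(m) for m in (
    "CN=usertestou1,OU=Testou1,OU=Vancouver,DC=get,DC=local",
    "CN=user1ou1,OU=ou1,DC=get,DC=local",
    "CN=test2 test2,OU=Testou2,OU=Testou1,OU=Vancouver,DC=get,DC=local",
    "CN=test1,OU=Vancouver,DC=get,DC=local",
    "CN=bfeng,CN=Users,DC=get,DC=local",
    "CN=labuser,OU=lab,DC=get,DC=local",
    "CN=bryan,CN=Users,DC=get,DC=local")}}


def bind(dn, password):
    """LDAP bind: the entry must exist and the password must match."""
    e = USERS.get(norm(dn))
    return e is not None and e["password"] == password


def search_subtree(base, cnid, value):
    """start_search_dn equivalent: base=<dn>, filter <cnid>=<login>, subtree scope."""
    base = norm(base)
    return [dn for dn, e in USERS.items()
            if (dn == base or dn.endswith("," + base))
            and e.get(cnid.lower(), "").lower() == value.lower()]


def in_group(user_dn, group_dn):
    """Direct membership only: the DN string is compared with the member attribute."""
    return norm(user_dn) in GROUPS.get(norm(group_dn), set())


def authenticate(cfg, login, password):
    """Return (accepted, detail). cfg uses the 'config user ldap' keys:
    type, dn, cnid, username, password and optionally group."""
    cnid = cfg.get("cnid", "cn")
    if cfg["type"] == "simple":
        # Simple binding builds the DN by concatenation and binds once; the
        # user must sit directly under 'dn' because nothing is searched.
        user_dn = f"{cnid}={login},{cfg['dn']}"
        if not bind(user_dn, password):
            return False, "ldap_simple_bind failed: wrong dn, user or password"
    elif cfg["type"] == "regular":
        if not bind(cfg["username"], cfg["password"]):
            return False, "bind as the configured username/password failed"
        found = search_subtree(cfg["dn"], cnid, login)
        if not found:
            return False, "search found no DN for the login name"
        # fnbamd re-binds as each DN the search returned (start_next_dn_bind).
        user_dn = next((dn for dn in found if bind(dn, password)), None)
        if user_dn is None:
            return False, "re-bind as the user failed: wrong password"
    else:
        raise ValueError("type must be simple or regular")
    if cfg.get("group") and not in_group(user_dn, cfg["group"]):
        return False, f"{norm(user_dn)} is not a member of {cfg['group']}"
    return True, norm(user_dn)


EXAMPLE1 = {"type": "simple", "dn": "ou=Vancouver,dc=get,dc=local"}
EXAMPLE2 = {"type": "regular", "dn": "dc=get,dc=local",
            "username": "cn=user1ou1,ou=ou1,dc=get,dc=local", "password": "pw-user1ou1"}
EXAMPLE3 = {"type": "simple", "dn": "cn=Users,dc=get,dc=local",
            "group": "cn=Test Users,cn=Builtin,dc=get,dc=local"}
EXAMPLE4 = dict(EXAMPLE2, group="cn=Test Users,cn=Builtin,dc=get,dc=local")

if __name__ == "__main__":
    for name, cfg in (("Example 1", EXAMPLE1), ("Example 3", EXAMPLE3), ("Example 4", EXAMPLE4)):
        for user in ("test1", "usertestou1", "bfeng", "bryanfeng"):
            print(name, user, authenticate(cfg, user, f"pw-{user}"))
```

Running it shows the asymmetry the notes describe: Example 1 accepts test1 but rejects usertestou1 (child OU) and bfeng (other container); Example 3 accepts bfeng but rejects bryanfeng (in Users, not in the group) and test1 (in the group, not in Users); Example 4 accepts every group member wherever it sits in the tree. The group check here is a DN string comparison, as the chk_grp lines show; nested groups are not expanded.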
Tips:

- In the above sample configurations, set type, set username, set password and set group are configurable from the CLI only.
- When an object name includes spaces, like 'Test Users', enclose the whole value in double quotes. For example:
    set group "cn=Test Users,cn=Builtin,dc=get,dc=local"
- In the LDAP user config, set filter selects the group objects used for the group search. By default it is (&(objectcategory=group)(member=*)), which is suitable for LDAP on Windows AD. Any other LDAP filter string can be used to match the directory's layout.
- set group and set filter are the syntax of the release this article was written against. On current FortiOS releases the group restriction is configured on the user group instead (config user group -> config match -> set server-name and set group-name), and the LDAP server entry carries group-member-check and group-filter.
- The password of the regular-binding account is stored on the FortiGate, so use a dedicated directory account with read-only rights. Both binding types send the user's password to the LDAP server in the clear on port 389; in production enable LDAPS on the server entry (set secure ldaps, set port 636, set ca-cert <CA certificate>).
Debugging LDAP.
Use the following diagnose commands to help in debugging issues with the LDAP setup:
    diagnose debug application fnbamd -1
    diagnose debug enable

Turn the debug off again when finished (diagnose debug disable, then diagnose debug reset). The line radius_start-Didn't find radius servers (0) that appears in the traces is not an error: fnbamd tries every server type referenced by the user group, and this group contains no RADIUS server.

Simple binding without group search.

Successful:
fnbamd_fsm.c[739] handle_req-Rcvd auth req 16 for test1 in sslgrp opt=0 prot=6

Failed: wrong LDAP server IP, or LDAP server not responding:
fnbamd_fsm.c[739] handle_req-Rcvd auth req 17 for test1 in sslgrp opt=0 prot=6
fnbamd_auth.c[170] radius_start-Didn't find radius servers (0)
fnbamd_ldap.c[336] resolve_ldap_FQDN-Resolved address 10.151.0.32, result 10.151.0.32
fnbamd_ldap.c[465] fnbamd_ldap_start-Error in ldap_simple_bind
fnbamd_auth.c[267] ldap_start-Failed to start ldap request for 10.151.0.32
fnbamd_fsm.c[149] create_auth_session-Error allocating session
fnbamd_fsm.c[752] handle_req-Error creating session
fnbamd_comm.c[128] fnbamd_comm_send_result-Sending result 1 for req 17

Failed: wrong user, wrong password or wrong DN:
fnbamd_fsm.c[739] handle_req-Rcvd auth req 15 for bfeng in sslgrp opt=0 prot=6

Simple binding with group search.

Successful binding and group check:
fnbamd_fsm.c[739] handle_req-Rcvd auth req 2 for bfeng in sslgrp opt=0 prot=6

Group check failure: the user is not a member of the configured group:
fnbamd_fsm.c[739] handle_req-Rcvd auth req 3 for test in sslgrp opt=0 prot=6

The user does not exist, wrong password, or wrong DN in the configuration:
fnbamd_fsm.c[739] handle_req-Rcvd auth req 4 for sdfsf in sslgrp opt=0 prot=6

Regular binding without group search.

Binding authentication failure: wrong binding username or password, or the binding user does not exist in LDAP:
fnbamd_fsm.c[739] handle_req-Rcvd auth req 9 for bfeng in sslgrp opt=0 prot=6

Binding authentication passed, user authentication failure: wrong username or password:
fnbamd_fsm.c[739] handle_req-Rcvd auth req 8 for bfeng in sslgrp opt=0 prot=6

Regular binding with group search.

Successful binding and search (the member list is walked until the user's DN matches):
fnbamd_fsm.c[739] handle_req-Rcvd auth req 13 for bfeng in sslgrp opt=0 prot=6
fnbamd_auth.c[170] radius_start-Didn't find radius servers (0)
fnbamd_ldap.c[336] resolve_ldap_FQDN-Resolved address 10.151.0.35, result 10.151.0.35
fnbamd_ldap.c[144] start_search_dn-base:dc=get,dc=local filter:cn=bfeng
fnbamd_ldap.c[599] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_fsm.c[933] poll_auth-Continue pending for req 13
fnbamd_ldap.c[172] get_all_dn-Found DN 1:CN=bfeng,CN=Users,DC=get,DC=local
fnbamd_ldap.c[188] get_all_dn-Found 1 DN's
fnbamd_ldap.c[214] start_next_dn_bind-Trying DN 1:CN=bfeng,CN=Users,DC=get,DC=local
fnbamd_ldap.c[547] fnbamd_ldap_get_result-Going to REBIND state
fnbamd_fsm.c[933] poll_auth-Continue pending for req 13
fnbamd_ldap.c[241] start_search_grp-base:cn=Test Users,cn=Builtin,dc=get,dc=local filter:(&(objectcategory=group)(member=*))
fnbamd_ldap.c[615] fnbamd_ldap_get_result-Going to CHKGRP state
fnbamd_fsm.c[933] poll_auth-Continue pending for req 13
fnbamd_ldap.c[277] chk_grp-checking group:'CN=Test Users,CN=Builtin,DC=get,DC=local', attr:'member'
fnbamd_ldap.c[282] chk_grp-Found 7 members
fnbamd_ldap.c[287] chk_grp-checking member:'CN=usertestou1,OU=Testou1,OU=Vancouver,DC=get,DC=local'
fnbamd_ldap.c[287] chk_grp-checking member:'CN=user1ou1,OU=ou1,DC=get,DC=local'
fnbamd_ldap.c[287] chk_grp-checking member:'CN=test2 test2,OU=Testou2,OU=Testou1,OU=Vancouver,DC=get,DC=local'
fnbamd_ldap.c[287] chk_grp-checking member:'CN=test1,OU=Vancouver,DC=get,DC=local'
fnbamd_ldap.c[287] chk_grp-checking member:'CN=bfeng,CN=Users,DC=get,DC=local'
fnbamd_ldap.c[296] chk_grp-Group membership is good
fnbamd_ldap.c[561] fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap.c[673] fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth.c[956] fnbamd_auth_poll-Result for ldap svr 10.151.0.35 is SUCCESS
fnbamd_comm.c[128] fnbamd_comm_send_result-Sending result 0 for req 13

Group search failed: the user cannot be found in the group (all 7 members are compared, none matches):
fnbamd_fsm.c[739] handle_req-Rcvd auth req 12 for bryanfeng in sslgrp opt=0 prot=6
fnbamd_auth.c[170] radius_start-Didn't find radius servers (0)
fnbamd_ldap.c[336] resolve_ldap_FQDN-Resolved address 10.151.0.35, result 10.151.0.35
fnbamd_ldap.c[144] start_search_dn-base:dc=get,dc=local filter:cn=bryanfeng
fnbamd_ldap.c[599] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_fsm.c[933] poll_auth-Continue pending for req 12
fnbamd_ldap.c[172] get_all_dn-Found DN 1:CN=bryanfeng,CN=Users,DC=get,DC=local
fnbamd_ldap.c[188] get_all_dn-Found 1 DN's
fnbamd_ldap.c[214] start_next_dn_bind-Trying DN 1:CN=bryanfeng,CN=Users,DC=get,DC=local
fnbamd_ldap.c[547] fnbamd_ldap_get_result-Going to REBIND state
fnbamd_fsm.c[933] poll_auth-Continue pending for req 12
fnbamd_ldap.c[241] start_search_grp-base:cn=Test Users,cn=Builtin,dc=get,dc=local filter:(&(objectcategory=group)(member=*))
fnbamd_ldap.c[615] fnbamd_ldap_get_result-Going to CHKGRP state
fnbamd_fsm.c[933] poll_auth-Continue pending for req 12
fnbamd_ldap.c[277] chk_grp-checking group:'CN=Test Users,CN=Builtin,DC=get,DC=local', attr:'member'
fnbamd_ldap.c[282] chk_grp-Found 7 members
fnbamd_ldap.c[287] chk_grp-checking member:'CN=usertestou1,OU=Testou1,OU=Vancouver,DC=get,DC=local'
fnbamd_ldap.c[287] chk_grp-checking member:'CN=user1ou1,OU=ou1,DC=get,DC=local'
fnbamd_ldap.c[287] chk_grp-checking member:'CN=test2 test2,OU=Testou2,OU=Testou1,OU=Vancouver,DC=get,DC=local'
fnbamd_ldap.c[287] chk_grp-checking member:'CN=test1,OU=Vancouver,DC=get,DC=local'
fnbamd_ldap.c[287] chk_grp-checking member:'CN=bfeng,CN=Users,DC=get,DC=local'
fnbamd_ldap.c[287] chk_grp-checking member:'CN=labuser,OU=lab,DC=get,DC=local'
fnbamd_ldap.c[287] chk_grp-checking member:'CN=bryan,CN=Users,DC=get,DC=local'
fnbamd_ldap.c[557] fnbamd_ldap_get_result-Error in chk_grp
fnbamd_ldap.c[673] fnbamd_ldap_get_result-Going to DONE state res=5
fnbamd_auth.c[943] fnbamd_auth_poll-Result for ldap svr 10.151.0.35 is ERROR
fnbamd_comm.c[128] fnbamd_comm_send_result-Sending result 1 for req 12

Binding authentication OK, the user is identified in the group, but the password is wrong:
fnbamd_fsm.c[739] handle_req-Rcvd auth req 14 for bfeng in sslgrp opt=0 prot=6
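A long fnbamd trace is easier to read once the messages are grouped per request number and reduced to the few facts that matter (which server was used, which DN the search found, whether the group object was checked, what the final result code was). The helper below is an added example, not a Fortinet tool and not part of the original article: it parses the message format used above (file.c[line] function-message) and classifies each request. SAMPLE is the page's own output for requests 17, 13 and 12, re-split one message per line and shortened (some state-machine and member lines removed); the field names and verdict strings are the example's own.

```python
"""Summarise 'diagnose debug application fnbamd -1' output per LDAP request.

Added example, not a Fortinet tool. It parses the message format shown above
(file.c[line] function-message), groups messages by request number and reports
how far each request got: server resolved, DN found by the search, group object
checked, members compared, final result code. SAMPLE is the page's own output
for requests 17, 13 and 12, one message per line, with some lines cut.
"""
import re
from collections import OrderedDict

LINE = re.compile(r"^(?P<file>\w+\.c)\[(?P<lineno>\d+)\]\s*(?P<func>\w+)-(?P<msg>.*)$")
RCVD = re.compile(r"Rcvd auth req (?P<req>\d+) for (?P<user>\S+) in (?P<grp>.+?) opt=")
RESULT = re.compile(r"Sending result (?P<code>\d+) for req (?P<req>\d+)")

SAMPLE = """
fnbamd_fsm.c[739] handle_req-Rcvd auth req 17 for test1 in sslgrp opt=0 prot=6
fnbamd_ldap.c[336] resolve_ldap_FQDN-Resolved address 10.151.0.32, result 10.151.0.32
fnbamd_ldap.c[465] fnbamd_ldap_start-Error in ldap_simple_bind
fnbamd_auth.c[267] ldap_start-Failed to start ldap request for 10.151.0.32
fnbamd_comm.c[128] fnbamd_comm_send_result-Sending result 1 for req 17
fnbamd_fsm.c[739] handle_req-Rcvd auth req 13 for bfeng in sslgrp opt=0 prot=6
fnbamd_ldap.c[336] resolve_ldap_FQDN-Resolved address 10.151.0.35, result 10.151.0.35
fnbamd_ldap.c[144] start_search_dn-base:dc=get,dc=local filter:cn=bfeng
fnbamd_ldap.c[172] get_all_dn-Found DN 1:CN=bfeng,CN=Users,DC=get,DC=local
fnbamd_ldap.c[188] get_all_dn-Found 1 DN's
fnbamd_ldap.c[214] start_next_dn_bind-Trying DN 1:CN=bfeng,CN=Users,DC=get,DC=local
fnbamd_ldap.c[277] chk_grp-checking group:'CN=Test Users,CN=Builtin,DC=get,DC=local', attr:'member'
fnbamd_ldap.c[282] chk_grp-Found 7 members
fnbamd_ldap.c[287] chk_grp-checking member:'CN=bfeng,CN=Users,DC=get,DC=local'
fnbamd_ldap.c[296] chk_grp-Group membership is good
fnbamd_ldap.c[561] fnbamd_ldap_get_result-Auth accepted
fnbamd_comm.c[128] fnbamd_comm_send_result-Sending result 0 for req 13
fnbamd_fsm.c[739] handle_req-Rcvd auth req 12 for bryanfeng in sslgrp opt=0 prot=6
fnbamd_ldap.c[336] resolve_ldap_FQDN-Resolved address 10.151.0.35, result 10.151.0.35
fnbamd_ldap.c[172] get_all_dn-Found DN 1:CN=bryanfeng,CN=Users,DC=get,DC=local
fnbamd_ldap.c[214] start_next_dn_bind-Trying DN 1:CN=bryanfeng,CN=Users,DC=get,DC=local
fnbamd_ldap.c[277] chk_grp-checking group:'CN=Test Users,CN=Builtin,DC=get,DC=local', attr:'member'
fnbamd_ldap.c[287] chk_grp-checking member:'CN=usertestou1,OU=Testou1,OU=Vancouver,DC=get,DC=local'
fnbamd_ldap.c[287] chk_grp-checking member:'CN=bfeng,CN=Users,DC=get,DC=local'
fnbamd_ldap.c[287] chk_grp-checking member:'CN=bryan,CN=Users,DC=get,DC=local'
fnbamd_ldap.c[557] fnbamd_ldap_get_result-Error in chk_grp
fnbamd_comm.c[128] fnbamd_comm_send_result-Sending result 1 for req 12
"""


def parse(text):
    """Group messages by request. Lines that do not name a request are
    attached to the most recently received one, as in the traces above."""
    requests = OrderedDict()
    current = None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        func, msg = m["func"], m["msg"]
        rcvd = RCVD.search(msg)
        if rcvd:
            current = rcvd["req"]
            requests[current] = {"req": current, "user": rcvd["user"], "msgs": []}
            continue
        sent = RESULT.search(msg)
        if sent:
            current = sent["req"]
        if current in requests:
            requests[current]["msgs"].append((func, msg))
    return [summarise(r) for r in requests.values()]


def summarise(req):
    """Reduce one request's messages to the facts a troubleshooter needs."""
    s = {"req": req["req"], "user": req["user"], "server": None, "found_dn": [],
         "group_checked": None, "members_checked": 0, "result_code": None, "failure": None}
    for func, msg in req["msgs"]:
        if func == "resolve_ldap_FQDN":
            s["server"] = msg.rsplit("result ", 1)[-1]
        elif func == "get_all_dn" and msg.startswith("Found DN"):
            s["found_dn"].append(msg.split(":", 1)[1])
        elif func == "chk_grp" and msg.startswith("checking group"):
            s["group_checked"] = msg.split("'")[1]
        elif func == "chk_grp" and msg.startswith("checking member"):
            s["members_checked"] += 1
        elif func == "fnbamd_comm_send_result":
            s["result_code"] = int(RESULT.search(msg)["code"])
        elif "Error in ldap_simple_bind" in msg or "Failed to start ldap request" in msg:
            s["failure"] = "could not start the LDAP request: check server address and reachability"
        elif "Error in chk_grp" in msg:
            s["failure"] = "bind and search succeeded but the user DN is not in the group's member list"
    if s["result_code"] == 0:
        s["verdict"] = "accepted"
    else:
        s["verdict"] = s["failure"] or "rejected: bind or search failed (wrong DN, user or password)"
    return s


if __name__ == "__main__":
    for s in parse(SAMPLE):
        print(f"req {s['req']} {s['user']}@{s['server']} dn={s['found_dn']} "
              f"group={s['group_checked']} members={s['members_checked']} -> {s['verdict']}")
```

Feed it a capture from a real unit and the three distinct outcomes on this page separate cleanly: a request that never gets past fnbamd_ldap_start (address or reachability), one that binds, finds the DN and matches a member, and one that walks the whole member list and ends in Error in chk_grp. Anything else falls through to the generic "bind or search failed" verdict, which is where wrong DN, user or password cases land.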
Related articles:
- Technical Tip: Explanation of LDAP attributes
- Technical Note: Using LDAP for Admin Access and Authorization - "wildcard" admin accounts