Fortinet Community

Description

This article provides steps to configure the LDAP server in FortiGate and how to map LDAP users/groups to Firewall policies.

End users can then see a firewall popup on the browser that will ask for authentication prior using the service.

Note that such a policy will also not allow DNS queries if the user is not authenticated.

End users must have some way of resolving the destination address that would match this policy.

If DNS does not work, the users will not be able to authenticate as the HTTP connection to the destination cannot be made.

Scope

FortiGate.

Solution

To configure the FortiGate unit for LDAP authentication – Using GUI:

1) Go to User & Device -> Authentication -> LDAP Servers and select Create New.

2) Enter a Name for the LDAP server.

3) In Server Name/IP enter the server’s FQDN or IP address.

4) If necessary, change the Server Port number. The default is port 389.

5) Enter the Common Name Identifier (20 characters maximum).
      cn is the default, and most of the customers will be using SAMAccountName.

- CN stands for Common Name which is an attribute name in LDAP.

- sAMAccountName is another LDAP attribute and can reference the logon name (in reference to windows LDAP server).

Make sure to get the info which attribute the end users are using agains the LDAP server as the values of the attributes can look different, for example 'usert' vs. 'TestUser'.

6) For a Distinguished name, select browse and select the main domain (Select the domain once the Username and Password are entered as per step 8 and 9).

7) In Bind Type, select Regular.

8) In the Username field, enter the LDAP administrator's account name along with the domain (Ref.Screenshot below).

9) In the Password field, enter the LDAP administrator's account password.

10) Select OK.