Description
This article describes the steps to configure the LDAP server in FortiGate and how to map LDAP users/groups to Firewall policies.
End users can then see a firewall popup on the browser that will ask for authentication prior to using the service.
Note that such a policy will also not allow DNS queries if the user is not authenticated.
End users must have some way of resolving the destination address that would match this policy.
If DNS does not work, the users will not be able to authenticate as the HTTP connection to the destination cannot be made.
Scope
FortiGate.
Solution
To configure the FortiGate unit for LDAP authentication – Using GUI:
Go to User & Device -> Authentication -> LDAP Servers and select Create New.
For new Firmware 7.0 & above the path would be:
- Go to User & Authentication -> LDAP Servers and select Create New.
-
Enter a Name for the LDAP server.
-
In Server Name/IP enter the server’s FQDN or IP address.
-
If necessary, change the Server Port number. The default is port 389.
-
Enter the Common Name Identifier (20 characters maximum).
cn is the default, and most of the customers will be using sAMAccountName ( see 'Common Name Identifier' configured as 'sAMAccountName' ).
- CN stands for Common Name which is an attribute name in LDAP.
- sAMAccountName is another LDAP attribute and can reference the login name (about the Windows LDAP server).
Make sure to get the info on which attributes the end users are using against the LDAP server as the values of the attributes can look different, for example, 'usert' vs. 'TestUser'.
- For a Distinguished name, select browse and select the main domain (Select the domain once the Username and Password are entered as per steps 8 and 9).
- In Bind Type, select Regular.
- In the Username field, enter the LDAP administrator's account name along with the domain (Ref. Screenshot below). In some cases, the domain\username format may not work. Use the distinguishedName from the domain controller.
Copy the distinguishedName value from the Windows Domain Controller by opening Active Directory Users and Computers, then selecting the View menu and Advanced Features. After, locate and 'right-click' the desired credentials and select Properties. Next, select the Attribute Editor tab and copy the value of distinguishedName. - In the Password field, enter the LDAP administrator's account password.
- Select OK.
edit LDAP
set server "172.16.16.100"
set cnid "cn"
set dn "dc=tac,dc=local"
set username TAC\\Administrator
set password xxxxx
set port 389
next
end
- Go to User & Authentication -> User Definition and select Create New.
-
On 'User Type', choose 'Remote LDAP user' and select 'Next'.
-
On 'LDAP Server', select the LDAP server name and select 'Next'.
-
Select the User. 'Right-click', select + Add Selected, and select 'Submit'.
Imported Remote LDAP user: -
Once Users/Groups are imported, use them in a firewall policy.
- LDAP authentication supports HTTP, HTTPS, FTP, and Telnet Protocols only.
- To integrate the Novell eDirectory with the FortiGate, the 'member-attr' setting must be enabled for the LDAP settings (see configuration details LDAP-Server-Settings-to-Support-Novell-eDirectory).
- If using Two Factor Authentication(2FA) with an LDAP remote user, make sure to select the option 'set username-sensitivity disable' in the CLI, as the 2FA will otherwise not work correctly and will be bypassed if the user tries to login with a random capital letter in the username. This is due to CVE-2020-12812, and the option 'set username-sensitivity disable' was added as a solution to this CVE. For more information, see Technical Tip: Description of CVE-2020-12812 (bypassing two-factor authentication for LDAP users) an....
edit TestUser
set type ldap
set ldap-server LDAP1
set two-factor fortitoken
set fortitoken FTKxxxxxxxxxxxxxxxxxx
set username-sensitivity disable
end
