FortiGate
sinamdar
Staff
Description
How to configure FortiGate user groups with an LDAP server and restrict access to members of specific LDAP groups only.
This applies to local and remote authentication of SSL VPN services.

Scope
FortiOS 4.0MR2 and above

Solution
The group restriction is defined in the user group settings with "config match" from the CLI.
An example follows.

Example of LDAP server settings:

FGT # config user ldap
FGT (ldap) # edit ldap_server
FGT (ldap_server) # get
name                  : ldap_server
server                : <server IP>
cnid                  : cn
dn                    : DC=xyz,DC=com    // a more specific base DN (using OUs) can be used here to narrow the search
port                  : 389
type                  : regular
username              : <domain administrator, in LDAP DN style>
password              : *
filter                : (&(objectcategory=group)(member=*))
secure                : disable
password-expiry-warning: disable
password-renewal      : disable
member-attr           : memberOf    // memberOf for Windows AD and OpenLDAP, groupMembership for eDirectory

FortiGate group configuration (example for an SSL VPN portal):

config user group
    edit <group_name>
        set group-type firewall
        set sslvpn-portal "<portal>"      // select the portal if this group is used for SSL VPN
        set member "ldap_server"          // the LDAP server defined above
        config match                      // keyword that restricts the group to specific LDAP groups
            edit 1
                set server-name "ldap_server"              // the LDAP server
                set group-name "cn=grp,dc=xyz,dc=com"      // the DN of the LDAP group
            next
        end
    next
end
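
To show what "config match" actually evaluates, here is an added, offline model of the check (example code written for this article, not FortiOS code). After the user authenticates, the FortiGate reads the attribute named in member-attr (memberOf above) and compares each returned DN with the group-name of every match entry; the user belongs to the FortiGate group if at least one entry matches. The comparison below normalises DNs component by component (case-insensitive attribute types and values, surrounding whitespace ignored, backslash-escaped commas honoured), which is why a value such as "cn=grp ,dc=XYZ,dc=com" still matches; the exact normalisation FortiOS applies is an assumption of this example, and the user names and memberOf values are constructed.

```python
"""Offline model of the FortiGate 'config match' group check (constructed example)."""
from typing import Iterable, List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP DN into normalised (attribute, value) pairs.

    Commas escaped with a backslash (e.g. 'cn=Smith\\, John') are part of
    the value, attribute types are lower-cased and values are compared
    case-insensitively with runs of whitespace collapsed.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))

    pairs = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in DN {dn!r}")
        attr, value = part.split("=", 1)
        pairs.append((attr.strip().lower(), " ".join(value.split()).lower()))
    return pairs


def dn_equal(a: str, b: str) -> bool:
    """Compare two DNs after normalisation (assumed to mirror the firewall's match)."""
    return parse_dn(a) == parse_dn(b)


def user_in_group(member_of: Iterable[str], match_entries: Iterable[str]) -> bool:
    """True if any memberOf value matches any configured 'group-name' entry."""
    return any(dn_equal(m, g) for m in member_of for g in match_entries)


# Constructed memberOf values as an LDAP server might return them for two users.
ALICE_MEMBER_OF = ["CN=grp,DC=xyz,DC=com", "CN=Domain Users,CN=Users,DC=xyz,DC=com"]
BOB_MEMBER_OF = ["CN=Domain Users,CN=Users,DC=xyz,DC=com"]

# The 'group-name' values of the 'config match' entries from the user group above.
MATCH_ENTRIES = ["cn=grp,dc=xyz,dc=com"]


def decide(member_of: List[str], match_entries: Iterable[str] = MATCH_ENTRIES) -> str:
    """Outcome for the FortiGate group: 'member' or 'not a member'."""
    return "member" if user_in_group(member_of, match_entries) else "not a member"


if __name__ == "__main__":
    for name, groups in (("alice", ALICE_MEMBER_OF), ("bob", BOB_MEMBER_OF)):
        print(f"{name}: {decide(groups)}")
```

Only direct membership is modelled: the values come straight from the user's memberOf attribute, so a user who belongs to "grp" only through a nested group is reported as "not a member", which is the case to test for when access is unexpectedly denied.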

This group can now be used in firewall policies to allow only the members of "grp":

config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set identity-based enable
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "group_name"
                set service "ANY"
            next
        end
    next
end

Internal Notes
The LDAP design changed in 4.2: the server can no longer be restricted to a single group with the "group" keyword as before.
The previous way (before 4.2) was: set ldap-memberof "cn=grp ,ou=support,dc=lab,dc=com"
