FortiGate
sinamdar
Staff
Article Id 190870

Description

This article describes how to create FortiGate admin users that are authenticated by an LDAP server.


Scope


Accessing the FortiGate WebGUI using LDAP users.

Solution

Configuration method.

To use an LDAP server to authenticate administrators in a VDOM, the authentication has to be configured before the administrator accounts are created.

1. Configure an LDAP server.

For example:

 

# config user ldap
    edit "ldap"
        set server "10.40.9.78"
        set cnid "sAMAccountName"
        set dn "dc=dubailab,dc=lab"
        set type regular
        set username "cn=administrator,cn=users,dc=dubailab,dc=lab"
        set password p@ssword
    next
end

If only the members of a particular group are to be allowed to log in to the FortiGate as administrators, a FortiGate user group must be configured to limit the access.


2. Create an LDAP user group.



# config user group
    edit "salesgrp"
        set group-type firewall
        set authtimeout 0
        set auth-concurrent-override disable
        set http-digest-realm ''
        set member "ldap"
        config match
            edit 1
                set server-name "ldap"
                set group-name "CN=salesgrp,CN=Users,DC=dubailab,DC=lab"
            next
        end
    next
end
3. Configure an administrator that authenticates against the LDAP server.



# config system admin
    edit "ldap_admin"
        set remote-auth enable
        set accprofile "prof_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "salesgrp"
    next
end
The remaining parameters are left at their default values.

Note:

If 'wildcard' is not enabled, not every member of the LDAP (AD) group is allowed to log in. In that case the administrator account must be created with the same name the user has in AD, and the user logs in with their AD password.

Verification: log in to the FortiGate WebGUI using the LDAP user 'sales'.
Use the following commands to capture the debug output:

 

# diag debug enable
# diag debug application fnbamd -1
 
[59] ldap_dn_list_del_all-Del CN=sales,OU=new2,DC=dubailab,DC=lab
[3141] fnbamd_ldap_result-Result for ldap svr 10.40.9.78 is SUCCESS
[399] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=dubailab,DC=lab
[3152] fnbamd_ldap_result-Passed group matching
[1047] find_matched_usr_grps-Group 'salesgrp' passed group matching
[1048] find_matched_usr_grps-Add matched group 'salesgrp'(2)
[2887] fnbamd_fas_send_push-username:sales, vdom:root, usertype:0, tfc=0, auth_type:16

[181] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 295304432
[724] destroy_auth_session-delete session 295304432
[59] ldap_dn_list_del_all-Del CN=salesgrp,CN=Users,DC=dubailab,DC=lab
[59] ldap_dn_list_del_all-Del CN=Domain Users,CN=Users,DC=dubailab,DC=lab
Note:
The procedure above works only for LDAP, not for LDAPS.