FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
FiFa_FTNT
Staff
Article Id 197097

Description


This article describes how to configure an LDAP authentication server.


Scope


Windows 2008 R2, 2012.


Solution


Definition:

https://auth0.com/docs/authenticate/protocols/ldap-protocol#:~:text=The%20Lightweight%20Directory%20...


The Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services.

The FortiGate LDAP client sends these requests:

Bind: Authentication.
StartTLS: Encryption.
Search: Query.
Unbind: Close the connection.

LDAP structure.

The LDAP structure is similar to a tree that contains entries (objects) in each branch.
Each entry has a unique ID, the Distinguished Name (DN).
Each entry also has attributes.
Each attribute has a name and one or more values.
The attributes are defined in a directory schema.

LDAP structure example.



LDAP Configuration

Bind types:
  • Simple: bind without user search. It can be used only if all the users belong to the same 'branch'.
  • Anonymous: bind with user search. It can be used when users are in different 'branches', and only if the server allows 'anonymous search'.
  • Regular: bind with user search. It can be used when users are in different 'branches' and the server does not allow 'anonymous search'.

Simple bind configuration


Simple bind example.


Anonymous bind configuration.


Anonymous bind example.


Regular bind configuration.


Regular bind example.


To find the 'Distinguished Name', run either of these two commands from the LDAP server's command prompt:

dsquery user -name <full_user_name>
dsquery user -samid <login_username>

For example, if the following output appears:

    C:\> dsquery user -samid jsmith
    "cn=John Smith,cn=users,dc=tac,dc=ottawa,dc=fortinet,dc=com"

It is possible to configure the 'Distinguished Name' as:
    dc=tac,dc=ottawa,dc=fortinet,dc=com

To find the 'User DN' (or Bind DN), run either of these two commands from the LDAP server's command prompt:

dsquery user -name <admin_full_user_name>
dsquery user -samid <admin_login_username>

The complete DN has to be used as 'User DN'.

For example, if the following output appears:

    C:\> dsquery user -samid administrator
    cn=Administrator,cn=users,dc=tac,dc=ottawa,dc=fortinet,dc=com

Configure the 'User DN' as:
    cn=Administrator,cn=users,dc=tac,dc=ottawa,dc=fortinet,dc=com
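The three bind types above and the DN derivation from dsquery output, modelled as an added example (not code from the Fortinet article or from FortiOS). The in-memory DIRECTORY, the users in it and the helper names are constructed assumptions standing in for a real LDAP server; the logic shows why simple bind only works inside one branch, why anonymous bind depends on the server allowing anonymous search, and why regular bind needs a complete, valid User DN.

```python
from typing import Dict, List, Optional, Tuple

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'cn=John Smith,cn=users,dc=tac,...' into (attribute, value) pairs.
    Quotes around dsquery output are stripped; escaped commas are not handled."""
    parts = dn.strip().strip('"').split(",")
    return [tuple(p.split("=", 1)) for p in parts]

def base_dn_from_dsquery(dn: str) -> str:
    """Keep only the dc= components: the value to enter as the FortiGate
    'Distinguished Name' (search base), as the article derives it."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn) if a.lower() == "dc")

# Constructed in-memory directory standing in for the LDAP server: two users in
# different branches plus the account used for the regular bind (User DN).
BASE = "dc=tac,dc=ottawa,dc=fortinet,dc=com"
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    f"cn=John Smith,cn=users,{BASE}": {"sAMAccountName": ["jsmith"]},
    f"cn=Ann Lee,ou=sales,{BASE}": {"sAMAccountName": ["alee"]},
    f"cn=Administrator,cn=users,{BASE}": {"sAMAccountName": ["administrator"]},
}
ANONYMOUS_SEARCH_ALLOWED = False  # assumed server policy: no anonymous search

def search_user(cnid: str, login: str, search_base: str) -> Optional[str]:
    """Search request: entry under search_base whose <cnid> attribute equals login."""
    for dn, attrs in DIRECTORY.items():
        rdn_vals = [v for a, v in parse_dn(dn) if a.lower() == cnid.lower()]
        in_branch = dn.lower().endswith(search_base.lower())
        if in_branch and login in rdn_vals + attrs.get(cnid, []):
            return dn
    return None

def resolve_user_dn(bind_type: str, cnid: str, login: str, search_base: str,
                    bind_dn: Optional[str] = None) -> Optional[str]:
    """DN the FortiGate would bind as for this login, or None when lookup fails."""
    if bind_type == "simple":
        # No search: the DN is assembled as <cnid>=<login>,<Distinguished Name>,
        # so it only works when every user sits directly in that one branch.
        dn = f"{cnid}={login},{search_base}"
        return dn if dn in DIRECTORY else None
    if bind_type == "anonymous" and not ANONYMOUS_SEARCH_ALLOWED:
        return None  # the server refuses the anonymous search
    if bind_type == "regular" and bind_dn not in DIRECTORY:
        return None  # the User DN (bind account) must be a complete, valid DN
    return search_user(cnid, login, search_base)
```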

Regular bind configuration summary.


In most schemas, each user entry has an attribute containing the DNs of the groups to which the user belongs.
By default, the FortiGate tries to get the group list from the 'memberOf' attribute (Microsoft AD). If the group information is stored in a different attribute, set the attribute name using the CLI:

config user ldap
    edit <Server_name>
        set member-attr <attribute_name>
    next
end

Group query - Microsoft AD case.




Related article:

FortiGate LDAP Server configuration examples