FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
skaneria
Staff
Article Id 192365
Description
This article describes how to set up FortiAuthenticator to function as a LDAP server.

Solution
1) Creating the user and user group on the FortiAuthenticator

On the FortiAuthenticator, go to Authentication -> User Management -> Local Users and select 'Create New'.
Enter a name for the user, enter and confirm a password, and disable 'Allow RADIUS authentication', since RADIUS authentication is not required for this process.
Set Role as User, and select 'OK'. New options will appear.
Make sure to enable 'Allow LDAP browsing'; without it, the user will not be able to connect to the FortiGate.





Create another user with the same settings.
Later, use 'jgarrick' on the FortiGate to query the LDAP directory tree on FortiAuthenticator, and use 'bwayne' credentials to connect to the VPN tunnel.

Next, go to Authentication -> User Management -> User Groups, and create a user group for the FortiGate users.
Add the desired users to the group.




2) Creating the LDAP directory tree on the FortiAuthenticator.

- Go to Authentication -> LDAP Service -> Directory Tree, and create a Distinguished Name (DN). A DN is made up of Domain Components (DC).
The users created earlier become User ID (UID) entries in the LDAP directory tree, and the user group created earlier becomes a Common Name (CN) entry.
- Create an Organizational Unit (OU) and, under it, a Common Name (CN). Under the cn=HeadOffice entry, add a UID entry for each user.

Selecting a user displays that user's full DN on the LDAP server.








3) Connecting the FortiGate to the LDAP server

- On the FortiGate, go to User & Device -> LDAP Servers and select 'Create New'.
- Enter a name for the LDAP server connection.
- Set Server IP/Name to the IP of the FortiAuthenticator, and set the Common Name Identifier to uid.
- Set Distinguished Name to dc=fortinet,dc=com, and set the Bind Type to Regular.
- Enter the full DN of the 'jgarrick' user on the LDAP server, and enter that user's password.

This DN is the bind account that the FortiGate uses to query the LDAP server.





- Select 'Test Connectivity' to confirm that the FortiGate can reach the LDAP server.

- Then select 'Test User Credentials' to query the LDAP directory with the 'jgarrick' credentials. The query should succeed.




4) Creating the LDAP user group on the FortiGate.

- Go to User & Device -> User Groups and select 'Create New'.
- Enter a name for the user group. Under Remote Groups select 'Add'.




- Select 'LDAPserver' under the Remote Server drop-down.
- In the new Add Group Match window, select 'HeadOffice' under the Groups tab, and select 'Add Selected'. The group will be added to the Selected tab.
- Select 'OK'.





- 'LDAPserver' has been added to the LDAP group.
- Select 'OK'.
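The following is an added example, not part of the original article, showing the FortiOS CLI equivalent of steps 3 and 4 together with a CLI check that mirrors 'Test User Credentials'. The DNs follow the tree described in step 2 (dc=fortinet,dc=com -> OU -> cn=HeadOffice -> uid entries). The FortiAuthenticator address 192.0.2.10, the OU name FortiGateUsers, the group object name LDAPgroup and the two password placeholders are assumptions, since the article does not state them; replace them with your own values.

```text
# Added example (not from the article). Assumed values: server IP 192.0.2.10,
# OU name "FortiGateUsers", group name "LDAPgroup", placeholder passwords.

# Step 3: LDAP server object. Regular bind with the browsing account 'jgarrick';
# the Common Name Identifier 'uid' is the attribute the FortiGate searches on.
config user ldap
    edit "LDAPserver"
        set server "192.0.2.10"
        set cnid "uid"
        set dn "dc=fortinet,dc=com"
        set type regular
        set username "uid=jgarrick,cn=HeadOffice,ou=FortiGateUsers,dc=fortinet,dc=com"
        set password "<jgarrick-password>"
    next
end

# Step 4: LDAP user group. The group match restricts access to users that are
# members of cn=HeadOffice on the FortiAuthenticator.
config user group
    edit "LDAPgroup"
        set member "LDAPserver"
        config match
            edit 1
                set server-name "LDAPserver"
                set group-name "cn=HeadOffice,ou=FortiGateUsers,dc=fortinet,dc=com"
            next
        end
    next
end

# CLI equivalent of 'Test User Credentials': binds as 'jgarrick', searches for
# uid=bwayne under the base DN, then binds as 'bwayne' and reports the groups found.
diagnose test authserver ldap LDAPserver bwayne <bwayne-password>
```

The diagnose output is the quickest way to confirm both halves of the setup: a failed first bind points at the 'jgarrick' DN, password or the missing 'Allow LDAP browsing' option on the FortiAuthenticator, while a successful bind that lists no groups points at the group-name DN in the match entry. The article configures plain LDAP as shown; on the FortiGate, `set secure ldaps` with `set port 636` on the same server object moves the bind password off the wire in clear text, which is outside the article's scope but worth applying in production.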



