Article Id 191340

Description

This article describes the LDAP attributes encountered when configuring FortiOS for Active Directory (AD) integration.

LDAP, the Lightweight Directory Access Protocol, is the protocol used to bind to and query directory services over TCP/IP (port 389, or 636 for LDAPS). In FortiOS, LDAP is most often used to authenticate users against Microsoft Active Directory and to read their group membership for policy decisions.

 

Scope

FortiGate, LDAP.

Solution

When configuring FortiOS to communicate with Active Directory, the following LDAP attributes are the ones most often entered in the LDAP server settings (Common Name Identifier, Distinguished Name, group filter) or returned in the search results. Each is described below with the points that matter for the FortiGate configuration:

 

cn (Common Name).

Names an individual object such as a user, group or device; it is the leftmost RDN of most AD object DNs.
In the FortiOS LDAP server configuration, the Common Name Identifier field (cnid in the CLI) takes just an attribute name such as cn, with no equals sign and no value: FortiOS appends the name the user types at the authentication prompt and searches for the entry whose cn attribute holds that value.
In AD the cn of a user object is usually the user's full name (for example "John Smith"), not the logon name, so a Common Name Identifier of cn only works if users type their full name. For AD, sAMAccountName or userPrincipalName is normally the better choice.


ou (Organizational Unit).

A container that holds users, groups, computers and other OUs. Each OU in the path becomes an ou= component of the DN.
The default 'Users' container in AD is not an OU. It is a container object and must be written cn=Users (for example cn=Users,dc=fortinet,dc=com), not ou=Users; the same applies to the default Computers container. This is a common cause of LDAP servers that bind successfully but find no users.
To restrict searches to a sub-OU, list every OU in the path, most specific first, in the search base (the Distinguished Name, or dn, field): a Sales OU beneath a Staff OU becomes ou=Sales,ou=Staff,dc=fortinet,dc=com. The search base is a DN rather than a filter, so the order of the components matters.


dc (Domain Component).

Each DNS label of the domain is a separate dc= component, written in the same order as the DNS name.
For the domain 'fortinet.com' the components are dc=fortinet,dc=com; for a child domain such as 'emea.fortinet.com' they are dc=emea,dc=fortinet,dc=com.
The dc components end every DN in the directory and on their own form the widest possible search base for a domain.


sAMAccountName.

The pre-Windows 2000 logon name (the 'User logon name (pre-Windows 2000)' field in Active Directory Users and Computers); for user accounts it is at most 20 characters and unique within the domain.
It is what users usually type when logging on to a workstation or accessing a shared resource, which makes it the usual Common Name Identifier for FortiOS LDAP servers that point at AD.


objectClass.

Multi-valued; lists the schema classes of the object. AD user objects carry the values top, person, organizationalPerson and user.
It is used in search filters to return only the intended object type, for example (objectClass=user). AD computer objects also carry the user class, so (objectCategory=person) is the more precise way to match only user accounts.


memberOf.

The DNs of the groups the user is a direct member of. In AD it is a back-link computed from each group's member attribute, so it cannot be set directly on the user.
FortiOS uses it in the LDAP server's group filter and in remote group matching to apply policies or grant access based on group membership.
Two caveats apply. memberOf lists direct membership only: a user who is in VPN-Users only through membership of Sales-Team does not match (memberOf=cn=VPN-Users,...). AD's LDAP_MATCHING_RULE_IN_CHAIN extension, written memberOf:1.2.840.113556.1.4.1941:=<group DN>, makes the domain controller resolve the nesting, at some cost in query time. Also, the user's primary group (primaryGroupID, by default Domain Users) never appears in memberOf, so a filter on Domain Users matches no user whose primary group it is.


userPrincipalName (UPN).

A logon name in the form username@domain.com, where the suffix is usually the DNS name of the domain but can be any UPN suffix defined in the forest.
The UPN is intended to be unique across the whole forest, so in environments with several domains it identifies a user unambiguously where a sAMAccountName on its own does not. To use it, set the Common Name Identifier to userPrincipalName and have users log in with their full UPN.


Additional Notes:
When setting up LDAP integration in FortiOS, set the search base (dn) to the narrowest container that holds all the users who need to authenticate, and keep the group filter specific, so that each authentication issues a small, indexed query. A search base at the domain root combined with a broad filter turns every logon into a subtree search across the domain, which slows both the FortiGate and the domain controller and can run into the domain controller's result-size limits. Use a dedicated, unprivileged bind account for the regular bind and LDAPS so that neither the bind password nor the user's credentials cross the network in clear text.
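To make the memberOf and Common Name Identifier behaviour above concrete, here is an added example (not code from the article or from FortiOS) that parses a constructed LDIF record for one AD user and evaluates it the way a FortiOS group filter would: which cnid values the typed login name matches, whether direct memberOf contains a group, and how the result changes when nesting is resolved. The user, group names and the nesting table are constructed for the example; the attribute semantics (multi-valued objectClass, memberOf as direct membership only, primaryGroupID 513 not listed in memberOf) are AD's.

```python
"""Evaluate a constructed AD user entry the way an LDAP group filter would.
Added example; not part of the Fortinet article."""
from __future__ import annotations
import re

# Constructed LDIF for one user; not a capture from a real directory.
USER_LDIF = """\
dn: CN=John Smith,OU=Sales,OU=Staff,DC=fortinet,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: John Smith
sAMAccountName: jsmith
userPrincipalName: jsmith@fortinet.com
memberOf: CN=Sales-Team,OU=Groups,DC=fortinet,DC=com
primaryGroupID: 513
"""

# Constructed nesting: Sales-Team is itself a member of VPN-Users. This is the
# relationship the 1.2.840.113556.1.4.1941 matching rule resolves on the DC.
GROUP_PARENTS = {
    "cn=sales-team,ou=groups,dc=fortinet,dc=com": ["cn=vpn-users,ou=groups,dc=fortinet,dc=com"],
    "cn=vpn-users,ou=groups,dc=fortinet,dc=com": [],
}


def parse_ldif(text: str) -> dict[str, list[str]]:
    """Minimal single-entry LDIF parser: attribute names are lower-cased, every
    attribute becomes a list, folded lines (leading space) are joined.
    Base64 ('::') values are not handled."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry: dict[str, list[str]] = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def norm_dn(dn: str) -> str:
    """AD compares DNs case-insensitively and ignores whitespace after a comma."""
    return re.sub(r",\s+", ",", dn.strip()).lower()


def matches_login(entry: dict[str, list[str]], cnid: str, login: str) -> bool:
    """What the Common Name Identifier does: the typed name must equal a value
    of the cnid attribute (AD string matching is case-insensitive)."""
    return any(v.lower() == login.lower() for v in entry.get(cnid.lower(), []))


def effective_groups(entry: dict[str, list[str]]) -> set[str]:
    """Direct memberOf plus every parent group reachable through GROUP_PARENTS."""
    seen: set[str] = set()
    stack = [norm_dn(g) for g in entry.get("memberof", [])]
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(GROUP_PARENTS.get(g, []))
    return seen


def is_member(entry: dict[str, list[str]], group_dn: str, nested: bool = False) -> bool:
    """Emulate (&(objectClass=user)(memberOf=group_dn)), optionally with nesting.
    The primary group (primaryGroupID 513 = Domain Users by default) is never in
    memberOf, so asking for Domain Users returns False for this user either way."""
    if "user" not in {v.lower() for v in entry.get("objectclass", [])}:
        return False
    groups = effective_groups(entry) if nested else {norm_dn(g) for g in entry.get("memberof", [])}
    return norm_dn(group_dn) in groups


if __name__ == "__main__":
    user = parse_ldif(USER_LDIF)
    for cnid in ("cn", "sAMAccountName", "userPrincipalName"):
        print(f"cnid={cnid:18} login 'jsmith' matches: {matches_login(user, cnid, 'jsmith')}")
    vpn = "CN=VPN-Users,OU=Groups,DC=fortinet,DC=com"
    print("direct:", is_member(user, vpn), "nested:", is_member(user, vpn, nested=True))
```

Run against the constructed entry, only sAMAccountName matches a login of jsmith, VPN-Users matches only when nesting is resolved, and Domain Users never matches; those are the three results to keep in mind when a user "is in the group" in Active Directory Users and Computers but fails the FortiGate group check.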
