Moving LDAP branches in the directory tree
At times you may want to rearrange the hierarchy of the LDAP structure. For example a department may be moved from one country to another.
While it is easy to move a branch in the LDAP tree, every system that references the old location must be updated to the new structure or it will no longer be able to authenticate users. In particular, a FortiGate unit configured with a Distinguished Name that points at the moved branch will fail to find user entries until its LDAP server entry is changed to the new DN.
To move an LDAP branch:
- From the LDAP directory tree, select Expand All and find the branch that is to be moved.
- Click and drag the branch from its current location to its new location
When the branch is hovered above a valid location, an arrow appears to the left of the current branch to indicate where the moved branch will be inserted. It is inserted below the entry with the arrow.
Removing entries from the directory tree
Adding entries to the directory tree is done one entry at a time, at the proper place in the tree. Removing an entry, however, also removes everything beneath it, so a single deletion can remove multiple branches at once.
To remove an entry from the LDAP directory tree:
- From the LDAP directory tree, select Expand All and find the branch that is to be removed.
- Select the red X to the right of the entry name.
You will be prompted to confirm your deletion. The prompt lists all the entries that will be removed by this deletion. Ensure this is the level that you intend to delete.
- Select Yes, I’m sure to delete the entry.
If the deletion was successful, a green check mark appears next to the success message above the LDAP directory tree and the entry is removed from the tree.
Configuring a FortiGate unit for FortiAuthenticator LDAP
When you have defined the FortiAuthenticator LDAP tree, you can configure FortiGate units to access the FortiAuthenticator as an LDAP server and authenticate users.
To configure the FortiGate unit for LDAP authentication:
- On the FortiGate unit, go to User & Device > Authentication > LDAP Server and select Create New.
- Enter the following information:
Name | Enter a name to identify the FortiAuthenticator LDAP server on the FortiGate unit. |
Server Name / IP | Enter the FQDN or IP address of the FortiAuthenticator unit. |
Server Port | Leave at the default (389). |
Common Name Identifier | Enter uid, the user ID attribute. |
Distinguished Name | Enter the LDAP node where the user account entries can be found. For example, ou=People,dc=example,dc=com |
Bind Type | The FortiGate unit can be configured to use one of three types of binding: anonymous (bind using an anonymous user search), regular (bind using a username and password, then search), or simple (bind using simple password authentication without a search). You can use simple authentication if the user records all fall under one distinguished name (DN). If the users are under more than one DN, use the anonymous or regular type, which can search the entire LDAP database for the required username. If your LDAP server requires authentication to perform searches, use the regular type and provide values for User DN and Password. |
Secure Connection | If you select Secure Connection, you must select the LDAPS or STARTTLS protocol and the CA certificate that verifies the FortiAuthenticator unit's identity. If you select the LDAPS protocol, the Server Port changes to 636. Without Secure Connection, the bind password and the users' passwords cross the network in cleartext on port 389, so enable it on anything other than an isolated management network. |
- Select OK to apply your settings.
- Add the LDAP server to a user group. Specify that user group in identity-based security policies where you require authentication.
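The following is an added example, not code from the FortiAuthenticator or FortiGate documentation. It models the LDAP tree in memory to show two things the text above describes: what each Bind Type does with the login name a user types (simple builds "uid=login,DistinguishedName" and binds directly; anonymous and regular search the subtree first), and why moving a branch in the directory tree, as described in "Moving LDAP branches", breaks a FortiGate whose Distinguished Name still points at the old location. The directory entries, DNs, service account and passwords are constructed for illustration; nothing here talks to a real LDAP server.

```python
"""Added example: in-memory model of the FortiGate bind types and of a branch move.
All entries, DNs and passwords below are constructed sample data (assumptions)."""

from typing import Dict, Optional

# Constructed sample directory: DN -> attributes. alice and bob sit under
# ou=People; carol sits under ou=Contractors, so not all users share one parent
# DN. cn=fgt-bind is the service account a "regular" bind would use.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "dc=example,dc=com": {},
    "ou=People,dc=example,dc=com": {},
    "ou=Contractors,dc=example,dc=com": {},
    "ou=EMEA,dc=example,dc=com": {},
    "cn=fgt-bind,dc=example,dc=com": {"userPassword": "bind-pw"},
    "uid=alice,ou=People,dc=example,dc=com": {"uid": "alice", "userPassword": "alice-pw"},
    "uid=bob,ou=People,dc=example,dc=com": {"uid": "bob", "userPassword": "bob-pw"},
    "uid=carol,ou=Contractors,dc=example,dc=com": {"uid": "carol", "userPassword": "carol-pw"},
}


def normalize(dn: str) -> str:
    """Strip whitespace around RDN components so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.split(","))


def is_under(dn: str, base: str) -> bool:
    """True when dn lies strictly beneath base (subtree scope)."""
    return normalize(dn).lower().endswith("," + normalize(base).lower())


def bind(directory: Dict[str, Dict[str, str]], dn: str, password: str) -> bool:
    """Password bind: the entry must exist and the password must match."""
    entry = directory.get(normalize(dn))
    return entry is not None and entry.get("userPassword") == password


def simple_bind(directory, cnid: str, base_dn: str, login: str, password: str) -> bool:
    """Bind Type 'simple': FortiGate builds '<cnid>=<login>,<Distinguished Name>'
    and binds as that DN. No search, so the user must live directly under base_dn."""
    return bind(directory, f"{cnid}={login},{base_dn}", password)


def search_bind(directory, cnid: str, base_dn: str, login: str, password: str,
                bind_dn: Optional[str] = None, bind_pw: Optional[str] = None) -> bool:
    """Bind Type 'anonymous' (bind_dn=None) or 'regular' (service account given):
    search the subtree under base_dn for cnid=login, then bind as the DN found."""
    if bind_dn is not None and not bind(directory, bind_dn, bind_pw or ""):
        return False  # service account rejected: the search never happens
    matches = [dn for dn, attrs in directory.items()
               if is_under(dn, base_dn) and attrs.get(cnid) == login]
    if len(matches) != 1:
        return False  # no such user, or ambiguous (same uid in two branches)
    return bind(directory, matches[0], password)


def move_branch(directory, old_dn: str, new_parent_dn: str) -> Dict[str, Dict[str, str]]:
    """Model of dragging a branch to a new location (LDAP modrdn with newSuperior):
    the branch and every entry beneath it receive the new DN suffix."""
    old = normalize(old_dn)
    new = f"{old.split(',', 1)[0]},{normalize(new_parent_dn)}"
    moved: Dict[str, Dict[str, str]] = {}
    for dn, attrs in directory.items():
        n = normalize(dn)
        if n == old or n.lower().endswith("," + old.lower()):
            moved[n[: len(n) - len(old)] + new] = attrs
        else:
            moved[n] = attrs
    return moved


def demo() -> Dict[str, bool]:
    """Run the scenarios from the text and return the outcome of each."""
    people = "ou=People,dc=example,dc=com"
    root = "dc=example,dc=com"
    svc = "cn=fgt-bind,dc=example,dc=com"
    results = {
        # simple works only for users directly under the configured DN
        "simple_alice": simple_bind(DIRECTORY, "uid", people, "alice", "alice-pw"),
        "simple_carol": simple_bind(DIRECTORY, "uid", people, "carol", "carol-pw"),
        # anonymous/regular search the whole subtree, so carol is found from the root
        "anonymous_search_carol": search_bind(DIRECTORY, "uid", root, "carol", "carol-pw"),
        "regular_ok": search_bind(DIRECTORY, "uid", root, "carol", "carol-pw", svc, "bind-pw"),
        "regular_bad_svc_pw": search_bind(DIRECTORY, "uid", root, "carol", "carol-pw", svc, "wrong"),
    }
    # Move ou=People under ou=EMEA, as the drag-and-drop procedure would.
    moved = move_branch(DIRECTORY, people, "ou=EMEA,dc=example,dc=com")
    results["after_move_old_dn"] = simple_bind(moved, "uid", people, "alice", "alice-pw")
    results["after_move_new_dn"] = simple_bind(
        moved, "uid", "ou=People,ou=EMEA,dc=example,dc=com", "alice", "alice-pw")
    return results


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:24s} {'authenticated' if ok else 'FAILED'}")
```

The "after_move_old_dn" scenario is the failure mode the moving-branches section warns about: the users' passwords are unchanged, but a FortiGate still configured with ou=People,dc=example,dc=com cannot authenticate anyone until its Distinguished Name is updated. The "regular_bad_svc_pw" scenario shows the other common silent failure, a service-account password that no longer matches; it rejects every user before the search runs, which looks identical to a wrong user password from the user's side.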
FortiAuthenticator Agents
FortiAuthenticator provides multiple agents for use in two-factor authentication:
- FortiAuthenticator Agent for Microsoft Windows is a credential provider plug-in that allows the Windows login process to be enhanced with a one-time password, validated by FortiAuthenticator.
- FortiAuthenticator Agent for Outlook Web Access is a plug-in that allows the Outlook Web Access login to be enhanced with a one-time password, validated by FortiAuthenticator.
Both Agents can be downloaded from the FortiAuthenticator GUI from Authentication > FortiAuthenticator Agent.
I am trying to get users to be able to do a password change when they VPN into the network after their password expires.
One issue I am running into is on the FortiAuthenticator, under Monitor, the status of the connection only says "Joined AD" and "not connected". Do you know why?
I am experiencing the same problem