Supported versions
The FortiGate unit supports LDAP protocol functionality defined in RFC 2251: Lightweight Directory Access Protocol v3, for looking up and validating user names and passwords. FortiGate LDAP supports all LDAP servers compliant with LDAP v3, including FortiAuthenticator. In addition, FortiGate LDAP supports LDAP over SSL/TLS, which can be configured only in the CLI.
FortiGate LDAP does not support proprietary functionality, such as notification of password expiration, which is available from some LDAP servers. FortiGate LDAP does not supply information to the user about why authentication failed.
LDAP user authentication is supported for PPTP, L2TP, IPsec VPN, and firewall authentication.
However, with PPTP, L2TP, and IPsec VPN, PAP (Packet Authentication Protocol) is supported, while CHAP (Challenge Handshake Authentication Protocol) is not.
LDAP directory organization
To configure your FortiGate unit to work with an LDAP server, you need to understand the organization of the information on the server.
The top of the hierarchy is the organization itself. Usually this is defined as Domain Component (DC), a DNS domain. If the name contains a dot, such as example.com, it is written as two parts separated by a comma: dc=example,dc=com.
In this example, Common Name (CN) identifiers reside at the Organization Unit (OU) level, just below DC. The Distinguished Name (DN) is ou=People,dc=example,dc=com.
LDAP object hierarchy
In addition to the DN, the FortiGate unit needs an identifier for the individual person. Although the FortiGate unit GUI calls this the Common Name (CN), the identifier you use is not necessarily CN. On some servers, CN is the full name of a person. It might be more convenient to use the same identifier used on the local computer network. In this example, User ID (UID) is used.
Locating your identifier in the hierarchy
You need to determine the levels of the hierarchy from the top to the level that contain the identifier you want to use. This defines the DN that the FortiGate unit uses to search the LDAP database. Frequently used distinguished name elements include:
- uid (user identification)
- pw (password)
- cn (common name)
- ou (organizational unit)
- o (organization)
- c (country)
One way to test this is with a text-based LDAP client program. For example, OpenLDAP includes a client, ldapsearch, that you can use for this purpose. Enter the following at the command line:
ldapsearch -x ‘(objectclass=*)’
The output is lengthy, but the information you need is in the first few lines:
version: 2
#
# filter: (objectclass=*)
# requesting: ALL
dn: dc=example,dc=com dc: example objectClass: top objectClass: domain
dn: ou=People,dc=example,dc=com ou: People
objectClass: top
objectClass: organizationalUnit
…
dn: uid=tbrown,ou=People,dc=example,dc=com uid: tbrown
cn: Tom Brown
In the output above, you can see tbrown (uid) and Tom Brown(cn). Also note the dn is ou=People, dc=example, dc=com.
Configuring the FortiGate unit to use an LDAP server
After you determine the common name and distinguished name identifiers and the domain name or IP address of the LDAP server, you can configure the server on the FortiGate unit. The maximum number of remote LDAP servers that can be configured is 10.
One or more servers must be configured on FortiGate before remote users can be configured. To configure remote users, see Local and remote users on page 475.