Configuring the FortiGate unit to use an LDAP server

After you determine the common name and distinguished name identifiers and the domain name or IP address of the LDAP server, you can configure the server on the FortiGate unit. The maximum number of remote LDAP servers that can be configured is 10.

One or more servers must be configured on FortiGate before remote users can be configured. To configure remote users, see Local and remote users on page 54.

To configure the FortiGate unit for LDAP authentication – web-based manager:

  1. Go to User & Device > LDAP Servers and select Create New.
  2. Enter a Name for the LDAP server.
  3. In Server Name/IP enter the server’s FQDN or IP address.
  4. If necessary, change the Server Port. The default is port 389.
  5. Enter the Common Name Identifier (20 characters maximum).

cn is the default, and is used by most LDAP servers.

  6. In the Distinguished Name field, enter the base distinguished name for the server using the correct X.500 or LDAP format.

The FortiGate unit passes this distinguished name unchanged to the server, so a malformed DN is not caught until the server rejects it. The maximum number of characters is 512.

If you don’t know the distinguished name, leave the field blank and select the Query icon to the right of the field. See Using the Query icon below.

  7. In Bind Type, select Regular.
  8. In User DN, enter the LDAP administrator’s distinguished name.
  9. In Password, enter the LDAP administrator’s password.
  10. Select OK.

To verify your Distinguished Name field is correct, you can select the Test button. If your DN field entry is valid, you will see the part of the LDAP database it defines. If your DN field entry is not valid, it will display an error message and return no information.

For detailed information about configuration options for LDAP servers, see the Online Help on your FortiGate unit or the FortiGate CLI Reference.

To configure the FortiGate unit for LDAP authentication – CLI example:

config user ldap
    edit ourLDAPsrv
        set server 10.11.101.160
        set cnid cn
        set dn cn=users,dc=office,dc=example,dc=com
        set type regular
        set username cn=administrator,cn=users,dc=office,dc=example,dc=com
        set password w5AiGVMLkgyPQ
        set password-expiry-warning enable
        set password-renewal enable
    next
end

password-expiry-warning and password-renewal

When an SSL VPN user authenticates against an LDAP server, FortiOS can relay any pending password expiry or renewal warning that the server returns. When such a warning exists, the SSL VPN user sees a prompt allowing them to change their password.

password-expiry-warning allows FortiOS to detect from the LDAP server when a password is expiring or has expired using server controls or error codes.

password-renewal allows FortiOS to perform the online LDAP password renewal operations the LDAP server expects.

On an OpenLDAP server, when a user attempts to logon with an expired password they are allowed to logon but only to change their password.

When changing passwords on a Windows AD system, the connection must be SSL-protected (set secure ldaps or set secure starttls in the CLI): Active Directory refuses password changes over a clear-text LDAP session, so password-renewal has no effect on an unencrypted connection.

UPN processing method and filter name

The following CLI commands, available under config user ldap, let you choose whether the domain part of a UPN (the @domain suffix in user@domain) is kept or stripped from the account key before the search, and which attribute name is used to search for this kind of UPN.

CLI syntax:

config user ldap
    edit <name>
        set account-key-processing {same | strip}
        set account-key-name <string>
    next
end
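The two places where a typo or a hostile input bites in the procedure above are the base DN (which the FortiGate forwards unchanged, so nothing validates it until the server rejects it) and the search filter the unit composes from the Common Name Identifier and the login name after account-key-processing has kept or stripped the UPN domain. The following pre-flight script is an added example, not FortiOS code or anything from this blog: it parses a DN per RFC 4514, composes the (cnid=login) filter with RFC 4515 escaping so a login such as `admin)(cn=*` cannot rewrite the filter, and flags an entry that leaves `set secure` at its default (clear-text LDAP) while password-renewal is enabled. The function names, the config dict layout and the wording of the findings are this example's own; the sample values are the ones from the CLI example above.

```python
"""Pre-flight checks for a FortiGate 'config user ldap' entry (added example, not FortiOS code).

Models what the unit does with the form values: the base DN goes to the server
unchanged (so it must be well-formed and at most 512 characters) and the login
name is joined with the Common Name Identifier into a search filter after
account-key-processing has kept ("same") or stripped ("strip") a UPN's @domain.
"""
import re

# RFC 4514 attribute type: a descriptor such as cn / dc / ou, or a dotted OID.
ATTR_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*")

# RFC 4515: only these characters can change the meaning of an assertion value
# inside a search filter, so each is replaced by its hex escape.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def normalize_account_key(login: str, processing: str = "same") -> str:
    """account-key-processing: 'same' keeps user@domain as typed, 'strip' drops the @domain part."""
    if processing not in ("same", "strip"):
        raise ValueError("account-key-processing must be 'same' or 'strip'")
    return login.split("@", 1)[0] if processing == "strip" else login


def build_search_filter(cnid: str, login: str, processing: str = "same") -> str:
    """Compose the (cnid=login) filter the unit searches for under the base DN."""
    if len(cnid) > 20 or not ATTR_TYPE.fullmatch(cnid):
        raise ValueError("Common Name Identifier must be an attribute name of at most 20 characters")
    return f"({cnid}={escape_filter_value(normalize_account_key(login, processing))})"


def _split_unescaped(text: str, sep: str) -> list[str]:
    """Split on sep, keeping backslash-escaped separators (RFC 4514) inside the parts."""
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):   # keep the escape pair intact
            current.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(text[i])
        i += 1
    parts.append("".join(current))
    return parts


def parse_dn(dn: str) -> list[list[tuple[str, str]]]:
    """Parse an X.500/LDAP string DN into RDNs of (attribute, value) pairs.

    Raises ValueError for what a directory server would reject, so the mistake
    is caught before the FortiGate forwards the DN unchanged.
    """
    if len(dn) > 512:
        raise ValueError("FortiOS limits the Distinguished Name field to 512 characters")
    if not dn.strip():
        raise ValueError("empty DN")
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr, eq, value = ava.partition("=")
            attr, value = attr.strip(), value.strip()
            if not eq or not ATTR_TYPE.fullmatch(attr) or not value:
                raise ValueError(f"RDN {ava.strip()!r} is not in attribute=value form")
            avas.append((attr, value))
        rdns.append(avas)
    return rdns


def preflight(cfg: dict) -> list[str]:
    """Check one LDAP server entry; returns a list of findings (empty means clean)."""
    findings = []
    parse_dn(cfg["dn"])                          # base DN must be well-formed
    if cfg.get("type") == "regular":
        parse_dn(cfg["username"])                # regular bind needs a full bind DN
        if not cfg.get("password"):
            findings.append("bind type regular but no password set")
    build_search_filter(cfg["cnid"], "probe")    # validates the cnid attribute name
    if cfg.get("secure", "disable") == "disable":   # FortiOS default: plain LDAP
        findings.append(f"LDAP to port {cfg['port']} without STARTTLS/LDAPS: "
                        "bind DN and password cross the network in clear text")
        if cfg.get("password-renewal") == "enable":
            findings.append("password-renewal enabled on a clear-text session: Active Directory "
                            "rejects password changes unless the connection is TLS-protected")
    return findings


# The page's CLI example as a dict; 'secure' is the FortiOS option the example leaves at its default.
EXAMPLE_CFG = {
    "name": "ourLDAPsrv", "server": "10.11.101.160", "port": 389,
    "cnid": "cn", "dn": "cn=users,dc=office,dc=example,dc=com",
    "type": "regular", "username": "cn=administrator,cn=users,dc=office,dc=example,dc=com",
    "password": "w5AiGVMLkgyPQ", "password-renewal": "enable", "secure": "disable",
}

if __name__ == "__main__":
    for finding in preflight(EXAMPLE_CFG):
        print("WARNING:", finding)
    print(build_search_filter("cn", "jsmith@office.example.com", "strip"))  # (cn=jsmith)
    print(build_search_filter("cn", "admin)(cn=*"))                          # (cn=admin\29\28cn=\2a)
```

Run it against the entry before you commit it on the unit: the DN check catches the missing `=` or stray separator that the Test button would otherwise report only as a bare error, and the two `secure` findings are the ones that matter for a regular bind, since the administrator DN and password in that entry are sent on every authentication.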

Using the Query icon

The LDAP Distinguished Name Query list displays the LDAP directory tree for the LDAP server connected to the FortiGate unit. This helps you to determine the appropriate entry for the DN field. To see the distinguished name associated with the Common Name identifier, select the Expand icon next to the CN identifier. Select the DN from the list. The DN you select is displayed in the Distinguished Name field. Select OK and the Distinguished Name you selected will be saved in the Distinguished Name field of the LDAP Server configuration.

To see the users within the LDAP Server user group for the selected Distinguished Name, expand the Distinguished Name in the LDAP Distinguished Name Query tree.

LDAP server Distinguished Name Query tree

Non-blocking LDAP authentication

To support non-blocking LDAP authentication, fnbamd will create its own event-driven connection with LDAP servers over LDAP/LDAPS/STARTTLS, make it non-blocking, do CRL checking if necessary, and compose all LDAP requests using liblber (including bind, unbind, search, password renewal, password query, send request and receive response, and parse response). The whole process is done in one connection.

This doesn’t change the OpenLDAP implementation itself; it only moves some data structure and API definitions from internal header files to public header files so fnbamd can use them.

This entry was posted in FortiGate, FortiOS 5.6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
