Configuring the FortiGate unit to use an LDAP server
After you determine the common name identifier, the base distinguished name, and the domain name or IP address of the LDAP server, you can configure the server on the FortiGate unit. A maximum of 10 remote LDAP servers can be configured.
One or more servers must be configured on the FortiGate unit before remote users can be configured. To configure remote users, see Local and remote users on page 54.
To configure the FortiGate unit for LDAP authentication – web-based manager:
- Go to User & Device > LDAP Servers and select Create New.
- Enter a Name for the LDAP server.
- In Server Name/IP enter the server’s FQDN or IP address.
- If necessary, change the Server Port. The default is port 389 (port 636 is the conventional port when the connection is LDAPS).
- Enter the Common Name Identifier (20 characters maximum).
cn is the default and is used by most LDAP servers. Active Directory deployments commonly use sAMAccountName instead, so that users log in with their account name rather than their display name.
- In the Distinguished Name field, enter the base distinguished name for the server using the correct X.500 or LDAP format.
The FortiGate unit passes this distinguished name unchanged to the server. The maximum number of characters is 512.
If you don’t know the distinguished name, leave the field blank and select the Query icon to the right of the field. See Using the Query icon on page 40.
- In Bind Type, select Regular.
- In User DN, enter the distinguished name of the account the FortiGate unit binds with. This account only needs permission to search the directory; do not use a domain administrator account when a read-only service account will do.
- In Password, enter that account's password.
- Select OK.
To verify that your Distinguished Name field is correct, select the Test button. If the DN is valid, you will see the part of the LDAP directory it defines. If it is not valid, an error message is displayed and no information is returned.
For detailed information about configuration options for LDAP servers, see the Online Help on your FortiGate unit or the FortiGate CLI Reference.
To configure the FortiGate unit for LDAP authentication – CLI example:
config user ldap
    edit ourLDAPsrv
        set server 10.11.101.160
        set cnid cn
        set dn cn=users,dc=office,dc=example,dc=com
        set type regular
        set username cn=administrator,cn=users,dc=office,dc=example,dc=com
        set password w5AiGVMLkgyPQ
        set password-expiry-warning enable
        set password-renewal enable
end
password-expiry-warning and password-renewal
When an SSL VPN user authenticates against an LDAP server, FortiOS can relay any pending password expiry or renewal warning from that server. When such a warning exists, the SSL VPN user is shown a prompt that lets them change their password.
password-expiry-warning allows FortiOS to detect, from the server controls or error codes the LDAP server returns, that a password is about to expire or has expired.
password-renewal allows FortiOS to perform the online password renewal operation the LDAP server expects.
On an OpenLDAP server, a user who attempts to log on with an expired password is allowed to log on, but only to change the password.
When changing passwords on a Windows AD server, the connection to the server must be SSL-protected (on the FortiGate unit, set secure ldaps together with the server port changed to 636): AD rejects password modifications sent over an unencrypted connection.
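The two mechanisms mentioned above, a server control and an error code, look quite different on the wire. The following is an added example, not FortiOS code, showing how a client can interpret both: it decodes the Password Policy response control value (OID 1.3.6.1.4.1.42.2.27.8.5.1) that an OpenLDAP server running the ppolicy overlay attaches to a bind result, and parses the "data <code>" sub-code Active Directory places in the diagnostic message of a failed bind. The sample control bytes and AD messages are constructed for the example, and the seven-day warning window is an assumed default, not a FortiOS setting.

```python
"""Interpret how an LDAP server reports password expiry to a client.

Added example, not FortiOS code. Decodes (a) the ppolicy response control
value sent by OpenLDAP and (b) the AD 'data <code>' bind diagnostic.
"""
import re

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# ENUMERATED values of the ppolicy 'error' field (draft-behera-ldap-password-policy).
PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}

# Sub-codes AD appends as "AcceptSecurityContext error, data <hex>" on a failed bind.
AD_DATA_CODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon time restriction", "531": "workstation restriction",
    "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "user must change password",
    "775": "account locked out",
}


def _tlv(buf, pos):
    """Read one BER tag/length/value at pos (short and long definite lengths)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_ppolicy_response(value):
    """Decode a PasswordPolicyResponseValue into a dict.

    Keys appear only when the server sent them:
      timeBeforeExpiration / graceAuthNsRemaining (int), error (str).
    """
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("ppolicy response is not a SEQUENCE")
    out, pos = {}, 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:                      # warning [0] CHOICE, constructed
            ctag, num, _ = _tlv(inner, 0)
            key = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}[ctag]
            out[key] = int.from_bytes(num, "big", signed=True)
        elif tag == 0x81:                    # error [1] ENUMERATED, primitive
            out["error"] = PPOLICY_ERRORS.get(int.from_bytes(inner, "big", signed=True), "unknown")
        else:
            raise ValueError("unexpected tag 0x%02x in ppolicy response" % tag)
    return out


_AD_DATA = re.compile(r"AcceptSecurityContext error, data ([0-9a-f]+)", re.I)


def ad_bind_failure_reason(diagnostic_message):
    """Map an AD bind diagnostic message to a reason string, or None if no AD code is present."""
    m = _AD_DATA.search(diagnostic_message)
    if not m:
        return None
    return AD_DATA_CODES.get(m.group(1).lower(), "unknown AD code " + m.group(1))


def password_state(result_code, diagnostic_message="", ppolicy_value=None, warn_within=7 * 86400):
    """Collapse a bind result into one of: ok, expiring, must_change, expired, failed.

    result_code 0 is LDAP success and 49 is invalidCredentials. warn_within is
    the expiry warning window in seconds (an assumed default for this example).
    """
    ctl = decode_ppolicy_response(ppolicy_value) if ppolicy_value else {}
    err = ctl.get("error")
    if err == "passwordExpired":
        return "expired"
    # OpenLDAP lets the bind succeed on a grace login or after an admin reset,
    # but the account may only change its password until it does so.
    if err == "changeAfterReset" or "graceAuthNsRemaining" in ctl:
        return "must_change"
    if result_code == 0:
        secs = ctl.get("timeBeforeExpiration")
        return "expiring" if secs is not None and secs <= warn_within else "ok"
    ad = ad_bind_failure_reason(diagnostic_message)
    if ad == "password expired":
        return "expired"
    if ad == "user must change password":
        return "must_change"
    return "failed"
```

Note that AD only reports 532 and 773 when the bind fails; a successful AD bind carries no expiry warning, so an "expiring soon" notice for AD users has to come from reading the account's password attributes separately. OpenLDAP, by contrast, returns the warning on a successful bind, which is the case the page describes.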
UPN processing method and filter name
The following CLI commands, available under config user ldap, let you keep or strip the domain string of the UPN carried in the token, and set the attribute name used to search for this kind of UPN.
CLI syntax:
config user ldap
    edit <name>
        set account-key-processing {same | strip}
        set account-key-name <attribute>
end
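As an added illustration that is not FortiOS code, the following script models what the two settings change in the user lookup: account-key-processing decides whether the domain suffix of the UPN is kept (same) or dropped (strip) before the search, and account-key-name is the attribute the resulting value is matched against. Because the UPN comes from outside the firewall, the example also escapes it as an RFC 4515 filter value so that it cannot alter the filter. The attribute names and the constructed UPNs are this example's assumptions, as is the choice of a subtree search under the configured dn.

```python
"""Model of the LDAP user lookup for a UPN-style account key.

Added example, not FortiOS code. Shows the effect of account-key-processing
(same | strip) and account-key-name on the search, with RFC 4515 escaping.
"""

# RFC 4515 filter-value escaping; the UPN is attacker-influenced input.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a string so it is matched literally inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def account_key(upn, processing):
    """Apply account-key-processing to the UPN taken from the token."""
    if processing not in ("same", "strip"):
        raise ValueError("account-key-processing must be 'same' or 'strip'")
    if processing == "strip":
        return upn.partition("@")[0]     # UPN prefix may not contain '@'
    return upn


def build_user_search(cfg, upn):
    """Return (base_dn, scope, filter) for the search a client would issue.

    cfg mirrors the relevant 'config user ldap' settings as a dict:
    dn, account-key-processing, account-key-name.
    """
    key = account_key(upn, cfg["account-key-processing"])
    if not key:
        raise ValueError("empty account key after processing %r" % upn)
    filt = "(%s=%s)" % (cfg["account-key-name"], escape_filter_value(key))
    return (cfg["dn"], "subtree", filt)


if __name__ == "__main__":
    base = "cn=users,dc=office,dc=example,dc=com"   # dn from the CLI example above
    strip_cfg = {"dn": base, "account-key-processing": "strip",
                 "account-key-name": "sAMAccountName"}        # assumed attribute
    same_cfg = {"dn": base, "account-key-processing": "same",
                "account-key-name": "userPrincipalName"}      # assumed attribute
    print(build_user_search(strip_cfg, "jsmith@office.example.com"))
    print(build_user_search(same_cfg, "jsmith@office.example.com"))
    # A hostile UPN is searched for literally instead of widening the filter.
    print(build_user_search(strip_cfg, "*)(objectClass=*"))
```

Two practical consequences follow from the model. With strip, jsmith@office.example.com and jsmith@other.example.com collapse to the same key, so only use strip when every domain that can issue a token maps to the one directory subtree under dn. With same, the attribute named in account-key-name must actually hold the full UPN (on Active Directory that is userPrincipalName), otherwise every lookup fails.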
Using the Query icon
The LDAP Distinguished Name Query list displays the directory tree of the LDAP server connected to the FortiGate unit, which helps you determine the appropriate entry for the DN field. To see the distinguished names below the Common Name identifier, select the Expand icon next to the CN identifier, then select the DN you want from the list. Select OK and the selected DN is saved in the Distinguished Name field of the LDAP server configuration.
To see the users within the LDAP server user group for the selected Distinguished Name, expand that Distinguished Name in the LDAP Distinguished Name Query tree.
LDAP server Distinguished Name Query tree
Non-blocking LDAP authentication
To support non-blocking LDAP authentication, fnbamd creates its own event-driven, non-blocking connection to the LDAP server over LDAP, LDAPS or STARTTLS, performs CRL checking if necessary, and composes all LDAP requests with liblber (bind, unbind, search, password renewal and password query, including sending the request, receiving the response and parsing it). The whole exchange takes place over that one connection.
This does not change the OpenLDAP implementation itself; it only moves some data structure and API definitions from internal header files to public header files.