Example — wildcard admin accounts – CLI
A wildcard admin account is an administrator account with the wildcard option enabled. This option allows multiple different remote administration accounts to match one local administration account, avoiding the need to set up individual admin accounts on the FortiGate unit. Instead multiple LDAP admin accounts will all be able to use one FortiGate admin account.
The initial benefit of wildcard admin accounts is fast configuration of the FortiGate unit’s administration account to work with your LDAP network. The many to one ratio saves on effort, and potential errors.
The ongoing benefit is that as long as the users on the LDAP system belong to that group, and the test admin user settings don’t change on the FortiGate unit, no other work is required. This point is important as it can help avoid system updates or changes that would otherwise require changes to the LDAP administrator account configuration. Even if a user is added to or removed from the LDAP group, no changes are required on the FortiGate unit.
Two potential issues with wildcard admin accounts are that multiple users may be logged on to the same account at the same time. This becomes an issue if they are changing the same information at the same time. The other potential issue is that security is reduced because multiple people have login access for the same account. If each user was assigned their own account, a hijacking of one account would not affect the other users.
Note that wildcard admin configuration also applies to RADIUS. When configuring for RADIUS, configure the RADIUS server, and RADIUS user group instead of LDAP. When using web-based management, wildcard admin is the only type of remote administrator account that does not require you to enter a password on account creation. That password is normally used when the remote authentication server is unavailable during authentication.
In this example, default values are used where possible. If a specific value is not mentioned, it is set to its default value.
Configuring the LDAP server
The important parts of this configuration are the username and group lines. The username is the domain administrator account. The group binding allows only the group with the name GRP to access.
To configure LDAP server – CLI:
config user ldap edit “ldap_server” set server “192.168.201.3” set cnid “sAMAccountName” set dn “DC=example,DC=com,DC=au”
set type regular
set username “CN=Administrator,CN=Users,DC=example,DC=COM” set password *
set group-member-check group-object set group-object-filter (&
(objectcategory=group)member=”CN=GRP,OU=training,DC=example,DC=COM”)) next
end
To configure the user group and add the LDAP server – CLI:
config user group edit “ldap_grp” set member “ldap” config match
edit 1 set server-name “ldap_server”
set group-name “CN=GRP,OU=training,DC=example,DC=COM”
next
end
next end
Configuring the admin account
The wildcard part of this example is only available in the CLI for admin configuration. When enabled, this allows all LDAP group members to login to the FortiGate unit without the need to create a separate admin account for each user. In effect the members of that group will each be able to login as “test”.
To configure the admin account – CLI:
config system admin edit “test” set remote-auth enable set accprofile “super_admin” set wildcard enable set remote-group “ldap_grp”
next
end
For troubleshooting, test that the admin account is operational, and see Troubleshooting LDAP on page 44.