Cookbook

6.2.0

Configuring an LDAP server

You can use the GUI or CLI console to configure an LDAP server in System Settings.

Requirements
  • The LDAP server is ready and accessible
  • The group members are configured properly
To configure an LDAP server with the GUI:
  1. Go to System Settings > Remote Authentication Server.
  2. Click Create New > LDAP Server.
  3. Configure the LDAP server settings, and then click OK.

    Name

    Enter a name to identify the LDAP server.

    Server Name/IP

    Enter the IP address or fully qualified domain name of the LDAP server.

    Port

    Enter the port for LDAP traffic. The default port is 389.

    Common Name Identifier

    The common name identifier for the LDAP server. Most LDAP servers use cn. However, some servers use other common name identifiers such as UID.

    Distinguished Name

    The distinguished name is used to look up entries on the LDAP server.

    The distinguished name reflects the hierarchy of LDAP database object classes above the common name identifier. Clicking the query distinguished name icon will query the LDAP server for the name and open the LDAP Distinguished Name Query window to display the results.

    Bind Type

    Select the type of binding for LDAP authentication: Simple, Anonymous, or Regular.

    User DN

    When the Bind Type is set to Regular, enter the user DN.

    Password

    When the Bind Type is set to Regular, enter the password.

    Secure Connection

    Select to use a secure LDAP server connection for authentication.

    Protocol

    When Secure Connection is enabled, select either LDAPS or STARTTLS.

    Certificate

    When Secure Connection is enabled, select the certificate from the dropdown list.

    Administrative Domain

    Choose the ADOMs that this server will be linked to for reporting: All ADOMs (default), or Specify for specific ADOMs.

    Advanced Options

    adom-attr

    Specify an attribute for the ADOM.

    attributes

    Specify the attributes such as member, uniquemember, or memberuid.

    connect-timeout

    Specify the connection timeout in milliseconds.

    filter

    Specify the filter in the format (objectclass=*).

    group

    Specify the name of the LDAP group.

    memberof-attr

    Specify the value for this attribute. The value must match the group's attribute on the LDAP server. All users in the LDAP group whose attribute matches memberof-attr inherit the administrative permissions specified for this group.

    profile-attr

    Specify the attribute for this profile.

    secondary-server

    Specify a secondary server.

    tertiary-server

    Specify a tertiary server.

To configure an LDAP server with the CLI console:

Click the CLI Console icon on the right side of the banner on any page.

The following script demonstrates how to create an LDAP server with the CLI console:

    config system admin ldap
    (ldap)# edit ldap1
    (ldap1)# get
    name : ldap1
    server : 10.2.129.132
    secondary-server : (null)
    tertiary-server : (null)
    cnid : cn
    dn : ou=groups,dc=fortinet,dc=com
    port : 389
    type : regular
    username : cn=admin,dc=fortinet,dc=com
    password : *
    memberof-attr : (null)
    profile-attr : (null)
    adom-attr : (null)
    group : (null)
    filter : (objectclass=*)
    attributes : uniquemember
    secure : disable
    connect-timeout : 500
    adom:
    == [ all_adoms ]
    adom-name: all_adoms
    (ldap1)# end
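The `get` output above can be audited offline for the settings that matter most when the bind account is used for administrator authentication. The following Python is an added example, not code from the Fortinet cookbook; it parses a constructed copy of the page's sample output and flags a cleartext regular bind and an incomplete group mapping (the group/memberof-attr pairing is an assumption drawn from the page's description of memberof-attr).

```python
import re

# Constructed sample: the `get` output from this page, including the
# adom sub-table lines that the parser has to skip over.
SAMPLE_GET_OUTPUT = """\
name : ldap1
server : 10.2.129.132
dn : ou=groups,dc=fortinet,dc=com
port : 389
type : regular
username : cn=admin,dc=fortinet,dc=com
password : *
memberof-attr : (null)
group : (null)
filter : (objectclass=*)
secure : disable
adom:
== [ all_adoms ]
adom-name: all_adoms
"""

KEY_VALUE = re.compile(r"^\s*([\w-]+)\s*:\s*(.*?)\s*$")

def parse_get_output(text):
    """Map 'key : value' lines to a dict; '(null)' and empty values become None."""
    settings = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if not m:
            continue  # '== [ all_adoms ]' and prompt lines carry no setting
        settings[m.group(1)] = None if m.group(2) in ("", "(null)") else m.group(2)
    return settings

def audit_ldap_settings(settings):
    """Return findings for settings that weaken an admin-auth LDAP bind."""
    findings = []
    if settings.get("secure") == "disable":
        findings.append("secure=disable: the bind and group lookups travel in cleartext")
        if settings.get("type") == "regular":
            findings.append("regular bind without TLS exposes the bind account password")
    # Assumption from the page's description of memberof-attr: group-based
    # permission mapping needs both group and memberof-attr to be set.
    if settings.get("group") and not settings.get("memberof-attr"):
        findings.append("group is set but memberof-attr is null; group mapping is incomplete")
    return findings

if __name__ == "__main__":
    for finding in audit_ldap_settings(parse_get_output(SAMPLE_GET_OUTPUT)):
        print(finding)
```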
