LDAP service

LDAP is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, and printers. LDAP consists of a data-representation scheme, a set of defined operations, and a request/response network protocol.

In the LDAP protocol there are a number of operations a client can request such as search, compare, and add or delete an entry. Binding is the operation where the LDAP server authenticates the user. If the user is successfully authenticated, binding allows the user access to the LDAP server based on the user’s permissions.

General

To configure general LDAP service settings, go to Authentication > LDAP Service > General.

LDAP Server Settings
  LDAP server certificate: Select the certificate that the LDAP server will present from the dropdown menu.
  Certificate authority type: Select either Local CA or Trusted CA.
  CA certificate that issued the server certificate: Select the CA certificate that issued the server certificate from the dropdown menu.
  LDAP User Auto Provisioning: Enable this feature to specify how users can be automatically provisioned into LDAP.

Select OK to apply any changes that you have made.

Directory tree overview

The LDAP tree defines the hierarchical organization of user account entries in the LDAP database. The FortiGate unit requesting authentication must be configured to address its request to the right part of the hierarchy.

An LDAP server’s hierarchy often reflects the hierarchy of the organization it serves. The root represents the organization itself, usually defined as Domain Component (DC), a DNS domain, such as example.com (as the name contains a dot, it is written as two parts separated by a comma: dc=example,dc=com). Additional levels of hierarchy can be added as needed; these include:

  • Country (c)
  • User Group (cn)
  • Local User (uid)
  • Organization (o)
  • Organizational Unit (ou)

The user account entries relevant to user authentication will have element names such as UID or CN (the user's name). Each can be placed at its appropriate place in the hierarchy.

Complex LDAP hierarchies are more common in large organizations where users in different locations and departments have different access rights. For basic authenticated access to your office network or the Internet, a much simpler LDAP hierarchy is adequate.

The following is a simple example of an LDAP hierarchy in which all user account entries reside at the OU level, just below DC.

When requesting authentication, an LDAP client, such as a FortiGate unit, must specify the part of the hierarchy where the user account record can be found. This is called the distinguished name (DN). In the above example, DN is ou=People,dc=example,dc=com.

The authentication request must also specify the particular user account entry. Although this is often called the common name (CN), the identifier you use is not necessarily CN. On a computer network, it is appropriate to use UID, the person’s user ID, as that is the information that they will provide at logon.

Creating the directory tree

The following sections provide a brief explanation of each part of the LDAP attribute directory, what is commonly used for representation, and how to configure it on FortiAuthenticator.

When an object name includes a space, as in Test Users, you have to enclose the text in double quotes. For example:

cn="Test Users",cn=Builtin,dc=get,dc=local

Editing the root node

The root node is the top level of the LDAP directory. There can be only one. All groups, OUs, and users branch off from the root node. Choose a DN that makes sense for your organization’s root node.

There are three common forms of DN entries:

The most common consists of one or more DC elements making up the DN. Each part of the domain has its own DC entry. This comes directly from the DNS entry for the organization. For example, for example.com, the DN entry is "dc=example,dc=com".

Another popular method is to use the company’s Internet presence as the DN. This method uses the domain name as the DN. For example, for example.com, the DN entry would be "o=example.com".

An older method is to use the company name with a country entry. For example, for Example Inc. operating in the United States, the DN would be o="Example, Inc.",c=US. This makes less sense for international companies.

When you configure FortiGate units to use FortiAuthenticator as an LDAP server, you will specify the distinguished name that you created here. This identifies the correct LDAP structure to reference.

To rename the root node:
  1. Go to Authentication > LDAP Service > Directory Tree.
  2. Select dc=example,dc=com to edit the entry.
  3. In the Distinguished Name (DN) field, enter a new name (e.g. "dc=fortinet,dc=com").
  4. Select OK to apply your changes.

If your domain name has multiple parts to it, such as shiny.widgets.example.com, each part of the domain should be entered as part of the DN, for example:

dc=shiny,dc=widgets,dc=example,dc=com

Adding nodes to the LDAP directory tree

You can add a subordinate node at any level in the hierarchy as required.

To add a node to the tree:
  1. From the LDAP directory tree, select the green plus symbol next to the DN entry where you want to add the node.
    The Create New LDAP Entry window opens.
  2. In the Class field, select the identifier to use.
    For example, to add the ou=People node from the earlier example, select Organizational Unit (ou).
  3. Select the required value from the dropdown menu, or select Create New to create a new entry of the selected class.
  4. Select OK to add the node.

Nodes can be edited after creation by selecting the edit, or pencil, icon next to the node name.

Adding user accounts to the LDAP tree

You must add user account entries at the appropriate place in the LDAP tree. These users must already be defined in the FortiAuthenticator user database. See Adding a user.

To add a user account to the tree:
  1. From the LDAP directory tree, expand nodes as needed to find the required node, then select the node’s green plus symbol.
    In the earlier example, you would do this on the ou=People node.
  2. In the Class field, select User (uid).
    The list of available users is displayed. You can choose to display them alphabetically by either user group or user.
  3. Select the required users in the Available Users box and move them to the Chosen Users box. If you want to add all local users, select Choose all below the users box.
  4. Select OK to add the user account to the tree.

You can verify your users were added by expanding the node to see their UIDs listed below it.

Moving LDAP branches in the directory tree

At times you may want to rearrange the hierarchy of the LDAP structure. For example, a department may be moved from one country to another.

While it is easy to move a branch in the LDAP tree, all systems that use this information will need to be updated to the new structure or they will not be able to authenticate users.

To move an LDAP branch:
  1. From the LDAP directory tree, select Expand All and find the branch that you want to move.
  2. Click and drag the branch from its current location to its new location.
  3. When you hover the branch over a valid location, an arrow appears to the left of the current branch to indicate where the moved branch will be inserted: it is inserted below the entry with the arrow.

Removing entries from the directory tree

Entries are added to the directory tree one at a time, each at its proper place. When removing entries, however, a single deletion can remove multiple branches at one time.

Take care not to remove more branches than you intend. Remember that all systems using this information will need to be updated to the new structure or they will not be able to authenticate users.

To remove an entry from the LDAP directory tree:
  1. From the LDAP directory tree, select Expand All and find the branch that you want to remove.
  2. Select the red X to the right of the entry name.
  3. You are prompted to confirm your deletion. The prompt lists all the entries that will be removed by this deletion. Ensure this is the level that you intend to delete.
  4. Select Yes, I’m sure to delete the entry.

If the deletion is successful, a green check appears next to the success message above the LDAP directory and the entry is removed from the tree.

Configuring a FortiGate unit for FortiAuthenticator LDAP

When you have defined the FortiAuthenticator LDAP tree, you can configure FortiGate units to access the FortiAuthenticator as an LDAP server and authenticate users.

To configure the FortiGate unit for LDAP authentication:
  1. On the FortiGate unit, go to User & Device > LDAP Servers and select Create New.
  2. Enter the following information:
    Name: Enter a name to identify the FortiAuthenticator LDAP server on the FortiGate unit.
    Server IP/Name: Enter the IP address or FQDN of FortiAuthenticator.
    Server Port: Leave at default (389).
    Common Name Identifier: Enter uid, the user ID.
    Distinguished Name: Enter the LDAP node where the user account entries can be found. For example, ou=People,dc=example,dc=com.
    Bind Type: The FortiGate unit can be configured to use one of three types of binding:

    • Simple: Bind using simple password authentication without a search.
    • Anonymous: Bind using an anonymous user search.
    • Regular: Bind using username/password and then search.

    You can use simple authentication if the user records all fall under one distinguished name (DN). If the users are under more than one DN, use the anonymous or regular type, which can search the entire LDAP database for the required username.

    If your LDAP server requires authentication to perform searches, use the regular type and provide the Username and Password.

    Secure Connection: If you select Secure Connection, you must select the LDAPS or STARTTLS protocol and the CA certificate that verifies the FortiAuthenticator device's identity. If you select the LDAPS protocol, the Server Port changes to 636.
  3. Optionally, use the Test Connectivity and Test User Credentials features. Select OK to apply your settings.
  4. Add the LDAP server to a user group. Specify that user group in identity-based security policies where you require authentication.
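To make the DN rules and the three bind types on this page concrete, here is an added Python example that is not part of the FortiAuthenticator documentation: it derives a DC-style base DN from a domain name, escapes special characters in an RDN value (the RFC 4514 backslash form a client sends on the wire; the GUI accepts the double-quoted form shown above), and models simple, anonymous and regular binds against a constructed in-memory directory. The OUs, users, passwords and the service account uid=fgt-bind are constructed sample data, and SEARCH_NEEDS_AUTH stands for a server that refuses anonymous searches.

```python
"""Added example (not from the FortiAuthenticator documentation): DN rules and
the three FortiGate bind types, modelled against a constructed in-memory directory."""
import re


def domain_to_base_dn(domain: str) -> str:
    """shiny.widgets.example.com -> dc=shiny,dc=widgets,dc=example,dc=com
    (one DC component per DNS label, as the page describes)."""
    labels = [lbl for lbl in domain.lower().strip(".").split(".") if lbl]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={lbl}" for lbl in labels)


_SPECIAL = re.compile(r'([,+"\\<>;])')   # characters RFC 4514 requires escaping


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514 backslash form).
    "Example, Inc." becomes Example\\, Inc.; an interior space as in Test Users stays."""
    out = _SPECIAL.sub(r"\\\1", value)
    if out[:1] in ("#", " "):                    # leading '#' or space
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):   # trailing space
        out = out[:-1] + "\\ "
    return out


BASE_DN = domain_to_base_dn("example.com")        # dc=example,dc=com
# Constructed sample directory: users live under two different OUs.
DIRECTORY = {
    f"ou=People,{BASE_DN}": {"objectClass": "organizationalUnit"},
    f"ou=Contractors,{BASE_DN}": {"objectClass": "organizationalUnit"},
    f"uid=jsmith,ou=People,{BASE_DN}": {"uid": "jsmith", "userPassword": "s3cret-1"},
    f"uid=tlee,ou=Contractors,{BASE_DN}": {"uid": "tlee", "userPassword": "s3cret-2"},
}
SEARCH_NEEDS_AUTH = True   # this server refuses anonymous searches (use Regular bind)
SERVICE_DN, SERVICE_PW = f"uid=fgt-bind,ou=People,{BASE_DN}", "bind-pw"   # constructed
DIRECTORY[SERVICE_DN] = {"uid": "fgt-bind", "userPassword": SERVICE_PW}


def _bind(dn: str, password: str) -> bool:
    """A bind succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password


def simple_bind(base_dn: str, cnid: str, user: str, password: str) -> bool:
    """Simple: DN = <Common Name Identifier>=<user>,<Distinguished Name>, no search.
    Only works when every user sits directly under base_dn."""
    return _bind(f"{cnid}={escape_rdn_value(user)},{base_dn}", password)


def search_bind(base_dn: str, cnid: str, user: str, password: str,
                bind_dn: str = "", bind_pw: str = "") -> bool:
    """Anonymous (no bind_dn) or Regular (bind_dn + bind_pw): search the whole
    subtree under base_dn for cnid=user, then bind as the single matching entry."""
    if not bind_dn:
        if SEARCH_NEEDS_AUTH:
            return False                   # anonymous search refused by the server
    elif not _bind(bind_dn, bind_pw):
        return False                       # service-account credentials rejected
    hits = [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base_dn) and attrs.get(cnid) == user]
    return len(hits) == 1 and _bind(hits[0], password)
```

With the Distinguished Name set to ou=People,dc=example,dc=com, a simple bind authenticates jsmith but not tlee, who lives under ou=Contractors; a regular bind against dc=example,dc=com finds both.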
