Provision the remote LDAP server on FortiAuthenticator

To provision the remote LDAP server:
  1. In FortiAuthenticator, go to Authentication > Remote Auth. Servers > LDAP, and click Create New.
  2. In the Create New LDAP Server window, set the following:
    1. Name: Enter a name, for example azure.fortixpert.com.
    2. Primary server name/IP: Enter the Secure LDAP IP.
    3. Bind type: Regular.
    4. Username/Password: Enter the username and password of an account that can access MS Azure DS to perform directory lookups. Use a dedicated account with read-only directory access for this bind, as its credentials are stored on FortiAuthenticator and used for every lookup.
    5. Base distinguished name: Leave blank for now; it is filled in with the lookup in step 5, which uses the bind credentials entered above.
  3. In the Query Elements section, set the following:
    1. Pre-defined templates: Select Microsoft Active Directory and click Apply.
    2. Force use of administrator account for group membership lookups: Enabled.
  4. In the Secure Connection section, set the following:
    1. Secure Connection: Enabled.
    2. Protocol: LDAPS.
    3. CA Certificate: Select the root CA certificate that issued the wildcard certificate uploaded to MS Azure for the Secure LDAP service. FortiAuthenticator uses this CA to verify the Secure LDAP server certificate on each connection, so the chain must match the certificate the service actually presents.
  5. Select the lookup icon next to Base distinguished name. Choose the base DN for your user accounts, for example DC=fortixpert,DC=com. Click OK.
  6. Click OK to save the remote LDAP server configuration.
To import remote user accounts:
  1. Go to Authentication > User Management > Remote Users. Confirm LDAP is selected at the top of the page, and click Import.
  2. Under Import Remote LDAP User, complete the following:
    1. Remote LDAP Server: Select the Azure remote LDAP server.
    2. Action: Select Import users, and click Go to view a list of users within your Azure directory.
    3. Select the users you wish to be able to connect to the wireless network using their Azure based account.
  3. Click OK.
To set up a remote user sync rule:
  1. Go to Authentication > User Management > Remote User Sync Rule, and click Create New.
  2. Under Create New Remote LDAP User Synchronization Rule, set the following:
    1. Name: Enter a name, for example Azure_Remote_Sync.
    2. Remote LDAP: Select your Azure remote LDAP server.
    3. Base distinguished name: This setting can be left as the default, for example DC=fortixpert,DC=com.
  3. Under Synchronization Attributes, set the following:
    1. Token-based authentication sync priorities: Enable None.
    2. Sync every: Select the sync frequency. In production environments, this should be set to 30 minutes or more depending on the number of users being synchronized.
    3. Sync as: Remote LDAP User.
    4. User role for new user imports: User.
  4. Leave all other settings in their default states, and click OK.
To create a new realm:
  1. Go to Authentication > User Management > Realms, and click Create New.
  2. Under Create New Realm, set the following:
    1. Name: Enter the realm name, for example fortixpert.com.
    2. User source: Select the remote LDAP service from the dropdown box.
  3. Click OK.
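Both the LDAP server (step 5 of the server setup) and the sync rule carry a base distinguished name, and only users whose DN sits strictly below that base are imported; a user in another forest, or the base entry itself, is never synced. Azure AD DS also returns DNs in mixed case and with escaped characters (a comma inside a CN, for example), which a naive string comparison gets wrong. The Python below is an added example, not code from the Fortinet page or from FortiAuthenticator: it parses DNs per RFC 4514 and reports which constructed sample entries a rule with a given base DN would pick up. The sample DNs, the "AADDC Users" OU and the fortixpert.com names are assumptions for illustration.

```python
"""Added example (not from the Fortinet page): decide which LDAP user DNs fall
inside the base DN that a FortiAuthenticator sync rule or LDAP server uses.
The sample entries below are constructed for illustration."""
import re

HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")   # \2c style escapes
CHAR_ESCAPE = re.compile(r"\\(.)")               # \, \+ \" style escapes


def split_dn(dn):
    """Split an RFC 4514 DN on unescaped commas; 'CN=Doe\\, John' stays whole."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def normalize_rdn(rdn):
    """Return (attribute, value) with escapes resolved and case folded.
    Active Directory treats CN/OU/DC values case-insensitively, so comparing
    folded forms avoids false mismatches such as dc=FORTIXPERT vs DC=fortixpert."""
    attr, sep, value = rdn.partition("=")
    if not sep:
        raise ValueError(f"malformed RDN: {rdn!r}")
    value = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value.strip())
    value = CHAR_ESCAPE.sub(r"\1", value)
    return attr.strip().lower(), value.lower()


def normalize_dn(dn):
    return tuple(normalize_rdn(rdn) for rdn in split_dn(dn))


def dn_in_scope(user_dn, base_dn):
    """True when user_dn is strictly below base_dn; the base entry itself is
    not a user and is excluded."""
    user, base = normalize_dn(user_dn), normalize_dn(base_dn)
    return len(user) > len(base) and user[-len(base):] == base


def select_users(entries, base_dn):
    """Return the DNs a sync rule searching base_dn would consider, in order."""
    return [dn for dn in entries if dn_in_scope(dn, base_dn)]


# Constructed sample directory entries, not data from a real tenant.
SAMPLE_ENTRIES = [
    "CN=Alice Example,OU=AADDC Users,DC=fortixpert,DC=com",
    "cn=Doe\\, John,ou=AADDC Users,dc=FORTIXPERT,dc=COM",   # escaped comma, odd case
    "CN=Svc Account,OU=Service,DC=fortixpert,DC=com",
    "CN=Bob Example,OU=Users,DC=contoso,DC=com",            # different forest
    "DC=fortixpert,DC=com",                                 # the base itself
]

if __name__ == "__main__":
    for base in ("DC=fortixpert,DC=com", "OU=AADDC Users,DC=fortixpert,DC=com"):
        print(f"base {base}:")
        for dn in select_users(SAMPLE_ENTRIES, base):
            print("  ", dn)
```

Run stand-alone it lists the entries in scope for the forest-wide base and again for a base narrowed to the users OU; the service account and the contoso.com user drop out as the base gets narrower, which is the effect of setting a tighter base DN in the sync rule than on the LDAP server object.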