Administration Guide

Configuring a FortiGate unit for FortiAuthenticator LDAP

When you have defined the FortiAuthenticator LDAP tree, you can configure FortiGate units to access the FortiAuthenticator as an LDAP server and authenticate users.

To configure the FortiGate unit for LDAP authentication:
  1. On the FortiGate unit, go to User & Device > LDAP Servers and select Create New.
  2. Enter the following information:
    Name: Enter a name to identify the FortiAuthenticator LDAP server on the FortiGate unit.
    Server IP/Name: Enter the IP address or FQDN of the FortiAuthenticator.
    Server Port: Leave at the default (389).
    Common Name Identifier: Enter uid, the user ID.
    Distinguished Name: Enter the LDAP node where the user account entries can be found. For example, ou=People,dc=example,dc=com.
    Bind Type:

    The FortiGate unit can be configured to use one of three types of binding:

    • Simple: Bind using a simple password authentication without a search.
    • Anonymous: Bind using anonymous user search.
    • Regular: Bind using username/password and then search.

    You can use simple authentication if the user records all fall under one distinguished name (DN). If the users are under more than one DN, use the anonymous or regular type, which can search the entire LDAP database for the required username.

    If your LDAP server requires authentication to perform searches, use the regular type and provide the Username and Password.

    Secure Connection: If you select Secure Connection, you must select the LDAPS or STARTTLS protocol and the CA security certificate that verifies the FortiAuthenticator device's identity. If you select the LDAPS protocol, the Server Port changes to 636.
  3. Optionally, use the Test Connectivity and Test User Credentials features. Select OK to apply your settings.
  4. Add the LDAP server to a user group. Specify that user group in identity-based security policies where you require authentication.
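The same settings entered from the FortiOS CLI, as an added example that is not part of this guide: the server object name, hostname, bind account, user group and CA certificate name are assumptions, and the cleartext form is shown beside the LDAPS form so the difference in exposure is visible.

```fortios
# Added example (not from the Fortinet guide). Object names, hostname,
# bind DN and certificate name are assumed values.

# Weak form: cleartext LDAP on port 389 with a simple bind. Every user's
# password crosses the network unencrypted and the server is not verified.
config user ldap
    edit "FAC-LDAP-plain"
        set server "fac.example.com"
        set port 389
        set cnid "uid"
        set dn "ou=People,dc=example,dc=com"
        set type simple
        set secure disable
    next
end

# Hardened form: LDAPS on port 636 with the CA certificate that issued the
# FortiAuthenticator server certificate (import it under the FortiGate
# certificate store first), and a regular bind with a dedicated search
# account that has read access to the user subtree and nothing more.
config user ldap
    edit "FAC-LDAP"
        set server "fac.example.com"
        set secure ldaps
        set port 636
        set ca-cert "FAC-CA"
        set cnid "uid"
        set dn "ou=People,dc=example,dc=com"
        set type regular
        set username "uid=fgt-bind,ou=Service,dc=example,dc=com"
        set password <bind-password>
    next
end

# Step 4: place the server in a user group that identity-based policies reference.
config user group
    edit "FAC-LDAP-Users"
        set member "FAC-LDAP"
    next
end

# CLI counterpart of Test User Credentials (use a test account, not an admin).
diagnose test authserver ldap FAC-LDAP <test-user> <test-password>
```

If the diagnose command fails only for the LDAPS object, check the CA certificate and that the hostname in `set server` matches the subject or SAN of the FortiAuthenticator certificate before falling back to port 389.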
