Obtain full user information through the MS Exchange connector

FortiGate can collect additional information about authenticated users from corporate MS Exchange servers. After a user logs in, the additional information can be viewed in various parts of the GUI.

The Exchange connector must be mapped to the LDAP server that is used for authentication.

The following attributes are retrieved:

USER_INFO_FULL_NAME	USER_INFO_COMPANY	USER_INFO_CITY
USER_INFO_FIRST_NAME	USER_INFO_DEPARTMENT	USER_INFO_STATE
USER_INFO_LAST_NAME	USER_INFO_GROUP	USER_INFO_POSTAL_CODE
USER_INFO_LOGON_NAME	USER_INFO_TITLE	USER_INFO_COUNTRY
USER_INFO_TELEPHONE	USER_INFO_MANAGER	USER_INFO_ACCOUNT_EXPIRES
USER_INFO_EMAIL	USER_INFO_STREET
USER_INFO_USER_PHOTO	USER_INFO_POST_OFFICE_BOX

This example shows the configuration and verification in the CLI.

To configure and use an Exchange connector:

1. Configure the Exchange user:

   config user exchange
       edit "exchange140"
           set server-name "W2K8-SERV1"                 
           set domain-name "FORTINET-FSSO.COM"
           set username "Administrator"
           set password **********
           set ip 10.1.100.140
           set kdc-ip "10.1.100.131"
       next
   end

   Where:

   server-name	The hostname of the Exchange server.
   domain-name	The domain name of active directory.
   username	The username that FortiGate uses to connect to the Exchange server.
   password	The password that FortiGate uses to connect to the Exchange server.
   ip	The IP address of the Exchange server.
   kdc-ip	The IP address of the Global Catalog server.

   For details about other commands, so the FortiOS CLI Reference.

2. Set the exchange server in the LDAP user:

   config user ldap
       edit "AD-ldap"
           set server "10.1.100.131"
           set server-identity-check disable
           set cnid "cn"
           set dn "dc=fortinet-fsso,dc=com"
           set type regular
           set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com"
           set password **********
           set secure ldaps
           set port 636
           set password-renewal enable
           set user-info-exchange-server "exchange140"
       next
   end

To check the collected information after the user has been authenticated:

1. In the GUI, go to Monitor > Firewall User Monitor and hover over the user name.

   

2. In the CLI, run the following command:

   # diagnose wad user info 20 test1
   'username' = 'test1'
   'sourceip' = '10.1.100.185'
   'vdom' = 'root'
   'cn' = 'test1'
   'givenName' = 'test1'
   'sn' = 'test101'
   'userPrincipalName' = 'test1@Fortinet-FSSO.COM'
   'telephoneNumber' = '604-123456'
   'mail' = 'test1@fortinet-fsso.com'
   'thumbnailPhoto' = '/tmp/wad/user_info/76665fff62ffffffffffffffffffff75ff68fffffffffa'
   'company' = 'Fortinet'
   'department' = 'Release QA'
   'memberOf' = 'CN=group321,OU=Testing,DC=Fortinet-FSSO,DC=COM'
   'memberOf' = 'CN=g1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
   'memberOf' = 'CN=group21,OU=Testing,DC=Fortinet-FSSO,DC=COM'
   'memberOf' = 'CN=group1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
   'manager' = 'CN=test6,OU=Testing,DC=Fortinet-FSSO,DC=COM'
   'streetAddress' = 'One Backend Street 1901'
   'l' = 'Burnaby'
   'st' = 'BC'
   'postalCode' = '4711'
   'co' = 'Canada'
   'accountExpires' = '9223372036854

   If the results are not as expected, use the following commands to verify what information FortiGate can collect from the Exchange server:

   diagnose test application wad 2500
   diagnose test application wad 162

   You can also enable debugging during user authentication:

   diagnose wad debug enable level verbose