Synchronizing LDAP Active Directory users to FortiToken Cloud using the two-factor filter
To synchronize Active Directory users and apply two-factor authentication using FortiToken Cloud, two-factor authentication can be enabled in the user ldap
object definition in FortiOS. By default, FortiOS retrieves all Active Directory users in the LDAP server with a valid email or mobile number (mail
and mobile
attributes), and synchronizes the users to FortiToken Cloud. Users are then created on FortiToken Cloud and activation is sent out using email or SMS.
Two-factor filters can be used to reduce the number of the Active Directory users returned, and only synchronize the users who meet the filter criteria.
config user ldap edit <name> set dn <string> set two-factor {disable | fortitoken-cloud} set two-factor-filter <string> next end
dn <string> |
Set the distinguished name used to look up entries on the LDAP server. The search for users and groups starts here based on what is defined. |
two-factor {disable | fortitoken-cloud} |
Enable/disable two-factor authentication:
|
two-factor-filter <string> |
Set the filter used to synchronize users to FortiToken Cloud. |
When configuring an LDAP connection to an Active Directory server, an administrator must provide Active Directory user credentials.
|
Two-factor filter examples
In the following examples, a user ldap
object is defined to connect to an Active Directory on a Windows server. The search will begin in the root of the fortinet-fsso.com directory.
To configure a default LDAP server configuration without a two-factor filter:
config user ldap edit "ad-ldap-auth" set server <ip_address> set cnid "cn" set dn "dc=fortinet-fsso,dc=com" set type regular set two-factor fortitoken-cloud set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com" set password ********** next end
When a two-factor filter is not used, all users in the Active Directory with a valid email or mobile number will be retrieved.
Example 1: specific users and email address with wildcard
With this two-factor-filter
, users under fortinet-fsso.com that have oliver* in their username and *fortinet* in their email will be matched.
config user ldap edit "ad-ldap-auth" set two-factor-filter "(&(SAMAccountName=oliver*)(mail=*fortinet*))" next end
Example 2: all users with matching email
With this two-factor-filter
, all users under fortinet-fsso.com with *fortinet* in their email will be matched.
config user ldap edit "ad-ldap-auth" set two-factor-filter "(&(SAMAccountName=*)(mail=*fortinet*))" next end
Example 3: all users in a group
With this two-factor-filter
, all users within the group fortinet-fsso.com > Testing > ftc-users will be matched.
config user ldap edit "ad-ldap-auth" set two-factor-filter "(&(objectCategory=Person)(sAMAccountName=*)( memberOf=cn=ftc-users,ou=Testing,dc=fortinet-fsso,DC=com))" next end
Example configuration
In this example, Active Directory users are configured to be synchronized to FortiToken Cloud. The same two-factor filter is used from example 1 and searches the Active Directory for users named oliver* with email *fortinet*.
Before configuring the FortiGate:
-
Gather the information to connect to the Active Directory server through LDAP. Include all necessary fields, such as the server IP, port, CN name identifier, DN for the start of the search, bind type, and username associated with a regular bind.
-
Consider the users or groups that require two-factor authentication and should be synchronized. If necessary, group the users under the same group in the Active Directory.
-
If using a two-factor filter, formulate the
two-factor-filter
string to limit the match. For this example,(&(SAMAccountName=oliver*)(mail=*fortinet*))
. -
Test the filter by using the FortiOS CLI to perform a quick LDAP search:
# diagnose test authserver ldap-search <server_ip> 389 "ou=Testing,dc=fortinet-fsso,DC=com" cn Administrator@fortinet-fsso.com PASSWORD 0 '(&(SAMAccountName=oliver*)(mail=*fortinet*))' 2 searching 'ou=Testing,dc=fortinet-fsso,DC=com, cn=cn' on 10.1.100.131:389 for (Administrator@fortinet-fsso.com, PASSWORD), secure(0), filter((&(SAMAccountName=oliver*)(mail=*fortinet*))), flag(0x2), page_no(0)... CN=oliver2022,OU=Testing,DC=Fortinet-FSSO,DC=COM (oliver2022, 0 entries)
The user,
oliver2022
, was found. -
Estimate how many users will be retrieved, and ensure that the FortiToken Cloud account has enough user licenses to support the number of users.
To configure Active Directory users to be synchronized to FortiToken Cloud:
-
Configure the user LDAP settings:
config user ldap edit "ad-ldap-auth" set server "10.1.100.131" set cnid "cn" set dn "dc=fortinet-fsso,dc=com" set type regular set two-factor fortitoken-cloud set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com" set password ********** set two-factor-filter "(&(SAMAccountName=oliver*)(mail=*fortinet*))" next end
-
In the background, the FortiGate FAS daemon scans the LDAP server for users to be synchronized based on the two-factor filter pattern, but will not send them to the FortiToken Cloud server yet. Optionally, verify the users that are retrieved from the Active Directory based on the filter:
# diagnose fortitoken-cloud debug enable # diagnose debug enable # diagnose fortitoken-cloud sync ... fas_sync_ftc[2788]: Sending packet to FTC server: "IP-of-FTC-server" Port: 8686(length:444) fas_sync_ftc[2792]: FTC User Sync Packet(length:444): POST /api/v1/user_sync HTTP/1.1 Host: ftc.fortinet.com Connection: keep-alive User-Agent: FortiGate-401E v7.0.6,build**** Content-Type: application/json Content-Length: 246 {"users":[{"username":"oliver2022","vdom":"vdom1","email":"o****@fortinet.com","mobile_number":"XXXXXXXXXXX","user_data":1,"action":"create"}],"sn":"FG4H1E5819900000","cluster_members":[ "FG4H1E5819900000" ],"group_name":"FGT400D","group_id":"0"} Reminder: User sync packet not actually sent out because of diagnose purpose!
As expected, only the user that matches the current filter is returned.
-
Manually trigger the synchronization process with FortiToken Cloud:
# execute fortitoken-cloud sync
The user is added to FortiToken Cloud, and an activation email or SMS message is sent to the user.
-
In FortiToken Cloud, go to Users to verify that the user was added.
If the activation email was sent, but user has not downloaded and activated the mobile token yet, a pending symbol appears in the Status column (such as for the admin, test6, and test3 users).
-
In FortiOS, add the
ad-ldap-auth
object in a user group. The user group can be used for VPN, firewall authentication, and so on.The
ldap user
object should not be used in remote LDAP user groups that require group matching because it is not supported.