
Administration Guide

Configuring an LDAP server

FortiOS can be configured to use an LDAP server for authentication.

Caution

When configuring an LDAP connection to an Active Directory server, an administrator must provide Active Directory user credentials.

To configure an LDAP server on the FortiGate:
  1. Go to User & Authentication > LDAP Servers.

  2. Click Create New.

  3. Configure the following:

    Name

    This connection name is for reference within the FortiGate only.

    Server IP/Name

    LDAP server IP address or FQDN resolvable by the FortiGate.

    Server Port

    By default, LDAP uses port 389 and LDAPS uses 636. Use this field to specify a custom port if necessary.

    Common Name Identifier

    Attribute field of the object in LDAP that the FortiGate uses to identify the connecting user. The identifier is case sensitive. Common attributes are:

    • cn (Common Name)
    • sAMAccountName (SAMAccountName)
    • uid (User ID)

    Distinguished Name

    Used to look up user account entries on the LDAP server. It reflects the hierarchy of LDAP database object classes above the CN identifier in which you are doing the lookup.

    Enter dc=COMPANY,dc=com to specify the root of the domain to include all objects.

    Enter ou=VPN-Users,dc=COMPANY,dc=com to look up users under a specific organization unit.

    Exchange server

    Enable to specify the Exchange Server connector used to collect information about authenticated users from a corporate Exchange server. See Exchange Server connector for more details.

    Bind Type

    Select one of the following options:

    • Simple: bind using simple password authentication with the client name. The LDAP server only looks up the user directly under the distinguished name (DN) and does not search the subtree.
    • Anonymous: bind using an anonymous user, and search starting from the DN and recurse over the subtrees. Many LDAP servers do not allow this.
    • Regular: bind using the username and password provided, and search starting from the DN and recurse over the subtrees.

    Username

    If using regular bind, enter a username with sufficient privileges to access the LDAP server. The following formats are supported:

    • username\administrator
    • administrator@domain
    • cn=administrator,cn=users,dc=domain,dc=com

    Password

    If using regular bind, enter the password associated with the username.

    Secure Connection

    Enable to apply security to the LDAP connection through STARTTLS or LDAPS.

    Protocol

    If Secure Connection is enabled, select STARTTLS or LDAPS. Selecting STARTTLS changes the port to 389 and selecting LDAPS changes the port to 636.

    Certificate

    Enable and select the root CA certificate so that the FortiGate will only accept a certificate from the LDAP server that is signed by this CA. The root CA certificate should be in the Remote CA Certificate store on the FortiGate.

    If this setting is not enabled (meaning that no certificate is chosen), the server certificate validation will not be performed even if Secure Connection is enabled.

    If the wrong certificate is chosen (one that is not the issuing CA of the server certificate), the LDAP connection fails.

    Server identity check

    This check verifies the server domain or IP address against the server certificate. This option is enabled by default when Certificate is chosen and it is recommended to leave it enabled for a secure configuration.

    Note

    When specifying a secure connection, there are some considerations for the certificate used by LDAP to secure the connection. The FortiGate checks the certificate presented by the LDAP server for the IP address or FQDN as specified in the Server IP/Name field with the following logic:

    • If there is a Subject Alternative Name (SAN), it will ignore any Common Name (CN) value and look for a match in any of the SAN fields.

    • If there is no SAN, it will check the CN for a match.

  4. Optionally, click Test User Credentials to ensure that the account has sufficient access rights.

  5. Click OK.

    The FortiGate checks the connection and updates the Connection Status.
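The SAN-before-CN matching rule from the note above, written out as a small function so the behaviour can be exercised against sample certificates. This is an added example, not FortiOS code: the certificate is modelled as a dict of already-parsed fields (cn, san), the sample certificates are constructed, and names are compared exactly and case-insensitively with no wildcard handling, since the page does not describe wildcards.

```python
"""Server identity check as described for the FortiGate LDAP configuration:
if the server certificate carries a Subject Alternative Name extension, the
Common Name is ignored and the configured Server IP/Name must match one of
the SAN entries; if there is no SAN, the CN is compared instead.

Added example, not FortiOS code. The certificate is a plain dict with the
already-parsed fields (assumption: real code would extract them from X.509).
Wildcards are not implemented because the page does not describe them.
"""
from __future__ import annotations

import ipaddress


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _same_ip(a: str, b: str) -> bool:
    # Normalises textual differences such as IPv6 zero compression.
    return ipaddress.ip_address(a) == ipaddress.ip_address(b)


def server_identity_check(configured: str, cert: dict) -> tuple[bool, str]:
    """Return (matched, reason). `configured` is the Server IP/Name field value."""
    target = configured.strip().rstrip(".").lower()
    san = cert.get("san", [])
    if san:
        # SAN present: the CN is ignored entirely, whatever it contains.
        for kind, value in san:
            if kind == "IP" and _is_ip(target) and _same_ip(target, value):
                return True, f"matched SAN IP {value}"
            if kind == "DNS" and not _is_ip(target) and value.rstrip(".").lower() == target:
                return True, f"matched SAN DNS {value}"
        return False, "SAN present but no entry matches; CN not consulted"
    # No SAN: fall back to the Common Name.
    cn = cert.get("cn")
    if cn is None:
        return False, "no SAN and no CN"
    if _is_ip(target) and _is_ip(cn):
        ok = _same_ip(target, cn)
    else:
        ok = cn.rstrip(".").lower() == target
    return ok, ("matched CN" if ok else "CN does not match")


# Constructed sample certificates (not real ones).
AD_CERT_WITH_SAN = {
    "cn": "dc01",  # short host name in the CN, as some AD templates produce
    "san": [("DNS", "dc01.fortiad.info"), ("IP", "10.88.0.1")],
}
LEGACY_CERT_CN_ONLY = {"cn": "ldap.fortiad.info", "san": []}


if __name__ == "__main__":
    for name, cert in (("10.88.0.1", AD_CERT_WITH_SAN),
                       ("dc01", AD_CERT_WITH_SAN),
                       ("ldap.fortiad.info", LEGACY_CERT_CN_ONLY)):
        print(name, server_identity_check(name, cert))
```

The second case in the usage block is the one worth noticing: a Server IP/Name of dc01 fails against AD_CERT_WITH_SAN even though the CN is dc01, because the presence of a SAN means the CN is never consulted.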

To configure a secure connection to the LDAP server in the GUI:
  1. Go to User & Authentication > LDAP Servers.

  2. Click Create New.

  3. Configure the following:

    Name

    LDAP-fortiad

    Server IP/Name

    10.88.0.1

    Server Port

    636

    Common Name Identifier

    sAMAccountName

    Distinguished Name

    dc=fortiad,dc=info

    Exchange server

    Disabled

    Bind Type

    Regular

    Enter the Username and Password for LDAP binding and lookup.

    Secure Connection

    Enabled

    • Set Protocol to LDAPS.

    • Enable Certificate and select the CA certificate to validate the server certificate.

    Server identity check

    Enable to verify the domain name or IP address against the server certificate.

  4. Click Test Connectivity to verify the connection to the server.

  5. Click OK.

To configure a secure connection to the LDAP server in the CLI:
config user ldap
    edit "LDAP-fortiad"
        set server "10.88.0.1"
        set cnid "sAMAccountName"
        set dn "dc=fortiad,dc=info"
        set type regular
        set username "fortiad\\Administrator"
        set password <password>
        set secure ldaps
        set ca-cert "CA_Cert_1"
        set port 636
    next
end

Note

To account for dynamic IP address changes, such as those governed by SD-WAN rules, interface names can be used to define the source IP addresses in RADIUS, LDAP, and DNS configurations using the source-ip-interface command. See Implement the interface name as the source IP address in RADIUS, LDAP, and DNS configurations.
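A small audit of config user ldap text against the settings described in this section: an entry with no Secure Connection, a secure entry with no CA certificate (so the server certificate is not validated), a disabled server identity check, and a regular bind with no username. This is an added example, not Fortinet code. The parser only understands the flat config / edit / set / next / end shape of the CLI example above; the server-identity-check keyword is assumed to be the CLI form of the GUI "Server identity check" option, the absent-secure-means-plaintext default is an assumption, and the sample configuration is constructed.

```python
"""Audit FortiOS `config user ldap` text for weak settings.

Added example, not Fortinet code. Assumptions: `server-identity-check` is the
CLI keyword for the GUI "Server identity check" option; an entry with no
`set secure` line is plaintext LDAP; the sample configuration is constructed.
"""
from __future__ import annotations

import shlex

USUAL_PORT = {"ldaps": "636", "starttls": "389"}


def parse_user_ldap(text: str) -> dict[str, dict[str, str]]:
    """Return {entry_name: {setting: value}} for every `edit` block."""
    entries: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        if words[0] == "edit" and len(words) > 1:
            current = entries.setdefault(words[1], {})
        elif words[0] == "set" and current is not None and len(words) > 2:
            current[words[1]] = " ".join(words[2:])
        elif words[0] in ("next", "end"):
            current = None
    return entries


def audit_entry(name: str, s: dict[str, str]) -> list[str]:
    findings: list[str] = []
    secure = s.get("secure", "disable")  # assumption: absent means plaintext LDAP
    if secure == "disable":
        findings.append(f"{name}: Secure Connection disabled; bind credentials travel in clear text")
    else:
        if "ca-cert" not in s:
            # Matches the Certificate field description: no CA chosen, no validation.
            findings.append(f"{name}: secure {secure} without ca-cert; server certificate is not validated")
        elif s.get("server-identity-check", "enable") == "disable":
            findings.append(f"{name}: server identity check disabled; certificate is not matched "
                            f"against {s.get('server', '<unset>')}")
        usual = USUAL_PORT.get(secure)
        if usual and s.get("port", usual) != usual:
            findings.append(f"{name}: port {s['port']} is not the usual {usual} for {secure}")
    if s.get("type") == "regular" and not s.get("username"):
        findings.append(f"{name}: regular bind without a username")
    return findings


def audit(text: str) -> dict[str, list[str]]:
    return {name: audit_entry(name, s) for name, s in parse_user_ldap(text).items()}


# Constructed sample: one plaintext entry, one LDAPS entry without a CA, one as recommended.
SAMPLE_CONFIG = r'''
config user ldap
    edit "LDAP-plain"
        set server "10.88.0.2"
        set cnid "sAMAccountName"
        set dn "dc=fortiad,dc=info"
        set type regular
        set username "fortiad\\Administrator"
        set password <password>
    next
    edit "LDAP-unverified"
        set server "10.88.0.1"
        set cnid "sAMAccountName"
        set dn "dc=fortiad,dc=info"
        set type regular
        set username "fortiad\\Administrator"
        set password <password>
        set secure ldaps
        set port 636
    next
    edit "LDAP-fortiad"
        set server "10.88.0.1"
        set cnid "sAMAccountName"
        set dn "dc=fortiad,dc=info"
        set type regular
        set username "fortiad\\Administrator"
        set password <password>
        set secure ldaps
        set ca-cert "CA_Cert_1"
        set port 636
    next
end
'''

if __name__ == "__main__":
    for entry, findings in audit(SAMPLE_CONFIG).items():
        print(entry, findings or ["ok"])
```

Running it on a configuration backup is a quick way to find LDAP entries that were enabled for LDAPS but never given a CA certificate, which is the case the Certificate field description warns about.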