Administration Guide

LDAP servers

Users can use remote authentication servers, such as an LDAP server, to connect to FortiPAM.

LDAP servers store users' information including credentials and group membership. This information can authenticate FortiPAM remote users and provide groups for authorization.

Go to LDAP servers in User Management to see a list of LDAP servers.

The LDAP server tab contains the following options:

Create

Select to create an LDAP server.

Edit

Select to edit the selected LDAP server.

Delete

Select to delete the selected LDAP server.

Search

Enter a search term in the search field, then hit Enter to search the LDAP servers list. To narrow down your search, see Column filter.

To create an LDAP server:
  1. Go to User Management > LDAP servers, and select Create.

    The New LDAP Server wizard opens.

  2. Enter the following information, and click Next after each tab:

    Set up server

    Name

    Name of the server.

    Server IP/name

    The IP address or FQDN for this remote server.

    Server Port

    The port number for LDAP traffic (default = 636).

    Common Name Identifier

    The common name identifier for the LDAP server. Most LDAP servers use cn. However, some servers use other common name identifiers such as UID. (default = cn).

    Distinguished Name

    The distinguished name is used to look up entries on the LDAP server.

    The distinguished name reflects the hierarchy of LDAP database object classes above the common name identifier.

    Secure Connection

    Enable to use a secure LDAP server connection for authentication.

    Secure LDAP (LDAPS) allows for the encryption of LDAP data in transit when a directory bind is being established, thereby protecting against credential theft.

    Note: This option is enabled by default.

    Password Renewal

    Enable to allow LDAP users to renew passwords.

    Note: This option is only available when Secure Connection is enabled.

    Note: This option is enabled by default.

    Protocol

    When Secure Connection is enabled, select either LDAPS or STARTTLS (default).

    Certificate

    When Secure Connection is enabled, select the certificate from the dropdown.

    Use the search bar to look up a certificate.

    Server Identity Check

    Enable to verify server domain name/IP address against the server certificate.

    Note: This option is only available when Secure Connection is enabled.

    Note: This option is enabled by default.

    Advanced Group Matching

    Group member check determines whether user or group objects' attributes are used for matching. Group Filter is the filter used for group matching. Member attribute is the name of the attribute from which to get the group membership.

    Depending on the LDAP server, you may need to configure additional properties to ensure LDAP groups are correctly matched.

    Note: The option is disabled by default.

    Group Member Check

    From the dropdown, select a group member check option (default = Ldap::grp::member::check:user-attr).

    Group Filter

    Enter the group filter for group matching.

    Group Search Base

    Enter the search base used for searching a group.

    Member Attribute

    Specify the name of the attribute that holds group membership. This name must match the attribute used on the LDAP server. All users in the LDAP group whose attribute value matches inherit the administrative permissions specified for this group (default = memberof).

    Authenticate

    Username

    The username.

    Password

    The password.

  3. Click Test connection to test the connection to the LDAP server.

    Test connection is only available to users who have Write permission for Ldap Servers. See Role.

    If the credentials for the server are valid, the test result shows Successful.

  4. In the Review tab, verify the information you entered and click Submit to create the LDAP server.

    Use the pen icon to edit tabs.
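The Group Member Check option above decides where membership is read from: the user object's own attribute (the default, user-attr, with Member Attribute memberof) or the group objects under Group Search Base. The following added illustration, which is not FortiPAM code, models both lookups over a constructed directory using the dc=XYZ,dc=fortinet,dc=COM base from the CLI example; the second mode name, group-object, is taken from FortiOS's group-member-check setting and is assumed here for FortiPAM.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)

def user_dn(cnid: str, username: str, base_dn: str) -> str:
    """Build the lookup DN from Common Name Identifier + Distinguished Name."""
    return f"{cnid}={username},{base_dn}"

def norm(dn: str) -> str:
    # DNs compare case-insensitively; also drop spaces after commas
    return ",".join(p.strip() for p in dn.split(",")).lower()

def in_search_base(dn: str, base: str) -> bool:
    return norm(dn) == norm(base) or norm(dn).endswith("," + norm(base))

def user_groups(user: Entry, directory: list[Entry], check: str,
                member_attr: str, search_base: str) -> set[str]:
    """Return the DNs of groups the user belongs to.
    "user-attr":    read membership from the user's own Member Attribute
                    (default memberof), no group search needed.
    "group-object": scan group objects under Group Search Base and look for
                    the user's DN in their member attribute (assumed mode name)."""
    if check == "user-attr":
        return {norm(g) for g in user.attrs.get(member_attr, [])}
    if check == "group-object":
        return {norm(e.dn) for e in directory
                if in_search_base(e.dn, search_base)
                and "group" in e.attrs.get("objectClass", [])
                and norm(user.dn) in {norm(m) for m in e.attrs.get(member_attr, [])}}
    raise ValueError(f"unknown group member check: {check}")

def is_authorized(user: Entry, directory: list[Entry], check: str,
                  member_attr: str, search_base: str, required_group: str) -> bool:
    return norm(required_group) in user_groups(user, directory, check, member_attr, search_base)

# Constructed sample directory: alice has memberof maintained, bob does not,
# but the group object lists both as members.
BASE = "dc=XYZ,dc=fortinet,dc=COM"
ALICE = Entry(user_dn("cn", "alice", BASE),
              {"objectClass": ["person"], "memberof": ["cn=pam-admins,ou=groups," + BASE]})
BOB = Entry(user_dn("cn", "bob", BASE), {"objectClass": ["person"]})
ADMINS = Entry("cn=pam-admins,ou=groups," + BASE,
               {"objectClass": ["group"], "member": [ALICE.dn, BOB.dn]})
DIRECTORY = [ALICE, BOB, ADMINS]
```

With these entries, bob is authorized only under group-object matching: a directory that does not maintain memberof on user objects silently denies him under the default user-attr check, which is the case the "additional properties" note above refers to.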

Alternatively, use CLI commands to create LDAP servers.

CLI configuration example for setting up an LDAP server and adding it to the authentication scheme:

    config user ldap
        edit <name>
            set server <server_ip>
            set cnid "cn"
            set dn "dc=XYZ,dc=fortinet,dc=COM"
            set type regular
            set username <ldap_username>
            set password <password>
        next
    end

    config authentication scheme
        edit "fortipam_auth_scheme"
            set method form
            set user-database "local-admin-db" <ldap_server_name>
        next
    end

Setting up remote LDAP authentication includes the following steps:
  1. Configuring the LDAP server. See Configuring an LDAP server.
  2. Adding the LDAP server to a user group. See User groups.
  3. Configuring the administrator account. See Creating a user.
