Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    Home FortiADC 5.4.0 Handbook
    5.4.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.1
    6.0.0
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.7

    Using an LDAP authentication server

    Using an LDAP authentication server

    Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services over a network. When using LDAP, authentication clients may send “Bind” messages to servers for authentication. Depending on the circumstances, clients may send different kinds of “Bind” messages.

    LDAP bind messages

    In a server load-balancing client authentication or admin authentication scenario, FortiADC sends binding request to the LDAP server for client authentication. Once a client is successfully authenticated, he or she can then access the LDAP server based on his or her privileges. There are three bind types: simple, anonymous, and regular.

    Simple bind

    Simple bind means binding with a client's full name. All clients must be located in the same branch specified with the DN.

    Anonymous bind

    Anonymous bind should be used only if the LDAP server allows it. The LDAP server searches for the client in the entire sub-branches, starting from the specified DN. This bind has two steps: First, FortiADC sends the binding request to specify the search entry point. Then, it sends a search request with the specified scope and filter to the LDAP server to find the given client.

    Regular bind

    Regular bind can be used when anonymous binding is not allowed on the LDAP server. Regular bind is similar to anonymous bind. The difference is in the initial step. Unlike anonymous bind, regular bind requires that FortiADC get the access privileges on the LDAP server with the specified User DN in the first step. After it has obtained the authorization, FortiADC can then move on to the second step as it does in anonymous bind.

    LDAP over SSL (LDAPS) and StartTLS

    LDAP over SSL (LDAPS) and startTLS are used to encrypt LDAP messages in the authentication process.

    LDAPS is a mechanism for establishing an encrypted SSL/TLS connection for LDAP. It requires the use of a separate port, commonly 636. StartTLS extended operation is LDAPv3 standard mechanism for enabling TLS (SSL) data confidentiality protection. The mechanism uses an LDAPv3 extended operation to establish an encrypted SSL/TLS connection within an already established LDAP connection.

    Configuring LDAP binding

    You can use an LDAP authentication server to authenticate administrator or destination server user log-ins.

    Basic steps:
    1. Configure a connection to an LDAP server that can authenticate administrator or user logins.
    2. Select the LDAP server configuration when you add administrator users or create user groups.

    Before you begin:

    • You must know the IP address and port used to access the LDAP server. You must know the CN and DN where user credentials are stored on the LDAP server.
    • You must have Read-Write permission for System settings.
    To select an LDAP server:
    1. Go to User Authentication > Remote Server.
    2. Select the LDAP Server tab.
    3. Click Create New to display the configuration editor.
    4. Complete the configuration as described in LDAP server configuration.
    5. Save the configuration.

    LDAP server configuration
    Settings Guidelines

    Name

    Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

    After you initially save the configuration, you cannot edit the name.

    Server

    IP address for the server.

    Port

    Port number for the server. The commonly used port for LDAP is 389.

    Common Name Identifier

    Common name (cn) attribute for the LDAP record. For example: cn

    Distinguished Name

    Distinguished name (dn) attribute for the LDAP record. The dn uniquely identifies a user in the LDAP directory. For example: cn=John%20Doe,dc=example,dc=com

    Bind Type
    • Simple—bind without user search. It can be used only if all the users belong to the same “branch”.
    • Anonymous—bind with user search. It can be used when users are in different “branches” and only if the server allows “anonymous search”.
    • Regular—bind with user search. It can be used when users are in different “branches” and the server does not allow “anonymous search”.

    User DN

    Available only when Bind Type is "Regular". In that case, enter the user DN.

    Password

    Available only when Bind Type is "Regular". In that case, enter the user password.

    Secure Connection
    • Disable
    • LDAPS
    • STARTTLS

    CA Profile

    This field becomes available only when Secure Connection is set to LDAPS or STARTTLS, regardless of the Bind type being selected. In that case, you can either select a CA that has already been provisioned to secure the connection. You may also leave the field blank if you do not want to secure the connection.

    Test Connectivity

    Tests the connection of the LDAP server.
    Previous
    Next

    Using an LDAP authentication server

    Using an LDAP authentication server

    Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services over a network. When using LDAP, authentication clients may send “Bind” messages to servers for authentication. Depending on the circumstances, clients may send different kinds of “Bind” messages.

    LDAP bind messages

    In a server load-balancing client authentication or admin authentication scenario, FortiADC sends binding request to the LDAP server for client authentication. Once a client is successfully authenticated, he or she can then access the LDAP server based on his or her privileges. There are three bind types: simple, anonymous, and regular.

    Simple bind

    Simple bind means binding with a client's full name. All clients must be located in the same branch specified with the DN.

    Anonymous bind

    Anonymous bind should be used only if the LDAP server allows it. The LDAP server searches for the client in the entire sub-branches, starting from the specified DN. This bind has two steps: First, FortiADC sends the binding request to specify the search entry point. Then, it sends a search request with the specified scope and filter to the LDAP server to find the given client.

    Regular bind

    Regular bind can be used when anonymous binding is not allowed on the LDAP server. Regular bind is similar to anonymous bind. The difference is in the initial step. Unlike anonymous bind, regular bind requires that FortiADC get the access privileges on the LDAP server with the specified User DN in the first step. After it has obtained the authorization, FortiADC can then move on to the second step as it does in anonymous bind.

    LDAP over SSL (LDAPS) and StartTLS

    LDAP over SSL (LDAPS) and startTLS are used to encrypt LDAP messages in the authentication process.

    LDAPS is a mechanism for establishing an encrypted SSL/TLS connection for LDAP. It requires the use of a separate port, commonly 636. StartTLS extended operation is LDAPv3 standard mechanism for enabling TLS (SSL) data confidentiality protection. The mechanism uses an LDAPv3 extended operation to establish an encrypted SSL/TLS connection within an already established LDAP connection.

    Configuring LDAP binding

    You can use an LDAP authentication server to authenticate administrator or destination server user log-ins.

    Basic steps:
    1. Configure a connection to an LDAP server that can authenticate administrator or user logins.
    2. Select the LDAP server configuration when you add administrator users or create user groups.

    Before you begin:

    • You must know the IP address and port used to access the LDAP server. You must know the CN and DN where user credentials are stored on the LDAP server.
    • You must have Read-Write permission for System settings.
    To select an LDAP server:
    1. Go to User Authentication > Remote Server.
    2. Select the LDAP Server tab.
    3. Click Create New to display the configuration editor.
    4. Complete the configuration as described in LDAP server configuration.
    5. Save the configuration.

    LDAP server configuration
    Settings Guidelines

    Name

    Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

    After you initially save the configuration, you cannot edit the name.

    Server

    IP address for the server.

    Port

    Port number for the server. The commonly used port for LDAP is 389.

    Common Name Identifier

    Common name (cn) attribute for the LDAP record. For example: cn

    Distinguished Name

    Distinguished name (dn) attribute for the LDAP record. The dn uniquely identifies a user in the LDAP directory. For example: cn=John%20Doe,dc=example,dc=com

    Bind Type
    • Simple—bind without user search. It can be used only if all the users belong to the same “branch”.
    • Anonymous—bind with user search. It can be used when users are in different “branches” and only if the server allows “anonymous search”.
    • Regular—bind with user search. It can be used when users are in different “branches” and the server does not allow “anonymous search”.

    User DN

    Available only when Bind Type is "Regular". In that case, enter the user DN.

    Password

    Available only when Bind Type is "Regular". In that case, enter the user password.

    Secure Connection
    • Disable
    • LDAPS
    • STARTTLS

    CA Profile

    This field becomes available only when Secure Connection is set to LDAPS or STARTTLS, regardless of the Bind type being selected. In that case, you can either select a CA that has already been provisioned to secure the connection. You may also leave the field blank if you do not want to secure the connection.

    Test Connectivity

    Tests the connection of the LDAP server.
    Previous
    Next