Using an LDAP authentication server
Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services over a network. When using LDAP, authentication clients may send “Bind” messages to servers for authentication. Depending on the circumstances, clients may send different kinds of “Bind” messages.
LDAP bind messages
In a server load-balancing client authentication or admin authentication scenario, FortiADC sends a bind request to the LDAP server for client authentication. Once a client is successfully authenticated, he or she can then access the LDAP server based on his or her privileges. There are three bind types: simple, anonymous, and regular.
Simple bind
Simple bind means binding directly with the client's full name (its distinguished name).
Anonymous bind
Anonymous bind should be used only if the LDAP server allows it. The LDAP server searches the entire subtree below the specified DN for the client. This bind has two steps: first, FortiADC sends the bind request to specify the search entry point; then, it sends a search request with the specified scope and filter to the LDAP server to find the given client.
Regular bind
Regular bind can be used when anonymous binding is not allowed on the LDAP server. Regular bind is similar to anonymous bind; the difference is in the initial step. Unlike anonymous bind, regular bind requires that FortiADC first obtain access privileges on the LDAP server by binding with the specified User DN. After it has obtained the authorization, FortiADC moves on to the second step, the search, exactly as it does in anonymous bind.
LDAP over SSL (LDAPS) and StartTLS
LDAP over SSL (LDAPS) and StartTLS are used to encrypt LDAP messages in the authentication process.
LDAPS is a mechanism for establishing an encrypted SSL/TLS connection for LDAP. It requires the use of a separate port, commonly 636. The StartTLS extended operation is the LDAPv3 standard mechanism for enabling TLS (SSL) data confidentiality protection. It uses an LDAPv3 extended operation to establish an encrypted SSL/TLS connection within an already established LDAP connection, on the same port as plain LDAP.
Configuring LDAP binding
You can use an LDAP authentication server to authenticate administrator or destination server user log-ins.
Basic steps:
- Configure a connection to an LDAP server that can authenticate administrator or user logins.
- Select the LDAP server configuration when you add administrator users or create user groups.
Before you begin:
- You must know the IP address or FQDN and the port used to access the LDAP server. You must know the CN and DN where user credentials are stored on the LDAP server.
- You must have Read-Write permission for System settings.
To select an LDAP server:
- Go to User Authentication > Remote Server.
- Click the LDAP Server tab.
- Click Create New to display the configuration editor.
- Complete the configuration as described in LDAP server configuration.
- Click Test Connectivity to validate the configuration.
- Save the configuration.
Settings | Guidelines
---|---
Name | Configuration name. Valid characters are After you initially save the configuration, you cannot edit the name.
Server | IP address or FQDN of the LDAP server.
Port | Port number for the server. Port 389 is typically used for non-secured connections or for StartTLS-secured connections, and port 636 is typically used for SSL-secured (LDAPS) connections.
Common Name Identifier | Enter the identifier for the common name (CN) attribute (also called the CNID) whose value is the user name. Identifiers vary based on the schema of your LDAP directory. This is often For example, in a default OpenLDAP directory, if a user object is then the CNID is
Distinguished Name | Specifies the Base DN from which the LDAP query starts. This DN is the full path in the directory to the user account objects. For example: or You can use the Fetch DN function to get the entire Directory Information Tree and select the DN of the LDAP query starting entry. Note: When using Windows Active Directory as the LDAP server, you may need to use regular bind for FortiADC to get access permission for LDAP entries when using the Fetch DN function.
Bind Type | Simple, Anonymous, or Regular; see LDAP bind messages.
User DN | Available only when Bind Type is Regular. Enter the bind DN of an LDAP user account with permissions to query the Distinguished Name (see Distinguished Name). The maximum length is 256 characters. For example: For Windows Active Directory, the UPN (User Principal Name) is often used instead of a bind DN (for example, This field can be optional if your LDAP server does not require the FortiADC appliance to authenticate when performing queries.
Password | Enter the password of the User DN.
Secure Connection | Select LDAPS or STARTTLS to encrypt LDAP messages; see LDAP over SSL (LDAPS) and StartTLS.
 | Available only when Secure Connection is set to LDAPS or STARTTLS, regardless of the Bind Type selected. Select a CA profile to verify the server certificate, or leave the field blank. For details on how to import the CA profile, see Importing CAs.
Group Authentication | Available only when Bind Type is Regular. Enable to filter the query results so that users can authenticate only if they are members of the LDAP group that you define in the Group DN field. Users that are not members of that group are not allowed to authenticate.
Group Type | Available only when Bind Type is Regular. Indicate the schema of your LDAP directory as one of the following: Windows-AD, OpenLDAP, or FortiAuthenticator (see Setting the LDAP group on the LDAP server).
Group DN | Available only when Bind Type is Regular. Enter the value of the group membership attribute that query results must have in order to be able to authenticate. For example: The value may vary based on your directory's schema. For details, see Setting the LDAP group on the LDAP server.
Setting the LDAP group on the LDAP server
Using Windows Active Directory
Set the LDAP group on the LDAP server for when the Group Type is Windows-AD.
- Open the Windows Active Directory Administrator Center and create a new group. For example, add a new group named "fortinet".
- Find the Group Distinguished Name. This value is used for the Group DN field of the FortiADC LDAP server configuration.
- Add the user to the group. Ensure you do not mark this group as the primary group for the login user. For example, add the user "fortiadc" to the group "fortinet".
- In FortiADC, configure the LDAP Group DN setting using the Distinguished Name value recorded in step 2.
FortiADC will check whether {Common Name Identifier}={login admin name} is a member of the group you specified. For example, when logging into FortiADC with the admin name "fortiadc", FortiADC checks whether cn=fortiadc is a member of the group cn=fortinet,cn=users,dc=win2019,dc=com, using the search base DN cn=users,dc=win2019,dc=com. If the entry exists, FortiADC gets the DN of the entry, cn=fortiadc,cn=users,dc=vm,dc=fadc, and binds to Windows AD with this entry and its password.
Using OpenLDAP
Set the LDAP group on the LDAP server for when the Group Type is OpenLDAP. There are two methods of adding a user to a group.
Method 1:
Create a user with the attribute gidNumber, which points to the group. Specify the GID number in the Group DN field in the FortiADC LDAP server configuration. For example: 10000.
Method 2:
Create a group and add the user as a member. Before doing this, the memberof overlay must be enabled.
The following is an example for OpenLDAP (slapd) with the MDB database installed on Ubuntu. You can follow the steps below using parameters applicable to your environment.
- Enable the memberof module with the following command (the changetype line makes the modify explicit):

```shell
ldapmodify -Y EXTERNAL -H ldapi:/// <<EOL
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof
EOL
```

- Configure OpenLDAP to use the memberof module with the following command (olcMemberOf is the object class that carries the overlay's own settings):

```shell
ldapadd -Y EXTERNAL -H ldapi:/// <<EOL
dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
EOL
```

- Restart slapd and check that the memberof module is loaded:

```shell
service slapd restart
slapcat -n 0 | grep olcModuleLoad
```

Expected output:

```
olcModuleLoad: {0}back_mdb
olcModuleLoad: {0}memberof
```

- Create the group with objectClass "groupOfNames" and add the user as a member of it. Specify the DN of the group in the Group DN field in the FortiADC LDAP server configuration. For example: cn=fortinet,ou=group,dc=fadc,dc=com
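The regular-bind flow with Group Authentication described above for Windows AD and for both OpenLDAP methods, modelled in Python against a constructed in-memory directory. This is an added illustration, not FortiADC, OpenLDAP or Windows AD code: the LDIF entries, passwords and cfg key names (user_dn, dn, cnid, group_dn, and so on) are assumptions, and the rule that a purely numeric Group DN selects the gidNumber method is a modelling choice rather than documented FortiADC behaviour. The point a practitioner should take from it is step 2: the login name is untrusted input placed inside a search filter, so it is escaped per RFC 4515 before the filter is built.

```python
import re

# Constructed sample directory in minimal LDIF (no line folding or base64),
# modelled on the page's OpenLDAP layout: a groupOfNames group "fortinet"
# whose member is the user "fortiadc". The memberOf value on the user is what
# the memberof overlay maintains (Method 2); gidNumber illustrates Method 1.
SAMPLE_LDIF = """\
dn: cn=svc-fortiadc,ou=people,dc=fadc,dc=com
objectClass: inetOrgPerson
cn: svc-fortiadc
userPassword: bind-secret

dn: cn=fortiadc,ou=people,dc=fadc,dc=com
objectClass: inetOrgPerson
cn: fortiadc
userPassword: user-secret
gidNumber: 10000
memberOf: cn=fortinet,ou=group,dc=fadc,dc=com

dn: cn=guest,ou=people,dc=fadc,dc=com
objectClass: inetOrgPerson
cn: guest
userPassword: guest-secret
gidNumber: 20000

dn: cn=fortinet,ou=group,dc=fadc,dc=com
objectClass: groupOfNames
cn: fortinet
member: cn=fortiadc,ou=people,dc=fadc,dc=com
"""


def parse_ldif(text):
    """Parse minimal LDIF into {dn (lowercased): {attr (lowercased): [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key.lower(), []).append(value)
        entries[attrs["dn"][0].lower()] = attrs
    return entries


def escape_filter_value(value):
    """RFC 4515 escaping for a value inserted into a search filter: '*', '(', ')',
    '\\' and NUL become \\XX hex escapes, so the login name can only match itself."""
    return re.sub(r"[*()\\\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def unescape_filter_value(value):
    """Inverse of escape_filter_value, used by the model server when matching."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


class Directory:
    """Tiny in-memory stand-in for an LDAP server: bind plus equality search."""

    def __init__(self, ldif):
        self.entries = parse_ldif(ldif)

    def bind(self, dn, password):
        entry = self.entries.get(dn.lower())
        return entry is not None and password in entry.get("userpassword", [])

    def search(self, base_dn, flt):
        """Subtree search under base_dn with a single '(attr=value)' filter."""
        m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
        if not m:
            raise ValueError("only (attr=value) filters are modelled")
        attr, wanted = m.group(1).lower(), unescape_filter_value(m.group(2))
        base = base_dn.lower()
        return [dn for dn, e in self.entries.items()
                if (dn == base or dn.endswith("," + base)) and wanted in e.get(attr, [])]


def authenticate(directory, cfg, login, password):
    """Regular bind with Group Authentication, step by step as the page describes.
    cfg keys mirror the settings table (assumed names, not FortiADC's own)."""
    # Step 1: bind with the configured User DN to obtain search access.
    if not directory.bind(cfg["user_dn"], cfg["password"]):
        return False, "bind with User DN failed"
    # Step 2: search below the Base DN for {Common Name Identifier}={login}.
    flt = "(%s=%s)" % (cfg["cnid"], escape_filter_value(login))
    hits = directory.search(cfg["dn"], flt)
    if len(hits) != 1:
        return False, "expected one entry for %s, found %d" % (flt, len(hits))
    user_dn = hits[0]
    # Step 3: optional group check. Modelling choice: a numeric Group DN selects
    # the gidNumber method (OpenLDAP Method 1); otherwise Group DN names a group
    # entry whose member attribute must list the user (Windows AD, groupOfNames).
    if cfg.get("group_auth"):
        group_dn = cfg["group_dn"]
        if group_dn.isdigit():
            if group_dn not in directory.entries[user_dn].get("gidnumber", []):
                return False, "gidNumber of %s is not %s" % (user_dn, group_dn)
        else:
            group = directory.entries.get(group_dn.lower(), {})
            if user_dn not in [m.lower() for m in group.get("member", [])]:
                return False, "%s is not a member of %s" % (user_dn, group_dn)
    # Step 4: bind as the entry that was found, with the password the user supplied.
    if not directory.bind(user_dn, password):
        return False, "password check for %s failed" % user_dn
    return True, user_dn


# Constructed configuration mirroring the OpenLDAP Method 2 example on the page.
EXAMPLE_CFG = {
    "user_dn": "cn=svc-fortiadc,ou=people,dc=fadc,dc=com",
    "password": "bind-secret",
    "dn": "ou=people,dc=fadc,dc=com",
    "cnid": "cn",
    "group_auth": True,
    "group_dn": "cn=fortinet,ou=group,dc=fadc,dc=com",
}

if __name__ == "__main__":
    d = Directory(SAMPLE_LDIF)
    for login, pw in [("fortiadc", "user-secret"), ("guest", "guest-secret"), ("*", "x")]:
        print(login, authenticate(d, EXAMPLE_CFG, login, pw))
```

Running the block shows "fortiadc" succeeding, "guest" rejected at the group check even though its password is right, and a login of "*" finding no entry because the escaped filter value "\2a" matches only a literal asterisk. Setting group_dn to "10000" exercises the gidNumber method against the same directory.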
Using FortiAuthenticator
Set the LDAP group on the LDAP server for when the Group Type is FortiAuthenticator.
- In FortiAuthenticator, create a group and add a user to that group. In the example below, the group "fortinet" is created and the user "fortiadc" is a member of this group.
- Add the group and the user to the LDAP tree.
- Specify the Group DN in the FortiADC LDAP server configuration. In the example, the value is cn=fortinet,ou=fac,dc=example,dc=com.
FAQs when using an LDAP authentication server
Why does LDAPS or StartTLS not work with Windows AD when a CA profile is selected?
When a CA profile is selected, FortiADC verifies the LDAP server certificate against it, and the CN of that certificate must be the same value as the Server field in the FortiADC LDAP configuration. Below is an example configuration for users using Windows AD with StartTLS.
The CN of the Windows AD certificate:
LDAP Configuration on FortiADC:
How do I debug "Test Connectivity" or "Fetch DN" failures when using Windows AD as the LDAP server?
You can install the LDAP Admin tool on the Windows server to verify whether the configuration on Windows AD is correct.