Handbook

Using an LDAP authentication server

Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services over a network. When using LDAP, authentication clients may send “Bind” messages to servers for authentication. Depending on the circumstances, clients may send different kinds of “Bind” messages.

LDAP bind messages

In a server load-balancing client authentication or admin authentication scenario, FortiADC sends a bind request to the LDAP server to authenticate the client. Once the client is successfully authenticated, it can access the LDAP server according to its privileges. There are three bind types: simple, anonymous, and regular.

Simple bind

Simple bind means binding directly with the client's full name (its DN), without a preceding user search.

Anonymous bind

Anonymous bind should be used only if the LDAP server allows it. The LDAP server searches all sub-branches for the client, starting from the specified DN. This bind has two steps: first, FortiADC sends the bind request and specifies the search entry point; then it sends a search request with the specified scope and filter to the LDAP server to find the given client.

Regular bind

Regular bind can be used when anonymous binding is not allowed on the LDAP server. It is similar to anonymous bind; the difference is in the first step. Unlike anonymous bind, regular bind requires FortiADC to obtain access privileges on the LDAP server in the first step by binding with the specified User DN. After it has obtained that authorization, FortiADC proceeds to the second step as it does in anonymous bind.

LDAP over SSL (LDAPS) and StartTLS

LDAP over SSL (LDAPS) and StartTLS are used to encrypt LDAP messages in the authentication process.

LDAPS is a mechanism for establishing an encrypted SSL/TLS connection for LDAP. It requires a separate port, commonly 636. The StartTLS extended operation is the LDAPv3 standard mechanism for enabling TLS (SSL) data confidentiality protection: it uses an LDAPv3 extended operation to negotiate an encrypted SSL/TLS session within an already established LDAP connection.

Configuring LDAP binding

You can use an LDAP authentication server to authenticate administrator or destination server user log-ins.

Basic steps:
  1. Configure a connection to an LDAP server that can authenticate administrator or user logins.
  2. Select the LDAP server configuration when you add administrator users or create user groups.

Before you begin:
  • You must know the IP address or FQDN and the port used to access the LDAP server. You must know the CN and DN where user credentials are stored on the LDAP server.
  • You must have Read-Write permission for System settings.

To select an LDAP server:
  1. Go to User Authentication > Remote Server.
  2. Click the LDAP Server tab.
  3. Click Create New to display the configuration editor.
  4. Complete the configuration as described in LDAP server configuration.
  5. Click Test Connectivity to validate the configuration.
  6. Save the configuration.

LDAP server configuration

Settings Guidelines

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

After you initially save the configuration, you cannot edit the name.

Server

IP address or FQDN of the LDAP server.
Note: When enabling LDAPS or StartTLS, use the common name (CN) of the LDAP server certificate in this field if you want the CA profile to verify the server identity (see CA Profile).

Port

Port number for the server.

Port 389 is typically used for non-secured connections or for StartTLS-secured connections, and port 636 is typically used for SSL-secured (LDAPS) connections.

Common Name Identifier

Enter the identifier for the common name (CN) attribute (also called the CNID) whose value is the user name.

Identifiers vary based on the schema of your LDAP directory. This is often cn or uid. For Windows Active Directory, it is often the attribute sAMAccountName.

For example, in a default OpenLDAP directory, if a user object is uid=fortiadc,cn=users,dc=fortinet,dc=com, then the CNID is uid.

Distinguished Name

Specifies the Base DN from which the LDAP query starts. This DN is the full path in the directory to the user account objects.

For example:

ou=People,dc=example,dc=com

or

cn=users,dc=example,dc=com

You can use the Fetch DN function to retrieve the entire Directory Information Tree and select the DN of the entry at which the LDAP query starts.

Note: When using Windows Active Directory as the LDAP server, you may need to use regular bind so that FortiADC has permission to read the LDAP entries when using the Fetch DN function.

Bind Type

  • Simple—bind without user search. It can be used only if all the users belong to the same “branch”.
  • Anonymous—bind with user search. It can be used when users are in different “branches” and only if the server allows “anonymous search”.
  • Regular—bind with user search. It can be used when users are in different “branches” and the server does not allow “anonymous search”.

User DN

Available only when Bind Type is Regular.

Enter the bind DN of an LDAP user account with permissions to query the Distinguished Name (see Distinguished Name). The maximum length is 256 characters.

For example:

cn=fortiadc,cn=users,dc=fortinet,dc=com

For Windows Active Directory, the UPN (User Principal Name) is often used instead of a bind DN (for example, user@domain.com).

This field is optional if your LDAP server does not require the FortiADC appliance to authenticate before performing queries.

Password

Enter the password of the User DN.

Secure Connection

  • Disable
  • LDAPS
  • STARTTLS

CA Profile

Available only when Secure Connection is set to LDAPS or STARTTLS, regardless of the selected Bind Type.

Select a CA profile to verify the server certificate, or leave the field blank.

For details on how to import the CA profile, see Importing CAs.

Group Authentication

Available only when Bind Type is Regular.

Enable to filter the query results, only allowing users to authenticate if they are members of the LDAP group that you define in the Group DN field. Users that are not members of that group are not allowed to authenticate.

Group Type

Available only when Bind Type is Regular.

Indicate the schema of your LDAP directory as one of the following:

  • OpenLDAP — The directory uses a schema where each user object’s group membership is recorded in an attribute named gidNumber or a virtual attribute named memberOf.
  • Windows-AD — The directory uses a schema where each user object’s group membership is recorded in an attribute named memberOf.
  • FortiAuthenticator — Group membership attributes may have different names depending on the LDAP directory schema.

The FortiADC appliance uses the group membership attribute that matches your directory's schema when querying the group DN.

Group DN

Available only when Bind Type is Regular.

Enter the value of the group membership attribute that query results must have in order to be able to authenticate.

For example:

ou=Groups,dc=example,dc=com or a group ID (GID) such as 100

The value may vary based on your directory's schema. For details, see Setting the LDAP group on the LDAP server.
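The following added example is not FortiADC or OpenLDAP code; it models how the settings above combine. The Bind Type decides whether FortiADC binds directly with CNID=login under the Distinguished Name (Simple) or first obtains search rights (anonymously, or with the User DN and Password for Regular) and then searches for the login under the Distinguished Name; Group Authentication then filters the result by gidNumber or memberOf according to the Group Type and Group DN. The build_filter function shows the search filter those settings imply, with the login name escaped per RFC 4515 so that characters such as *, ( and ) in a typed user name cannot change the filter. The directory entries, names, passwords and the FakeDirectory class are all constructed for this example.

```python
"""Added example (not FortiADC or OpenLDAP code): the FortiADC LDAP settings
driving the three bind types and the group check against a constructed
in-memory directory. All entries, names and passwords are made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the login name is user input and must never be
    spliced into a search filter raw."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value used in an RDN (Simple bind builds a DN)."""
    return "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)

def normalize_dn(dn: str) -> str:
    return ",".join(p.strip() for p in dn.split(",")).lower()

@dataclass
class FakeDirectory:
    entries: Dict[str, Dict[str, List[str]]]   # DN -> attributes
    passwords: Dict[str, str]                  # normalized DN -> password
    allow_anonymous: bool = True               # server permits anonymous search?

    def bind(self, dn: Optional[str], password: Optional[str]) -> bool:
        if dn is None:                         # anonymous bind request
            return self.allow_anonymous
        return password is not None and self.passwords.get(normalize_dn(dn)) == password

    def search(self, base_dn: str, attr: str, value: str) -> List[str]:
        """Subtree search under base_dn for entries whose attr equals value."""
        base = normalize_dn(base_dn)
        return [dn for dn, attrs in self.entries.items()
                if (normalize_dn(dn) == base or normalize_dn(dn).endswith("," + base))
                and value.lower() in (v.lower() for v in attrs.get(attr, []))]

@dataclass
class LdapServerConfig:
    cnid: str                          # Common Name Identifier (uid, cn, sAMAccountName)
    base_dn: str                       # Distinguished Name (search base)
    bind_type: str                     # "Simple", "Anonymous" or "Regular"
    user_dn: Optional[str] = None      # Regular bind only
    password: Optional[str] = None
    group_auth: bool = False           # Group Authentication
    group_type: str = "OpenLDAP"       # "OpenLDAP" or "Windows-AD"
    group_dn: Optional[str] = None     # group DN, or a GID number for OpenLDAP

    def uses_gid(self) -> bool:
        return self.group_type == "OpenLDAP" and self.group_dn.isdigit()

def build_filter(cfg: LdapServerConfig, login: str) -> str:
    """Search filter the settings imply for Anonymous/Regular bind."""
    user = "(%s=%s)" % (cfg.cnid, escape_filter_value(login))
    if not cfg.group_auth:
        return user
    if cfg.uses_gid():
        return "(&%s(gidNumber=%s))" % (user, cfg.group_dn)
    return "(&%s(memberOf=%s))" % (user, escape_filter_value(cfg.group_dn))

def in_group(cfg: LdapServerConfig, attrs: Dict[str, List[str]]) -> bool:
    if cfg.uses_gid():
        return cfg.group_dn in attrs.get("gidNumber", [])
    want = normalize_dn(cfg.group_dn)
    return any(normalize_dn(v) == want for v in attrs.get("memberOf", []))

def authenticate(d: FakeDirectory, cfg: LdapServerConfig,
                 login: str, pw: str) -> Tuple[bool, str]:
    """Return (success, user DN or failure reason)."""
    if cfg.bind_type == "Simple":
        # No search: the user's DN is CNID=login directly under the base DN.
        dn = "%s=%s,%s" % (cfg.cnid, escape_dn_value(login), cfg.base_dn)
        return (True, dn) if d.bind(dn, pw) else (False, "bind failed")
    # Step 1: obtain search rights, anonymously or with the User DN/Password.
    if cfg.bind_type == "Anonymous":
        if not d.bind(None, None):
            return False, "anonymous bind refused"
    elif cfg.bind_type == "Regular":
        if not d.bind(cfg.user_dn, cfg.password):
            return False, "User DN bind failed"
    else:
        return False, "unknown bind type"
    # Step 2: find exactly one entry for the login, then apply the group check.
    hits = d.search(cfg.base_dn, cfg.cnid, login)
    if len(hits) != 1:
        return False, "expected one entry, found %d" % len(hits)
    if cfg.group_auth and not in_group(cfg, d.entries[hits[0]]):
        return False, "not a member of " + cfg.group_dn
    # Step 3: bind as the entry found, with the password the user typed.
    return (True, hits[0]) if d.bind(hits[0], pw) else (False, "wrong password")

# Constructed directory: an OpenLDAP-style People branch and an AD-style container.
DIRECTORY = FakeDirectory(
    entries={
        "uid=alice,ou=People,dc=example,dc=com": {"uid": ["alice"], "gidNumber": ["10000"]},
        "uid=bob,ou=People,dc=example,dc=com": {"uid": ["bob"], "gidNumber": ["20000"]},
        "cn=carol,cn=users,dc=win2019,dc=com": {"sAMAccountName": ["carol"],
            "memberOf": ["cn=fortinet,cn=users,dc=win2019,dc=com"]},
    },
    passwords={"cn=svc,ou=people,dc=example,dc=com": "svc-pw",
               "uid=alice,ou=people,dc=example,dc=com": "alice-pw",
               "uid=bob,ou=people,dc=example,dc=com": "bob-pw",
               "cn=svc,cn=users,dc=win2019,dc=com": "svc-pw",
               "cn=carol,cn=users,dc=win2019,dc=com": "carol-pw"},
    allow_anonymous=False)                     # a server that forbids anonymous search
OPENLDAP_REGULAR = LdapServerConfig(
    cnid="uid", base_dn="ou=People,dc=example,dc=com", bind_type="Regular",
    user_dn="cn=svc,ou=People,dc=example,dc=com", password="svc-pw",
    group_auth=True, group_type="OpenLDAP", group_dn="10000")
AD_REGULAR = LdapServerConfig(
    cnid="sAMAccountName", base_dn="cn=users,dc=win2019,dc=com", bind_type="Regular",
    user_dn="cn=svc,cn=users,dc=win2019,dc=com", password="svc-pw",
    group_auth=True, group_type="Windows-AD",
    group_dn="cn=fortinet,cn=users,dc=win2019,dc=com")
```

Calling authenticate(DIRECTORY, OPENLDAP_REGULAR, "alice", "alice-pw") returns the user's DN; the same call for "bob" fails on the group check because his gidNumber is not the configured Group DN, and an Anonymous configuration against this directory fails at step 1 because the constructed server refuses anonymous search, which is the situation in which the handbook says to use Regular bind.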

Setting the LDAP group on the LDAP server

Using Windows Active Directory

Set the LDAP group on the LDAP server when the Group Type is Windows-AD.

  1. Open the Windows Active Directory Administrator Center and create a new group.
    For example, add a new group named "fortinet".
  2. Find the Group Distinguished Name. This value is used for the Group DN field of the FortiADC LDAP server configuration.
  3. Add the user to the group. Ensure you do not mark this group as the primary group for the login user.
    For example, add the User "fortiadc" to the Group "fortinet".
  4. In FortiADC, configure the LDAP Group DN settings using the Distinguished Name value recorded from step 2.

    FortiADC checks whether {Common Name Identifier}={login admin name} is a member of the group you specified.
    For example, when logging in to FortiADC with the admin name "fortiadc", FortiADC checks whether cn=fortiadc is a member of the group cn=fortinet,cn=users,dc=win2019,dc=com, using the search base DN cn=users,dc=win2019,dc=com. If the entry exists, FortiADC gets the DN of the entry (cn=fortiadc,cn=users,dc=vm,dc=fadc in this example) and binds to Windows AD with that DN and the supplied password.

Using OpenLDAP

Set the LDAP group on the LDAP server when the Group Type is OpenLDAP. There are two methods for adding a user to a group.

Method 1:

Create a user with the attribute gidNumber that points to the group.
Specify that GID number in the Group DN field of the FortiADC LDAP server configuration. For example: 10000.

Method 2:

Create a group and add the user as a member. Before doing this, the memberof overlay must be enabled.

The following is an example of OpenLDAP (slapd) with the MDB database installed on Ubuntu. Adapt the steps below to the parameters of your environment.

  1. Enable the memberof module with the following command:
    ldapmodify -Y EXTERNAL -H ldapi:/// <<EOL
    dn: cn=module{0},cn=config
    add: olcModuleLoad
    olcModuleLoad: memberof
    EOL

  2. Configure the MDB database to use the memberof overlay with the following command:
    ldapadd -Y EXTERNAL -H ldapi:/// <<EOL
    dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
    objectClass: olcConfig
    objectClass: olcOverlayConfig
    olcOverlay: memberof
    EOL

  3. Restart slapd and check that the memberof module is loaded:
    service slapd restart
    slapcat -n 0 | grep olcModuleLoad
    olcModuleLoad: {0}back_mdb
    olcModuleLoad: {0}memberof

  4. Create the group with objectClass "groupOfNames" and add the user as a member of it.
    Specify the DN of the group in the Group DN field of the FortiADC LDAP server configuration.
    For example: cn=fortinet,ou=group,dc=fadc,dc=com

Using FortiAuthenticator

Set the LDAP group on the LDAP server when the Group Type is FortiAuthenticator.

  1. In FortiAuthenticator, create a group and add a user to that group.
    In this example, the group "fortinet" is created and the user "fortiadc" is a member of it.
  2. Add the group and the user to the LDAP tree.
  3. Specify the Group DN in the FortiADC LDAP server configuration.
    In this example, the value is cn=fortinet,ou=fac,dc=example,dc=com.

FAQs when using an LDAP authentication server

Why does LDAPS or StartTLS not work with Windows AD when a CA profile is selected?

When a CA profile is selected, the CN of the LDAP server certificate must match the value of the Server field in the FortiADC LDAP configuration. Below is an example configuration for Windows AD with StartTLS.

The CN of the Windows AD certificate:

LDAP Configuration on FortiADC:
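As an added example (not Fortinet's code), the following Python shows what the two Secure Connection choices do on the wire and where the CN requirement in this FAQ comes from. connect_ldaps wraps the socket in TLS on the LDAPS port before any LDAP message is sent; connect_starttls opens a plain LDAP connection, sends the StartTLS extended operation (request name 1.3.6.1.4.1.1466.20037), checks that the server's ExtendedResponse reports success, and only then upgrades the same socket to TLS. The tls_context helper stands in for the CA Profile setting: with a CA file the certificate chain is verified and the name passed as server_hostname, which is the Server field, must match the certificate, so a mismatch fails during the TLS handshake rather than inside LDAP. The function names, the ca_file parameter and the sample response bytes are this example's own; nothing here contacts a server unless the connect functions are called.

```python
"""Added example (not FortiADC code): LDAPS versus StartTLS as a client does
them with the Python standard library, plus the server-name check that a
CA Profile implies. SAMPLE_STARTTLS_OK is a constructed server response."""
import socket
import ssl
from typing import Optional, Tuple

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # StartTLS request name (RFC 4511)

def ber_len(n: int) -> bytes:
    """BER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body

def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }."""
    assert 0 <= message_id < 0x80                 # one INTEGER octet is enough here
    msg_id = ber_tlv(0x02, bytes([message_id]))
    name = ber_tlv(0x80, STARTTLS_OID.encode())   # requestName [0] OCTET STRING
    ext_req = ber_tlv(0x77, name)                 # ExtendedRequest [APPLICATION 23]
    return ber_tlv(0x30, msg_id + ext_req)        # LDAPMessage SEQUENCE

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one BER TLV at pos; return (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(data: bytes) -> Tuple[int, int, str]:
    """Return (messageID, resultCode, diagnosticMessage) of an ExtendedResponse."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = read_tlv(msg, 0)
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x78:                          # ExtendedResponse [APPLICATION 24]
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(body, 0)         # resultCode ENUMERATED
    _, _matched, pos = read_tlv(body, pos)   # matchedDN
    _, diag, _ = read_tlv(body, pos)         # diagnosticMessage
    return int.from_bytes(msg_id, "big"), int.from_bytes(code, "big"), diag.decode()

def tls_context(ca_file: Optional[str]) -> ssl.SSLContext:
    """With a CA file (the CA Profile case) the chain is verified and the
    server_hostname given at connect time must match the certificate, which is
    why the Server field must carry the certificate's name. Without one the
    session is encrypted but the server is not authenticated."""
    if ca_file:
        return ssl.create_default_context(cafile=ca_file)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def connect_ldaps(server: str, ctx: ssl.SSLContext, port: int = 636) -> ssl.SSLSocket:
    """LDAPS: TLS is negotiated on the dedicated port before any LDAP message."""
    return ctx.wrap_socket(socket.create_connection((server, port)), server_hostname=server)

def connect_starttls(server: str, ctx: ssl.SSLContext, port: int = 389) -> ssl.SSLSocket:
    """StartTLS: plaintext LDAP connection, one ExtendedRequest, then TLS on the
    same socket. The response is assumed to arrive in a single recv here."""
    sock = socket.create_connection((server, port))
    sock.sendall(starttls_request(1))
    _, code, diag = parse_extended_response(sock.recv(4096))
    if code != 0:
        sock.close()
        raise RuntimeError("StartTLS refused: resultCode %d %s" % (code, diag))
    return ctx.wrap_socket(sock, server_hostname=server)

# Constructed successful ExtendedResponse: messageID 1, resultCode 0 (success),
# empty matchedDN and diagnosticMessage.
SAMPLE_STARTTLS_OK = bytes.fromhex("300c02010178070a010004000400")
```

The encoded StartTLS request is 31 bytes and is the only LDAP message that crosses the port 389 connection in the clear; everything after the successful ExtendedResponse, including the bind with the User DN password, travels inside TLS. For LDAPS there is no plaintext phase at all, which is the practical difference between the two Secure Connection options.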

How do I debug "Test Connectivity" or "Fetch DN" failures when using Windows AD as the LDAP server?

You can install the LDAP Admin tool on the Windows server to verify whether the configuration on Windows AD is correct.
