LDAP is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, and printers. LDAP consists of a data-representation scheme, a set of defined operations, and a request/response network.
In the LDAP protocol there are a number of operations a client can request such as search, compare, and add or delete an entry. Binding is the operation where the LDAP server authenticates the user. If the user is successfully authenticated, binding allows the user access to the LDAP server based on the user’s permissions.
|LDAP Server Settings|
|LDAP server certificate||Select the certificate that the LDAP server will present from the dropdown menu.|
|Certificate authority type||Select either Local CA or Trusted CA.|
|CA certificate that issued the server certificate||Select the CA certificate that issued the server certificate from the dropdown menu.|
|LDAP User Auto Provisioning||Enable this feature to specify how users can be automatically provisioned into LDAP.|
Select OK to apply any changes that you have made.
The LDAP tree defines the hierarchical organization of user account entries in the LDAP database. The FortiGate unit requesting authentication must be configured to address its request to the right part of the hierarchy.
An LDAP server’s hierarchy often reflects the hierarchy of the organization it serves. The root represents the organization itself, usually defined as Domain Component (DC), a DNS domain, such as
example.com (as the name contains a dot, it is written as two parts separated by a comma:
dc=example,dc=com). Additional levels of hierarchy can be added as needed; these include:
- Country (c)
- User Group (cn)
- Local User (uid)
- Organization (o)
- Organizational Unit (ou)
The user account entries relevant to user authentication will have element names such as UID or CN; the user's name. They can each be placed at their appropriate place in the hierarchy.
Complex LDAP hierarchies are more common in large organizations where users in different locations and departments have different access rights. For basic authenticated access to your office network or the Internet, a much simpler LDAP hierarchy is adequate.
When requesting authentication, an LDAP client, such as a FortiGate unit, must specify the part of the hierarchy where the user account record can be found. This is called the distinguished name (DN). In the above example, DN is
The authentication request must also specify the particular user account entry. Although this is often called the common name (CN), the identifier you use is not necessarily CN. On a computer network, it is appropriate to use UID, the person’s user ID, as that is the information that they will provide at logon.
When an object name includes a space, as in Test Users, you have to enclose the text with double-quotes. For example:
There are three common forms of DN entries:
The most common consists of one or more DC elements making up the DN. Each part of the domain has its own DC entry. This comes directly from the DNS entry for the organization. For example, for example.com, the DN entry is
An older method is to use the company name with a country entry. For example, for Example Inc. operating in the United States, the DN would be
o="Example, Inc.",c=US. This makes less sense for international companies.
|When you configure FortiGate units to use FortiAuthenticator as an LDAP server, you will specify the distinguished name that you created here. This identifies the correct LDAP structure to reference.|
- Go to Authentication > LDAP Service > Directory Tree.
dc=example,dc=comto edit the entry.
- In the Distinguished Name (DN) field, enter a new name (e.g. "
- Select OK to apply your changes.
If your domain name has multiple parts to it, such as shiny.widgets.example.com, each part of the domain should be entered as part of the DN, for example:
You can add a subordinate node at any level in the hierarchy as required.
- From the LDAP directory tree, select the green plus symbol next to the DN entry where you want to add the node.
The Create New LDAP Entry window opens.
- In the Class field, select the identifier to use.
- Select the required value from the dropdown menu, or select Create New to create a new entry of the selected class.
- Select OK to add the node.
For example, to add the ou=People node from the earlier example, select Organizational Unit (ou).
Nodes can be edited after creation by selecting the edit, or pencil, icon next to the node name.
You must add user account entries at the appropriate place in the LDAP tree. These users must already be defined in the FortiAuthenticator user database. See Adding a user.
- From the LDAP directory tree, expand nodes as needed to find the required node, then select the node’s green plus symbol.
- In the Class field, select User (uid).
- Select the required users in the Available Users box and move them to the Chosen Users box. If you want to add all local users, select Choose all below the users box.
- Select OK to add the user account to the tree.
You can verify your users were added by expanding the node to see their UIDs listed below it.
In the earlier example, you would do this on the
The list of available users is displayed. You can choose to display them alphabetically by either user group or user.
At times you may want to rearrange the hierarchy of the LDAP structure. For example a department may be moved from one country to another.
|While it is easy to move a branch in the LDAP tree, all systems that use this information will need to be updated to the new structure or they will not be able to authenticate users.|
- From the LDAP directory tree, select Expand All and find the branch that you want to move.
- Click and drag the branch from its current location to its new location
When the branch is hovered above a valid location, an arrow appears to the left of the current branch to indicate where the new branch will be inserted. It will be inserted below the entry with the arrow.
Adding entries to the directory tree involves placing the attribute at the proper place. However, when removing entries it is possible to remove multiple branches at one time.
|Take care not to remove more branches than you intend. Remember that all systems using this information will need to be updated to the new structure or they will not be able to authenticate users.|
- From the LDAP directory tree, select Expand All and find the branch that you want to remove.
- Select the red X to the right of the entry name.
- Select Yes, I’m sure to delete the entry.
If the deletion was successful there is a green check next to the successful message above the LDAP directory and the entry is removed from the tree.
You are prompted to confirm your deletion. Part of the prompt displays the message of all the entries that will be removed with this deletion. Ensure this is the level that you intend to delete.
When you have defined the FortiAuthenticator LDAP tree, you can configure FortiGate units to access the FortiAuthenticator as an LDAP server and authenticate users.
- On the FortiGate unit, go to User & Device > LDAP Servers and select Create New.
- Enter the following information:
Name Enter a name to identify the FortiAuthenticator LDAP server on the FortiGate unit. Server IP/Name Enter the IP address FQDN of FortiAuthenticator. Server Port Leave at default (389). Common Name Identifier Enter
uid, the user ID.
Distinguished Name Enter the LDAP node where the user account entries can be found. For example,
- Simple: Bind using a simple password authentication without a search.
- Anonymous: Bind using anonymous user search.
- Regular: Bind using username/password and then search.
You can use simple authentication if the user records all fall under one distinguished name (DN). If the users are under more than one DN, use the anonymous or regular type, which can search the entire LDAP database for the required username.
If your LDAP server requires authentication to perform searches, use the regular type and provide the Username and Password.
Secure Connection If you select Secure Connection, you must select LDAPS or STARTTLS protocol and the CA security certificate that verifies the FortiAuthenticator device's identity. If you select LDAPS protocol, the Server Port will change to 636.
- Optionally, use the Test Connectivity and Test User Credentials features. Select OK to apply your settings.
- Add the LDAP server to a user group. Specify that user group in identity-based security policies where you require authentication.