Importing users with a remote user sync rule
Create the user sync rule to import your users (computers) into FortiAuthenticator. You can configure this rule with an LDAP filter to match specific groups in Active Directory. For the LDAP username and certificate binding common name, use dNSHostName
. This must match the CN of the actual issued certificate.
To configure a remote user sync rule:
- Go to Authentication > User Management > Remote User Sync Rules, and click Create New.
- Under Edit Remote LDAP User Synchronization Rule, set the following:
- Name: Enter a name for the rule, for example:
AD-computers
. - Remote LDAP: Select the remote LDAP server you previously configured.
- Base distinguished name: Enter your base distinguished name, for example:
DC=wl-cse,DC=net
. - LDAP filter: Select the LDAP filter which matches your specific group in Active Directory, for example:
(&(objectClass=computer)(memberof=CN=LAB-Computers,OU=Computers,OU=LAB,DC=wl-cse,DC=net))
.
- Name: Enter a name for the rule, for example:
- Under Synchronization Attributes, set the following:
- Token-based authentication sync priorities: Select None.
- Sync every: Select the sync frequency based on your preferences, for example: 1 hour(s).
- Sync as: Remote LDAP User.
- User role for new user imports: User.
- Group to associate users with: Select your remote LDAP user group.
- Certificate binding CA: Select your CA for certificate binding.
- Under LDAP User Mapping Attributes, set the following:
- Username:
dNSHostName
. - Certificate binding common name:
dNSHostName
.
- Username:
- Click OK.
Once the user sync rule has been created, run it to import your user (computer) account, and then verify the user was successfully created in Authentication > User Management > Remote Users and that the certificate binding is in place.