Configure the remote LDAP server and users

To provision the remote LDAP server:
  1. In FortiAuthenticator, go to Authentication > Remote Auth. Servers > LDAP, and click Create New.
  2. Under Create New LDAP Server, set the following:
    1. Name: Enter a name for the remote LDAP server, for example google.fortixpert.com.
    2. Primary server name/IP: ldap.google.com.
    3. Base distinguished name: Enter the base LDAP search directory, for example the G Suite domain: dc=fortixpert,dc=com.
    4. Bind type: Simple.
  3. Under Query Elements, set the following:
    1. Pre-defined templates: Select OpenLDAP/G Suite from the dropdown box, and click Apply.
  4. Under Secure Connection, enable the secure connection function, and set the following:
    1. Protocol: LDAPS.
    2. CA Certificate: Select the Google_RootCA_GSR2 certificate from the dropdown box.
    3. Use Client Certificate for TLS Authentication: Enabled.
    4. Client certificate: Select the G Suite_LDAP client certificate from the dropdown box.
  5. At the top of the page under Base distinguished name, select the directory lookup icon.
    Once the LDAPS connection is established you'll see the Directory of Groups and Users within G Suite. Select OK.
  6. Select OK again to save the LDAP server settings.
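The directory lookup in step 5 only succeeds when the LDAPS handshake (server chain validated against the selected CA, client certificate presented) and the simple bind both succeed. The script below is an added example, not part of the Fortinet cookbook, that reproduces the same check from any host holding the G Suite LDAP client certificate, so a certificate or bind problem can be separated from the FortiAuthenticator configuration; the file paths and bind credentials are placeholders, and the embedded BindResponse bytes are constructed so the decoding part runs offline.

```python
import socket
import ssl

LDAP_HOST, LDAP_PORT = "ldap.google.com", 636  # LDAPS, as in "Protocol: LDAPS"

def _tlv(tag, payload):
    """BER tag-length-value with short or long definite length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + payload

def bind_request(msg_id, bind_dn="", password=""):
    """LDAPMessage{messageID, BindRequest} with simple auth; empty DN/password = anonymous."""
    op = (_tlv(0x02, b"\x03")                 # version 3
          + _tlv(0x04, bind_dn.encode())      # name (LDAPDN)
          + _tlv(0x80, password.encode()))    # authentication: simple [0]
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, op))  # msg_id < 128

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def bind_result_code(response):
    """resultCode of a BindResponse: 0 = success, 49 = invalidCredentials."""
    _, msg, _ = _read_tlv(response, 0)        # LDAPMessage SEQUENCE
    _, _, pos = _read_tlv(msg, 0)             # messageID
    tag, op, _ = _read_tlv(msg, pos)          # BindResponse is [APPLICATION 1]
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, _ = _read_tlv(op, 0)             # resultCode ENUMERATED
    return int.from_bytes(code, "big")

def ldaps_bind(ca_file, client_cert, client_key, bind_dn="", password="",
               host=LDAP_HOST, port=LDAP_PORT):
    """Mutual-TLS LDAPS connection plus simple bind; returns the LDAP resultCode.
    ca_file = the Google_RootCA_GSR2 role, client_cert/key = the G Suite_LDAP client cert."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    ctx.load_cert_chain(client_cert, client_key)       # present the client certificate
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(bind_request(1, bind_dn, password))
            return bind_result_code(tls.recv(4096))    # a BindResponse is a few bytes

# Constructed BindResponse (messageID 1, resultCode 0) for the offline demonstration.
SAMPLE_BIND_SUCCESS = bytes.fromhex("300c02010161070a010004000400")
```

A live check is `ldaps_bind("gsr2.pem", "ldap-client.crt", "ldap-client.key")` with your own file names; a TLS error there points at the CA or client certificate selection, a non-zero resultCode at the bind settings.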
To import remote user accounts:
  1. Go to Authentication > User Management > Remote Users, and confirm that LDAP is selected at the top right of the page.
  2. Click Import.
  3. Under Import Remote LDAP Users, set the following:
    1. Remote LDAP server: Select your connector bound to ldap.google.com from the dropdown box.
    2. Action: Import Users.
  4. Click Go. A list of all the users within your G Suite directory will be displayed.
  5. Select the users you want to be able to connect to the wireless network using their G Suite account, and select OK to import the relevant user accounts.
  6. Under Synchronization Attributes, set the following:
    1. Token-based authentication sync priorities: None.
    2. Sync every: Select the sync frequency. In production environments, this should be set to 30 minutes or more depending on the number of users being synchronized.
    3. Sync as: Remote LDAP User.
    4. User role for new user imports: User.
  7. Leave all other settings in their default state, and click OK.
To create a new realm:
  1. Go to Authentication > User Management > Realms, and click Create New.
  2. Configure the following settings:
    1. Name: Enter a name for your realm, for example fortixpert.com.
    2. User source: Select the remote LDAP service from the dropdown box.
  3. Click OK.