Fortinet Document Library

Version:

Version:


Table of Contents

Cookbook

Download PDF
Copy Link

Importing users with a remote user sync rule

Create the user sync rule to import your users (computers) into FortiAuthenticator. You can configure this rule with an LDAP filter to match specific groups in Active Directory. For the LDAP username and certificate binding common name, use dNSHostName. This must match the CN of the actual issued certificate.

To configure a remote user sync rule:
  1. Go to Authentication > User Management > Remote User Sync Rules, and click Create New.
  2. Under Edit Remote LDAP User Synchronization Rule, set the following:
    1. Name: Enter a name for the rule, for example: AD-computers.
    2. Remote LDAP: Select the remote LDAP server you previously configured.
    3. Base distinguished name: Enter your base distinguished name, for example: DC=wl-cse,DC=net.
    4. LDAP filter: Select the LDAP filter which matches your specific group in Active Directory, for example: (&(objectClass=computer)(memberof=CN=LAB-Computers,OU=Computers,OU=LAB,DC=wl-cse,DC=net)).
  3. Under Synchronization Attributes, set the following:
    1. Token-based authentication sync priorities: Select None.
    2. Sync every: Select the sync frequency based on your preferences, for example: 1 hour(s).
    3. Sync asRemote LDAP User.
    4. User role for new user importsUser.
    5. Group to associate users with: Select your remote LDAP user group.
    6. Certificate binding CA: Select your CA for certificate binding.
  4. Under LDAP User Mapping Attributes, set the following:
    1. UsernamedNSHostName.
    2. Certificate binding common name: dNSHostName.
  5. Click OK.

Once the user sync rule has been created, run it to import your user (computer) account, and then verify the user was successfully created in Authentication > User Management > Remote Users and that the certificate binding is in place.

Importing users with a remote user sync rule

Create the user sync rule to import your users (computers) into FortiAuthenticator. You can configure this rule with an LDAP filter to match specific groups in Active Directory. For the LDAP username and certificate binding common name, use dNSHostName. This must match the CN of the actual issued certificate.

To configure a remote user sync rule:
  1. Go to Authentication > User Management > Remote User Sync Rules, and click Create New.
  2. Under Edit Remote LDAP User Synchronization Rule, set the following:
    1. Name: Enter a name for the rule, for example: AD-computers.
    2. Remote LDAP: Select the remote LDAP server you previously configured.
    3. Base distinguished name: Enter your base distinguished name, for example: DC=wl-cse,DC=net.
    4. LDAP filter: Select the LDAP filter which matches your specific group in Active Directory, for example: (&(objectClass=computer)(memberof=CN=LAB-Computers,OU=Computers,OU=LAB,DC=wl-cse,DC=net)).
  3. Under Synchronization Attributes, set the following:
    1. Token-based authentication sync priorities: Select None.
    2. Sync every: Select the sync frequency based on your preferences, for example: 1 hour(s).
    3. Sync asRemote LDAP User.
    4. User role for new user importsUser.
    5. Group to associate users with: Select your remote LDAP user group.
    6. Certificate binding CA: Select your CA for certificate binding.
  4. Under LDAP User Mapping Attributes, set the following:
    1. UsernamedNSHostName.
    2. Certificate binding common name: dNSHostName.
  5. Click OK.

Once the user sync rule has been created, run it to import your user (computer) account, and then verify the user was successfully created in Authentication > User Management > Remote Users and that the certificate binding is in place.