Directory tree overview
The LDAP tree defines the hierarchical organization of user account entries in the LDAP database. The FortiGate unit requesting authentication must be configured to address its request to the right part of the hierarchy.
An LDAP server’s hierarchy often reflects the hierarchy of the organization it serves. The root represents the organization itself, usually defined as Domain Component (DC), a DNS domain, such as example.com
(as the name contains a dot, it is written as two parts separated by a comma: dc=example,dc=com
). Additional levels of hierarchy can be added as needed; these include:
- Country (c)
- User Group (cn)
- Local User (uid)
- Organization (o)
- Organizational Unit (ou)
The user account entries relevant to user authentication will have element names such as UID or CN; the user's name. They can each be placed at their appropriate place in the hierarchy.
Complex LDAP hierarchies are more common in large organizations where users in different locations and departments have different access rights. For basic authenticated access to your office network or the Internet, a much simpler LDAP hierarchy is adequate.
The following is a simple example of an LDAP hierarchy in which the all user account entries reside at the OU level, just below DC.
When requesting authentication, an LDAP client, such as a FortiGate unit, must specify the part of the hierarchy where the user account record can be found. This is called the distinguished name (DN). In the above example, DN is ou=People,dc=example,dc=com
.
The authentication request must also specify the particular user account entry. Although this is often called the common name (CN), the identifier you use is not necessarily CN. On a computer network, it is appropriate to use UID, the person’s user ID, as that is the information that they will provide at logon.