Configure the remote LDAP server and users
To provision the remote LDAP server:
- In FortiAuthenticator, go to Authentication > Remote Auth. Servers > LDAP, and click Create New.
- Under Create New LDAP Server, set the following:
  - Name: Enter a name for the remote LDAP server, for example google.fortixpert.com.
  - Primary server name/IP: ldap.google.com.
  - Base distinguished name: Enter the base LDAP search directory, for example the G Suite domain: dc=fortixpert,dc=com.
  - Bind type: Simple.
- Under Query Elements, set the following:
  - Pre-defined templates: Select OpenLDAP/G Suite from the dropdown box, and click Apply.
- Under Secure Connection, enable the secure connection function, and set the following:
  - Protocol: LDAPS.
  - CA Certificate: Select the Google_RootCA_GSR2 certificate from the dropdown box.
  - Use Client Certificate for TLS Authentication: Enabled.
  - Client certificate: Select the G Suite_LDAP client certificate from the dropdown box.
- At the top of the page under Base distinguished name, select the directory lookup icon. Once the LDAPS connection is established, you will see the Directory of Groups and Users within G Suite. Select OK.
- Select OK again to save the LDAP server settings.
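Before wiring the connector into FortiAuthenticator, it is useful to confirm from any host that the secure-connection settings above are coherent and that a TLS session to ldap.google.com actually completes with the client certificate. The script below is an added example, not FortiAuthenticator or Google code: it models the connector settings as a plain dictionary with key names chosen here (they are not FortiAuthenticator's own field names), derives the base DN from the G Suite domain, flags settings that would leave the connection unauthenticated or unvalidated, and offers an optional live TLS handshake on the standard LDAPS port 636 that needs the exported client certificate and key files plus the CA bundle.

```python
"""Pre-flight checks for an LDAPS connector to Google Secure LDAP.

Added example, not FortiAuthenticator or Google code. The configuration
dictionary keys (protocol, ca_certificate, use_client_certificate, ...) are
this script's own model of the settings in the procedure, not product fields.
"""
import socket
import ssl
from typing import Dict, List

GOOGLE_LDAP_HOST = "ldap.google.com"
LDAPS_PORT = 636  # standard LDAPS port; assumed as the connector's port


def base_dn_from_domain(domain: str) -> str:
    """Turn a G Suite domain such as 'fortixpert.com' into 'dc=fortixpert,dc=com'."""
    labels = [p.strip().lower() for p in domain.strip().strip(".").split(".") if p.strip()]
    if not labels:
        raise ValueError("empty domain")
    return ",".join(f"dc={label}" for label in labels)


def check_ldap_server_config(cfg: Dict) -> List[str]:
    """Return findings for settings that break or weaken the connector.

    An empty list means the settings match the secure-connection values from
    the procedure: LDAPS, a CA certificate to validate the server, and a
    client certificate so Google Secure LDAP can authenticate the connector.
    """
    findings = []
    if cfg.get("protocol") != "LDAPS":
        findings.append("protocol must be LDAPS; an unencrypted LDAP session "
                        "exposes the directory query and any simple bind")
    if cfg.get("port", LDAPS_PORT) != LDAPS_PORT:
        findings.append(f"port {cfg.get('port')} is not the LDAPS port {LDAPS_PORT}")
    if not cfg.get("ca_certificate"):
        findings.append("no CA certificate selected: the server certificate "
                        "cannot be validated, so the session is open to interception")
    if not cfg.get("use_client_certificate"):
        findings.append("client certificate TLS authentication is disabled: "
                        "Google Secure LDAP authenticates the connector by certificate")
    elif not cfg.get("client_certificate"):
        findings.append("client certificate authentication enabled but no certificate selected")
    if cfg.get("domain"):
        expected = base_dn_from_domain(cfg["domain"])
        actual = (cfg.get("base_dn") or "").replace(" ", "").lower()
        if actual != expected:
            findings.append(f"base DN {cfg.get('base_dn')!r} does not match domain "
                            f"{cfg['domain']!r} (expected {expected})")
    return findings


def ldaps_handshake(host: str, ca_file: str, cert_file: str, key_file: str,
                    port: int = LDAPS_PORT, timeout: float = 10.0) -> Dict:
    """Live check (needs network and the real certificate files): open a TLS
    session to the LDAPS port presenting the client certificate, and return
    the negotiated TLS version and the server certificate subject."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
            return {"tls_version": tls.version(), "peer_subject": subject}


# Constructed sample mirroring the settings in the procedure above.
SAMPLE_CONFIG = {
    "name": "google.fortixpert.com",
    "server": GOOGLE_LDAP_HOST,
    "domain": "fortixpert.com",
    "base_dn": "dc=fortixpert,dc=com",
    "bind_type": "Simple",
    "protocol": "LDAPS",
    "ca_certificate": "Google_RootCA_GSR2",
    "use_client_certificate": True,
    "client_certificate": "G Suite_LDAP",
}

if __name__ == "__main__":
    print("sample config:", check_ldap_server_config(SAMPLE_CONFIG) or "OK")
    weakened = dict(SAMPLE_CONFIG, protocol="LDAP", use_client_certificate=False)
    for finding in check_ldap_server_config(weakened):
        print("-", finding)
    # To run the live check, pass the exported Google client certificate and
    # key plus the CA bundle, e.g.:
    # print(ldaps_handshake(GOOGLE_LDAP_HOST, "gsr2.pem", "client.crt", "client.key"))
```

The offline checks are the ones worth scripting into a change review: the same misconfigurations (LDAP instead of LDAPS, no CA certificate, client certificate disabled) are what silently turn the directory lookup in the last step into an unauthenticated or unvalidated session. The live handshake only proves the TLS layer; the directory lookup in the FortiAuthenticator UI still has to succeed on top of it.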
To import remote user accounts:
- Go to Authentication > User Management > Remote Users, and confirm that LDAP is selected at the top right of the page.
- Click Import.
- Under Import Remote LDAP Users, set the following:
  - Remote LDAP server: Select your connector bound to ldap.google.com from the dropdown box.
  - Action: Import Users.
- Click Go. A list of all the users within your G Suite directory is displayed.
- Select the users you want to be able to connect to the wireless network using their G Suite account, and select OK to import the relevant user accounts.
- Under Synchronization Attributes, set the following:
  - Token-based authentication sync priorities: None.
  - Sync every: Select the sync frequency. In production environments, this should be set to 30 minutes or more, depending on the number of users being synchronized.
  - Sync as: Remote LDAP User.
  - User role for new user imports: User.
- Leave all other settings in their default state, and click OK.
To create a new realm:
- Go to Authentication > User Management > Realms, and click Create New.
- Configure the following settings:
  - Name: Enter a name for your realm, for example fortixpert.com.
  - User source: Select the remote LDAP service from the dropdown box.
- Click OK.