Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Cookbook

    6.5.0
    6.5.0
    6.4.0
    6.3.0
    6.2.0
    6.1.0
    6.0.0
    5.5.0

    Provision the remote LDAP server on FortiAuthenticator

    Provision the remote LDAP server on FortiAuthenticator

    To provision the remote LDAP server:
    1. In FortiAuthenticator, go to Authentication > Remote Auth. Servers > LDAP, and click Create New.
    2. In the Create New LDAP Server window, set the following:
      1. Name: Enter a name, for example azure.fortixpert.com.
      2. Primary server name/IP: Enter the Secure LDAP IP.
      3. Bind type: Regular.
      4. Username/Password: Enter a username and password that can access MS Azure DS to perform directory lookups.
      5. Base distinguished name: Leave blank.
    3. In the Query Elements section, set the following:
      1. Pre-defined templates: Select Microsoft Active Directory and click Apply.
      2. Force use of administrator account for group membership lookups: Enabled.
    4. In the Secure Connection section, set the following
      1. Secure Connection: Enabled.
      2. Protocol: LDAPS.
      3. CA Certificate: Select the Root CA certificate for the wildcard certificate that was uploaded to MS Azure to use with the Secure LDAP connector.
    5. Select the lookup icon next to Base distinguished name. Choose the base DN for your user accounts, for example DC=fortixpert,DC=com. Click OK.
    6. Click OK to save the remote LDAP server configuration.
    To import remote user accounts:
    1. Go to Authentication > User Management > Remote Users. Confirm LDAP is selected at the top of the page, and click Import.
    2. Under Import Remote LDAP User, complete the following:
      1. Remote LDAP Server: Select the Azure remote LDAP server.
      2. Action: Select Import users, and click Go to view a list of users within your Azure directory.
      3. Select the users you wish to be able to connect to the wireless network using their Azure based account.
    3. Click OK.
    To set up a remote user sync rule:
    1. Go to Authentication > User Management > Remote User Sync Rule, and click Create New.
    2. Under Create New Remote LDAP User Synchronization Rule, set the following:
      1. Name: Enter a name, for example Azure_Remote_Sync.
      2. Remote LDAP: Select your Azure remote LDAP server.
      3. Base distinguished name: This setting can be left as the default, for example DC=fortixpert,DC=com.
    3. Under Synchronization Attributes, set the following:
      1. Token-based authentication sync priorities: Enable None.
      2. Sync every: Select the sync frequency. In production environments, this should be set to 30 minutes or more depending on the number of users being synchronized.
      3. Sync as: Remote LDAP User.
      4. User role for new user imports: User.
    4. Leave all other settings in their default states, and click OK.
    To create a new realm:
    1. Go to Authentication > User Management > Realms, and click Create New.
    2. Under Create New Realm, set the following:
      1. Name: Enter the realm name, for example fortixpert.com.
      2. User source: Select the remote LDAP service from the dropdown box.
    3. Click OK.
    Previous
    Next

    Provision the remote LDAP server on FortiAuthenticator

    Provision the remote LDAP server on FortiAuthenticator

    To provision the remote LDAP server:
    1. In FortiAuthenticator, go to Authentication > Remote Auth. Servers > LDAP, and click Create New.
    2. In the Create New LDAP Server window, set the following:
      1. Name: Enter a name, for example azure.fortixpert.com.
      2. Primary server name/IP: Enter the Secure LDAP IP.
      3. Bind type: Regular.
      4. Username/Password: Enter a username and password that can access MS Azure DS to perform directory lookups.
      5. Base distinguished name: Leave blank.
    3. In the Query Elements section, set the following:
      1. Pre-defined templates: Select Microsoft Active Directory and click Apply.
      2. Force use of administrator account for group membership lookups: Enabled.
    4. In the Secure Connection section, set the following
      1. Secure Connection: Enabled.
      2. Protocol: LDAPS.
      3. CA Certificate: Select the Root CA certificate for the wildcard certificate that was uploaded to MS Azure to use with the Secure LDAP connector.
    5. Select the lookup icon next to Base distinguished name. Choose the base DN for your user accounts, for example DC=fortixpert,DC=com. Click OK.
    6. Click OK to save the remote LDAP server configuration.
    To import remote user accounts:
    1. Go to Authentication > User Management > Remote Users. Confirm LDAP is selected at the top of the page, and click Import.
    2. Under Import Remote LDAP User, complete the following:
      1. Remote LDAP Server: Select the Azure remote LDAP server.
      2. Action: Select Import users, and click Go to view a list of users within your Azure directory.
      3. Select the users you wish to be able to connect to the wireless network using their Azure based account.
    3. Click OK.
    To set up a remote user sync rule:
    1. Go to Authentication > User Management > Remote User Sync Rule, and click Create New.
    2. Under Create New Remote LDAP User Synchronization Rule, set the following:
      1. Name: Enter a name, for example Azure_Remote_Sync.
      2. Remote LDAP: Select your Azure remote LDAP server.
      3. Base distinguished name: This setting can be left as the default, for example DC=fortixpert,DC=com.
    3. Under Synchronization Attributes, set the following:
      1. Token-based authentication sync priorities: Enable None.
      2. Sync every: Select the sync frequency. In production environments, this should be set to 30 minutes or more depending on the number of users being synchronized.
      3. Sync as: Remote LDAP User.
      4. User role for new user imports: User.
    4. Leave all other settings in their default states, and click OK.
    To create a new realm:
    1. Go to Authentication > User Management > Realms, and click Create New.
    2. Under Create New Realm, set the following:
      1. Name: Enter the realm name, for example fortixpert.com.
      2. User source: Select the remote LDAP service from the dropdown box.
    3. Click OK.
    Previous
    Next