Administration Guide

LDAP

If you have existing LDAP servers, you may choose to continue using them with FortiAuthenticator by configuring them as remote LDAP servers.

When entering the remote LDAP server information, if any information is missing or in the wrong format, error messages will highlight the problem for you.

FortiAuthenticator supports multiple Windows AD server forests, with a maximum of 20 remote LDAP servers with Windows AD enabled.

To view all information about your multiple servers, go to Monitor > Authentication > Windows AD.

To add a remote LDAP server entry:
  1. Go to Authentication > Remote Auth. Servers > LDAP and select Create New. The Create New LDAP Server window opens.
  2. Enter the following information.
    Name
    Enter the name for the remote LDAP server on FortiAuthenticator.
    Primary server name/IP

    Enter the IP address or FQDN for this remote server.

    Enter the IP address only when Use Zero Trust tunnel is enabled.

    Port
    Enter the port number.

    Use Zero Trust tunnel

    Enable to use a zero trust tunnel. From the dropdown, select a zero trust tunnel.

    Use secondary server

    Select to use a secondary server. The secondary server name/IP and port must be entered.

    Limitations of the secondary LDAP server
    • The secondary LDAP server is only used for user authentication.

    • The secondary LDAP server cannot be used for domain joining, i.e., domain joining may fail when the primary server is unavailable.

    • The secondary LDAP server cannot be used for FSSO related activities, e.g., group lookup.

    See AD server authentication.

    Secondary server name/IP

    Enter the IP address or FQDN for the secondary remote server. Enter the IP address only when Use Zero Trust tunnel is enabled.

    This option is only available when Use secondary server is selected.

    The secondary IP address/FQDN is used exclusively as redundancy for the queries to the LDAP protocol.

    It is not used as redundancy for Windows AD authentication (NTLM).

    The NTLM authentication redundancy can be accomplished by using FQDN for the primary and multiple AD server IP addresses registered to that FQDN in the DNS infrastructure.

    Secondary port

    Enter the port number for the secondary server. This option is only available when Use secondary server is selected.

    Use Zero Trust tunnel

    Enable to use a zero trust tunnel for the secondary server. From the dropdown, select a zero trust tunnel. This option is only available when Use secondary server is selected.

    Note: FortiAuthenticator uses the zero trust tunnel associated with the secondary server only when it is unable to reach the primary server (zero trust enabled).

    Base distinguished name
    Enter the base distinguished name for the server using the correct X.500 or LDAP format. The maximum length of the DN is 512 characters.
    You can also select the browse button to view and select the DN on the LDAP server.
    Bind Type

    The Bind Type determines how the authentication information is sent to the server. Select the bind type required by the remote LDAP server.

    • Simple: bind using the user’s password, which is sent to the server in plaintext (protected only by the transport), without a prior search.
    • Regular: bind using the user’s DN and password and then search.

    If all user records fall under one directory, you can use the Simple bind type. Regular is required to allow a search for a user across multiple domains.

    Server type

    Select an LDAP server type (Microsoft Active Directory, OpenLDAP, or Novell eDirectory) and click Apply template to populate the Query Elements fields with the selected template.

    Add supported domain names (used only if this is not a Windows Active Directory server)
    Select to enter multiple domain names for remote LDAP server configurations. FortiAuthenticator can then identify the domain that users on the LDAP server belong to.
  3. If you want to import a specific LDAP system's template, under Query Elements, enter the following:
    User object class
    The type of object class to search for in a user name search. The default is person.
    Username attribute
    The LDAP attribute that contains the user name. The default is sAMAccountName.
    Group object class
    The type of object class to search for in a group name search. The default is group.
    Obtain group memberships from
    The LDAP attribute (either user or group) used to obtain group membership. The default is User attribute.
    Group membership attribute
    The attribute searched to find membership of users or groups in other groups.
    Force use of administrator account for group membership lookups
    Enabling this option prevents non-admin users from searching their own attributes even after a successful bind. This option was implemented to enhance Oracle-based ODSEE LDAP support.
  4. If you want to have a secure connection between FortiAuthenticator and the remote LDAP server, under Secure Connection, select Enable, then enter the following:
    Protocol
    Select LDAPS or STARTTLS as the LDAP server requires.

    Trusted CA

    Select Single or All Trusted CA:

    • Single: only one specific CA is trusted.

    • All Trusted: allow all configured trusted CAs (local and trusted).

    CA Certificate
    Select the CA certificate that verifies the server certificate from the dropdown menu.

    Use Client Certificate for TLS Authentication

    Enable to select a client certificate to use to authenticate a TLS connection with the secure remote LDAP server.

  5. If you want to authenticate users using MSCHAP2 PEAP in an Active Directory environment, enable Windows Active Directory Domain Authentication, then enter the required Windows AD Domain Controller information.
    Kerberos realm name
    Enter the domain’s DNS name in uppercase letters.
    Domain NetBIOS name
    Enter the domain’s DNS prefix in uppercase letters.
    FortiAuthenticator NetBIOS name
    Enter the NetBIOS name that identifies FortiAuthenticator as a domain member.
    Administrator username

    Enter the name of the user account that's used to associate FortiAuthenticator with the domain. This user must have at least domain user privileges.

    To configure an Active Directory user with the minimum privileges needed to join an AD domain, see Configure minimum privilege Windows AD user account.

    Administrator password
    Enter the administrator account’s password.

    Allow Trusted Domain

    Enable to allow trusted domain.

    Preferred Domain Controller Hostname

    Enter the preferred domain controller hostname.

  6. When you are finished here, go to Authentication > RADIUS Service > Clients to choose whether authentication is available for all Windows AD users or only for Windows AD users who belong to particular user groups that you select. See RADIUS service for more information.

  7. If you want to import remote LDAP users, under Remote LDAP Users, select either Import users or Import users by group memberships and click Go. A separate window opens where you may specify the LDAP server, apply filters, and select attributes. Select User attributes to edit the following LDAP user mapping attributes:
    Username

    Enter the remote LDAP user's name.

    First name
    Enter the attribute that specifies the user's first name. Set to givenName by default.
    Last name
    Enter the attribute that specifies the user's last name. Set to sn by default.
    Email
    Enter the attribute that specifies the user's email address. Set to mail by default.
    Phone
    Enter the attribute that specifies the user's phone number. Set to telephoneNumber by default.
    Mobile number
    Enter the attribute that specifies the user's mobile number. Set to mobile by default.
    FTK-200 serial number
    Enter the remote LDAP user's FortiToken serial number.
    Certificate binding common name

    Enter the remote LDAP user's certificate-binding CN. When this field is populated, the Certificate binding CA must also be specified.

    Certificate binding CA

    Local or trusted CAs to apply for the remote LDAP user. Must be specified if the Certificate binding common name is populated.

    Display name

    Enter the attribute that specifies the user's display name. Set to displayName by default.

    Company

    Enter the attribute that specifies the user's company. Set to company by default.

    Department

    Enter the attribute that specifies the user's department. Set to department by default.

    Title

    Enter the attribute that specifies the title. Set to title by default.

  8. Select Save to apply your changes.
  9. You can now add remote LDAP users, as described in Remote users.
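The following is an added example, my own code rather than FortiAuthenticator's or Fortinet's, to show what the Query Elements in step 3 and the group selection in step 6 amount to on the wire: the user object class and username attribute become a search filter, "Obtain group memberships from" decides whether membership is read off the user object or searched on group objects, and the username is escaped before it enters the filter so it can never act as a wildcard. The in-memory directory, the base DN, the template dictionaries and every function name are constructed for the example; only the Microsoft Active Directory defaults (person, sAMAccountName, group, memberOf) come from the page, and the group-side variant using the member attribute is an assumption about how that mode is typically configured.

```python
# Added example (not FortiAuthenticator code). Everything below is constructed
# so the example runs offline against an in-memory directory.
import re

# Constructed sample directory: DN -> attributes, multi-valued as LDAP returns them.
BASE_DN = "DC=corp,DC=example,DC=com"
DIRECTORY = {
    "CN=alice,OU=Users,DC=corp,DC=example,DC=com": {
        "objectClass": ["person", "user"],
        "sAMAccountName": ["alice"],
        "memberOf": ["CN=VPN-Users,OU=Groups,DC=corp,DC=example,DC=com"],
    },
    "CN=bob,OU=Users,DC=corp,DC=example,DC=com": {
        "objectClass": ["person", "user"],
        "sAMAccountName": ["bob"],
    },
    "CN=VPN-Users,OU=Groups,DC=corp,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=alice,OU=Users,DC=corp,DC=example,DC=com"],
    },
    # Same username outside the base DN: a correctly scoped search must not see it.
    "CN=alice,OU=Users,DC=lab,DC=example,DC=com": {
        "objectClass": ["person", "user"],
        "sAMAccountName": ["alice"],
    },
}

# Query Elements with the Microsoft Active Directory template defaults from the page.
AD_TEMPLATE = {
    "user_object_class": "person",
    "username_attribute": "sAMAccountName",
    "group_object_class": "group",
    "membership_source": "user",            # "Obtain group memberships from": user or group
    "group_membership_attribute": "memberOf",
}
# Assumed variant: same directory, memberships obtained from the group side.
AD_TEMPLATE_GROUP_SIDE = dict(AD_TEMPLATE, membership_source="group",
                              group_membership_attribute="member")


def escape_filter_value(value):
    """RFC 4515 escaping: a username can never become a wildcard or close the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def user_filter(template, username):
    """The search a Regular bind issues before binding as the user it found."""
    return (f"(&(objectClass={template['user_object_class']})"
            f"({template['username_attribute']}={escape_filter_value(username)}))")


def in_base(dn, base_dn):
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def search(directory, base_dn, ldap_filter):
    """Toy subtree search for the (&(attr=value)...) filters built here.
    A bare '*' value is a presence test, as a real server would treat it."""
    terms = re.findall(r"\(([^=()]+)=([^()]*)\)", ldap_filter)
    hits = []
    for dn, attrs in directory.items():
        if not in_base(dn, base_dn):
            continue
        ok = True
        for attr, raw in terms:
            values = attrs.get(attr, [])
            ok = ok and (bool(values) if raw == "*" else unescape_filter_value(raw) in values)
        if ok:
            hits.append(dn)
    return hits


def find_user_dn(directory, base_dn, template, username):
    """Resolve a username to exactly one DN; zero or several hits fail closed."""
    hits = search(directory, base_dn, user_filter(template, username))
    return hits[0] if len(hits) == 1 else None


def group_memberships(directory, base_dn, template, user_dn):
    """Honour 'Obtain group memberships from': read the user object, or search group objects."""
    attr = template["group_membership_attribute"]
    if template["membership_source"] == "user":
        return sorted(directory[user_dn].get(attr, []))
    flt = (f"(&(objectClass={template['group_object_class']})"
           f"({attr}={escape_filter_value(user_dn)}))")
    return sorted(search(directory, base_dn, flt))


def is_authorized(directory, base_dn, template, username, allowed_groups):
    """Allow only users that resolve cleanly and belong to one of the selected groups."""
    user_dn = find_user_dn(directory, base_dn, template, username)
    if user_dn is None:
        return False
    groups = {g.lower() for g in group_memberships(directory, base_dn, template, user_dn)}
    return any(g.lower() in groups for g in allowed_groups)


if __name__ == "__main__":
    vpn = ["CN=VPN-Users,OU=Groups,DC=corp,DC=example,DC=com"]
    print(user_filter(AD_TEMPLATE, "alice"))
    print(is_authorized(DIRECTORY, BASE_DN, AD_TEMPLATE, "alice", vpn))             # True
    print(is_authorized(DIRECTORY, BASE_DN, AD_TEMPLATE_GROUP_SIDE, "alice", vpn))  # True
    print(is_authorized(DIRECTORY, BASE_DN, AD_TEMPLATE, "bob", vpn))               # False
    print(find_user_dn(DIRECTORY, BASE_DN, AD_TEMPLATE, "*"))                       # None
```

Two things worth noticing when you map this back to the form: a base DN that is too broad (DC=example,DC=com in this directory) makes the username "alice" ambiguous, and find_user_dn then refuses rather than picking one, which is the behaviour you want from an authenticator; and the escaping is what keeps a username such as "*" from becoming a presence filter that matches every person object. The toy search compares values exactly, whereas Active Directory compares sAMAccountName case-insensitively.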

Configure minimum privilege Windows AD user account

To respect the principle of least privilege, a domain administrator account should not be used to associate FortiAuthenticator with a Windows AD domain. Instead, a non-administrator account can be configured with the minimum privileges necessary to successfully join a Windows AD domain. To do this, create a user account in the applicable hierarchy of your Active Directory, then delegate the ability to manage computer objects to the user account.

  1. In the Active Directory, create a user account with the following options selected:
    • User cannot change password
    • Password never expires
  2. In Active Directory Users and Computers, right-click the container under which you want the computers added, then click Delegate Control.
    The Delegation of Control Wizard opens.
  3. Click Next.
  4. Click Add, then enter the user account created in step 1.
  5. Click Next.
  6. Select Create custom task to delegate, then click Next.
  7. Select Only the following objects in the folder, and then select Computer objects.
  8. Select Create selected objects in this folder, then click Next.
  9. Under Permissions, select Create All Child Objects, Write All Properties, and Change password.
  10. Click Next, then click Finish.

Remote LDAP password change

When FortiAuthenticator has joined the domain, the current password must be provided to change a password.

Windows AD users can change their own passwords without a Windows AD system administrator having to make provisioning changes to the network. FortiAuthenticator supports a password change in three ways: RADIUS login, GUI user login, and GUI user portal.

RADIUS login:

For this method to work, all of the following conditions must be met:

  • FortiAuthenticator has joined the Windows AD domain.
  • RADIUS client has been configured to "Use Windows AD domain authentication".
  • RADIUS authentication request uses MS-CHAPv2.
  • RADIUS client must also support MS-CHAPv2 password change.

The Windows AD server produces a "change password" response that FortiAuthenticator recognizes and relays, allowing the NAS and the Windows AD server to cooperate so that the password is changed.

GUI user login:

For this method to work, one of the following conditions must be met:

  • FortiAuthenticator has joined the Windows AD domain
  • Secure LDAP is enabled and the LDAP admin (i.e. regular bind) has the permissions to reset user passwords

You must log in via the GUI portal. FortiAuthenticator validates the user password against a Windows AD server. If the Windows AD server returns a change password response, the user is prompted to enter a new password.

GUI user portal:

For this method to work, one of the following conditions must be met:

  • FortiAuthenticator has joined the Windows AD domain.
  • Secure LDAP is enabled.

After successfully logging into the GUI, the user has access to the user portal. If desired, the user can change their password in the user portal.

Remote LDAP password reset

Password reset, i.e., setting a new password without providing the old password, is only allowed over LDAPS and only if the LDAP admin, i.e., regular bind, has permission to reset the user passwords.

AD server authentication

FortiAuthenticator can use two modes of authentication to the AD server depending on how FortiAuthenticator is configured:

  1. LDAP based authentication (LDAP bind)
  2. Windows AD authentication (NTLM; FortiAuthenticator must join the domain)

In the case of 1:

  • The secondary IP address/FQDN is used if FortiAuthenticator fails to connect to the primary server.

  • If using an FQDN for the primary or secondary server, you can decide to do load-balancing/failover to multiple LDAP servers at the DNS level.

In the case of 2:

  • The secondary IP address/FQDN is never used.

  • If load-balancing/failover is required, it must be done at the DNS level.
