Configuring LDAP authentication

You can configure administrator authentication against a Lightweight Directory Access Protocol (LDAP) server.

After you have completed the LDAP server configuration and enabled it, you can select it when you create an administrator user on the System > Admin > Administrators page. On that page, you can specify the username but not the password. You can also specify the SPP assignment, trusted host list, and access profile for that user.

If LDAP is enabled, when a user logs in, an authentication request is made to the remote LDAP server. If authentication succeeds, and the user has a configuration on the System > Admin > Administrators page, the SPP assignment, trusted host list, and access profile are applied. If the user does not have a configuration on the System > Admin > Administrators page, these assignments are obtained from the Default Access Strategy settings described in the LDAP configuration guidelines table.

Before you begin:

  • You must have Read-Write permission for System settings.
  • You must work with your LDAP administrator to determine an appropriate DN for FortiDDoS access. The LDAP administrator might need to provision a special group.
To configure an LDAP server:
  1. Go to System > Authentication > LDAP.
  2. Complete the configuration as described in the table below.
  3. Save the configuration.

Note: Using the Test Connectivity button with incorrectly configured LDAP settings will result in a long period without a response. Configure LDAP carefully.


LDAP server configuration page

LDAP configuration guidelines

Enable
  Unique name. No spaces or special characters.

LDAP Server Name/IP
  IP address of the LDAP server.

Port
  LDAP port. Default is TCP 389 for LDAP and STARTTLS, and TCP 636 for LDAPS.
  Note: FortiDDoS does not support CLDAP over UDP.

Common Name Identifier
  Common name (cn) attribute for the LDAP record. For example: cn or uid.

Distinguished Name
  Distinguished name (dn) attribute for the LDAP record. The dn uniquely identifies a user in the LDAP directory. For example:
  cn=John Doe,dc=example,dc=com
  Most likely, you must work with your LDAP administrator to know the appropriate DN to use for FortiDDoS access. The LDAP administrator might need to provision a special group.

Bind Type
  Select the Bind Type:
  • Simple - bind without user search. It can be used only if all the users belong to the same 'branch'.
  • Anonymous - bind with user search. It can be used when users are in different 'branches' and only if the server allows 'anonymous search'.
  • Regular - bind with user search. It can be used when users are in different 'branches' and the server does not allow 'anonymous search'.

User DN
  Enter the user Distinguished Name. (Available only when Bind Type is 'Regular'.)

Password
  Enter the password for the user. (Available only when Bind Type is 'Regular'.)

Secure
  Select the Secure type:
  • Disable
  • LDAPS
  • STARTTLS
  LDAP over SSL (LDAPS) and StartTLS are used to encrypt LDAP messages in the authentication process. LDAPS is a mechanism for establishing an encrypted SSL/TLS connection for LDAP. It requires the use of a separate port, commonly 636. The StartTLS extended operation is the LDAPv3 standard mechanism for enabling TLS (SSL) data confidentiality protection. It uses an LDAPv3 extended operation to establish an encrypted SSL/TLS connection within an already established LDAP connection.

Trusted Hosts
  Source IP address and netmask from which the administrator is allowed to log in. For multiple addresses, separate each entry with a space. You can specify up to three trusted areas. They can be single hosts, subnets, or a mixture.
  Configuring trusted hosts hardens the security of the system. In addition to knowing the password, an administrator can connect only from the computer or subnets you specify.
  Trusted host definitions apply both to the web UI and to the CLI when accessed through Telnet, SSH, or the CLI console widget. Local console access is not affected by trusted hosts, as the local console is by definition not remote, and does not occur through the network.
  If ping is enabled, the address you specify here is also a source IP address to which the system will respond when it receives a ping or traceroute signal.
  To allow logins only from one computer, enter only its IP address and 32- or 128-bit netmask: 192.0.2.2/32 and/or 2001:0db8:85a3::8a2e:0370:7334/128
  To allow login attempts from any IP address (not recommended), enter 0.0.0.0/0 and/or ::/0
  Caution: If you restrict trusted hosts, do so for all administrator accounts. Failure to do so means that all accounts are still exposed to the risk of brute force login attacks. This is because if you leave even one administrator account unrestricted (i.e. 0.0.0.0/0), the system must allow login attempts on all network interfaces where remote administrative protocols are enabled, and wait until after a login attempt has been received in order to check that user name's trusted hosts list.
  Tip: If you allow login from the Internet, set a longer and more complex password, and enable only secure administrative access protocols. We also recommend that you restrict trusted hosts to IPs in your administrator's geographical area.
  Tip: For improved security, restrict all trusted host addresses to single IP addresses of computer(s) from which only this administrator will log in.

Access Profile
  Select a user-defined or predefined profile. The predefined profile named super_admin_prof is a special access profile used by the admin account. However, selecting this access profile will not confer all permissions of the admin account. For example, the new administrator would not be able to reset lost administrator passwords.
  Note: This option does not appear for the admin administrator account, which by definition always uses the super_admin_prof access profile.

Test Connectivity
  Test Connectivity: Select to test connectivity using the test username and password specified next. Click the Test button after you have saved the configuration.
  Username: Username for the connectivity test.
  Password: Corresponding password.
  Note: The FortiDDoS GUI may become unresponsive if any of the above configuration values (LDAP Server Configuration or Test Connectivity) are incorrect. In this case, refresh the browser to reconnect to the GUI.

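As an added example (not FortiDDoS code), the following models how a Trusted Hosts field is evaluated for a login source and audits a set of accounts for the unrestricted case that the Caution above warns about; the account names and addresses are constructed, and the three-entry limit is taken from the guideline text.

```python
import ipaddress

MAX_TRUSTED_ENTRIES = 3  # the guideline allows up to three trusted areas per administrator


def parse_trusted_hosts(field):
    """Parse the space-separated Trusted Hosts field into IPv4/IPv6 networks.
    Single hosts (/32, /128), subnets, or a mixture are all accepted."""
    nets = [ipaddress.ip_network(tok, strict=False) for tok in field.split()]
    if len(nets) > MAX_TRUSTED_ENTRIES:
        raise ValueError(f"at most {MAX_TRUSTED_ENTRIES} trusted entries, got {len(nets)}")
    return nets


def is_trusted(nets, source_ip):
    """True if the login source falls inside any trusted entry.
    An IPv4 address never matches an IPv6 network and vice versa."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in nets)


def is_unrestricted(nets):
    """True if the list contains 0.0.0.0/0 or ::/0, i.e. logins from anywhere."""
    return any(net.prefixlen == 0 for net in nets)


def audit_accounts(accounts):
    """accounts maps administrator name -> Trusted Hosts field (constructed data).
    Returns the names whose entries leave them unrestricted; per the Caution,
    a single such account forces the system to accept login attempts on every
    interface with remote administration enabled."""
    return sorted(name for name, field in accounts.items()
                  if is_unrestricted(parse_trusted_hosts(field)))
```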
To configure LDAP authentication using the CLI:

config system central authentication LDAP
  set state enable
  set server 172.30.153.101
  set cnid uid
  set dn ou=users,dc=fddos,dc=com
  set is-system-admin yes
  set dft-accprofile super_admin_prof
  set bind-type regular
  set User-DN cn=admin,dc=fddos,dc=com
  set password ENC KbfLKhxF2uEdh/uTVjeFaBHd5HuPxBLzeAdPW8yuziQd2lSL3ii2+tKae3P9HGACj9CxAbw9jR/h4QI+x4KgGGCDcpsFWf9LlOZRmIIMSbCIipQo
end
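The three bind types from the guidelines table, including the Regular flow configured in the CLI block above (bind with User DN and Password, search for the user under dn by cnid, then bind as the matched entry), modelled against a small constructed in-memory directory. This is an added illustration, not FortiDDoS or LDAP-library code; the directory entries, passwords and the anonymous-search policy flag are assumptions.

```python
# Constructed sample directory: DN -> attributes (not real accounts or passwords).
DIRECTORY = {
    "cn=admin,dc=fddos,dc=com": {"uid": "admin", "password": "bind-secret"},
    "uid=alice,ou=users,dc=fddos,dc=com": {"uid": "alice", "password": "alice-pw"},
    "uid=bob,ou=ops,dc=fddos,dc=com": {"uid": "bob", "password": "bob-pw"},
}
ANONYMOUS_SEARCH_ALLOWED = False  # assumed server policy; many directories deny this


def bind(dn, password):
    """Simulated LDAP bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["password"] == password


def search(base_dn, cnid, value, bound):
    """Subtree search for (cnid=value) under base_dn. An unbound (anonymous)
    search is refused unless the server allows it."""
    if not bound and not ANONYMOUS_SEARCH_ALLOWED:
        raise PermissionError("server does not allow anonymous search")
    return [dn for dn, e in DIRECTORY.items()
            if (dn == base_dn or dn.endswith("," + base_dn)) and e.get(cnid) == value]


def authenticate(bind_type, cnid, base_dn, username, password,
                 user_dn=None, bind_password=None):
    """Return True if username/password authenticates under the given bind type.
    cnid and base_dn correspond to the 'cnid' and 'dn' settings on this page."""
    if bind_type == "simple":
        # No search: the DN is composed from cnid and dn, so every user must sit
        # directly under the configured dn (the 'same branch' restriction).
        return bind(f"{cnid}={username},{base_dn}", password)
    if bind_type == "anonymous":
        found = search(base_dn, cnid, username, bound=False)
    elif bind_type == "regular":
        # Bind with the configured User DN and Password first, then search.
        if not bind(user_dn, bind_password):
            return False
        found = search(base_dn, cnid, username, bound=True)
    else:
        raise ValueError(f"unknown bind type: {bind_type}")
    # Require exactly one match, then bind as that entry with the user's password.
    return len(found) == 1 and bind(found[0], password)
```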
If you initially set is-system-admin to 'no' but later want to change it, you must first change dft-domain to SPP-0 and commit that change. Then configure the system admin setting.
For example:

config system authentication LDAP
  set dft-domain SPP-0
end
config system authentication LDAP
  set is-system-admin yes
end