Configuring LDAP authentication
You can configure administrator authentication against a Lightweight Directory Access Protocol (LDAP) server.
After you have completed the LDAP server configuration and enabled it, you can select it when you create an administrator user on the System > Admin > Administrators page. On that page, you can specify the username but not the password. You can also specify the trusted host list and Admin (access) profile for that user.
Once LDAP is enabled, a series of checks is performed locally and at the LDAP server level. The diagram below illustrates the LDAP authentication flow.
The FortiDDoS-F does not currently support STARTTLS or Two-Factor Authentication (2FA).
Before you begin:
- You must have Read-Write permission for System settings.
- You must work with your LDAP administrator to determine an appropriate DN for FortiDDoS access. The LDAP administrator might need to provision a special group.
To configure an LDAP server:
- Go to System > Authentication > LDAP.
- Complete the configuration as described in the table below.
- Save the configuration.
Note: Using the Test Connectivity button with incorrectly configured LDAP settings will result in a long period without a response. Configure LDAP carefully.
LDAP server configuration page
Settings | Guidelines |
---|---|
Status | Enable/disable LDAP authentication. This must be enabled to configure the LDAP Server Configuration settings. |
LDAP Server Name/IP | IP address of the LDAP server. |
Port | LDAP port. Default is TCP 389 for LDAP and STARTTLS, and TCP 636 for LDAPS. Note: FortiDDoS does not support CLDAP over UDP. |
Common Name Identifier | Common name (cn) attribute for the LDAP record. For example: cn or uid. |
Distinguished Name | Distinguished name (dn) attribute for the LDAP record. The dn uniquely identifies a user in the LDAP directory. For example: cn=John Doe,dc=example,dc=com. Most likely, you must work with your LDAP administrator to know the appropriate DN to use for FortiDDoS access. The LDAP administrator might need to provision a special group. |
Bind Type | Select the Bind Type. With 'Regular', FortiDDoS binds to the server using the User DN and Password below. |
User DN | Enter the user Distinguished Name. (Available only when Bind Type is 'Regular'.) |
Password | Enter the password for the user. (Available only when Bind Type is 'Regular'.) |

Test Connectivity

Settings | Guidelines |
---|---|
Test Connectivity | Select to test connectivity using the test username and password specified next. Click the Test button after you have saved the configuration. |
Username | Username for the connectivity test. |
Password | Corresponding password. |

Note: The FortiDDoS GUI may become unresponsive if any of the above configuration values (LDAP Server Configuration or Test Connectivity) are incorrect. In this case, refresh the browser to reconnect to the GUI.
To configure LDAP authentication using the CLI:
```
config system authentication LDAP
  set state enable
  set server 172.30.153.101
  set port <usually 389>
  set cnid uid
  set dn ou=users,dc=fddos,dc=com
  set bind-type regular
  set User-DN cn=admin,dc=fddos,dc=com
  set password <password>
end
```
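The 'Regular' bind described in the table and in the CLI example above, as an added example that is not Fortinet's code: a small Python pre-flight check that performs the same LDAPv3 simple bind with a User DN and password. It hand-encodes the BindRequest and decodes the BindResponse (RFC 4511 BER framing) so it needs only the standard library, and it talks to an in-process fake directory so it runs offline. `check_regular_bind`, `start_fake_directory`, the DN and the password are constructed for this example; point `check_regular_bind` at the real server and port from the CLI example to confirm the bind account works before saving the configuration. The socket timeout is what makes it return promptly on a wrong address or port, the failure mode the notes above describe for the Test Connectivity button. A simple bind carries the password in the clear on TCP 389, which is what the LDAPS port (636) avoids.

```python
import socket
import threading

LDAP_SUCCESS = 0                 # resultCode values defined in RFC 4511
LDAP_INVALID_CREDENTIALS = 49

ADMIN_DN = "cn=admin,dc=fddos,dc=com"         # constructed; mirrors the page's CLI example
ADMIN_PW = "constructed-example-password"     # constructed

def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_uint(tag, value):
    # non-negative INTEGER/ENUMERATED; the extra byte keeps the sign bit clear when needed
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def read_tlv(buf, pos=0):
    """Return (tag, contents, next_pos) for the BER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def bind_request(msg_id, dn, password):
    """LDAPMessage{messageID, [APPLICATION 0] BindRequest{version 3, name, simple [0] password}}."""
    op = tlv(0x60, ber_uint(0x02, 3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_uint(0x02, msg_id) + op)

def bind_response(msg_id, code, diag=""):
    """LDAPMessage{messageID, [APPLICATION 1] BindResponse{resultCode, matchedDN, diagnosticMessage}}."""
    op = tlv(0x61, ber_uint(0x0A, code) + tlv(0x04, b"") + tlv(0x04, diag.encode()))
    return tlv(0x30, ber_uint(0x02, msg_id) + op)

def parse_bind_request(msg):
    _, body, _ = read_tlv(msg)
    _, mid, pos = read_tlv(body)
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _, pos = read_tlv(op)                   # protocol version, not checked here
    _, name, pos = read_tlv(op, pos)
    auth_tag, cred, _ = read_tlv(op, pos)
    if auth_tag != 0x80:
        raise ValueError("only simple authentication is handled")
    return int.from_bytes(mid, "big"), name.decode(), cred.decode()

def parse_bind_response(msg):
    _, body, _ = read_tlv(msg)
    _, mid, pos = read_tlv(body)
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(op)
    _, _, pos = read_tlv(op, pos)              # matchedDN, not used here
    _, diag, _ = read_tlv(op, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()

def recv_message(sock):
    """Read one whole LDAPMessage by decoding the outer SEQUENCE length first."""
    f = sock.makefile("rb")
    head = f.read(2)
    length, extra = head[1], b""
    if length & 0x80:
        extra = f.read(length & 0x7F)
        length = int.from_bytes(extra, "big")
    return head + extra + f.read(length)

def check_regular_bind(server, port, user_dn, password, timeout=5.0):
    """Simple bind as the appliance does for Bind Type 'regular'; the timeout bounds the wait."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(bind_request(1, user_dn, password))
        _, code, diag = parse_bind_response(recv_message(s))
    return code, diag

def start_fake_directory(accounts):
    """Minimal stand-in LDAP server answering simple binds from a DN -> password map; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    mid, dn, pw = parse_bind_request(recv_message(conn))
                except (ValueError, IndexError, OSError):
                    continue
                ok = accounts.get(dn) == pw
                conn.sendall(bind_response(mid, LDAP_SUCCESS) if ok else
                             bind_response(mid, LDAP_INVALID_CREDENTIALS, "invalidCredentials"))
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    """Bind once with the right password and once with a wrong one against the fake directory."""
    port = start_fake_directory({ADMIN_DN: ADMIN_PW})
    good = check_regular_bind("127.0.0.1", port, ADMIN_DN, ADMIN_PW)
    bad = check_regular_bind("127.0.0.1", port, ADMIN_DN, "wrong-password")
    return good, bad
```

`demo()` returns `((0, ''), (49, 'invalidCredentials'))`: resultCode 0 is success and 49 is invalidCredentials, the two answers a directory gives to the bind the appliance performs with the User DN and Password fields. Against a real server, a wrong Port or LDAP Server Name/IP surfaces as a connection error or a timeout from `check_regular_bind` rather than an unresponsive GUI.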