Handbook
Configuring LDAP authentication

You can configure administrator authentication against a Lightweight Directory Access Protocol (LDAP) server.

After you have completed the LDAP server configuration and enabled it, you can select it when you create an administrator user on the System > Admin > Administrators page. On that page, you can specify the username but not the password. You can also specify the trusted host list and Admin (access) profile for that user.

Once LDAP is enabled, a series of checks is performed locally and at the LDAP server level. The diagram below illustrates the LDAP authentication flow.

The FortiDDoS-F does not currently support STARTTLS or Two-Factor Authentication (2FA).
Before you begin:
  • You must have Read-Write permission for System settings.
  • You must work with your LDAP administrator to determine an appropriate DN for FortiDDoS access. The LDAP administrator might need to provision a special group.
To configure an LDAP server:
  1. Go to System > Authentication > LDAP.
  2. Complete the configuration as described in the table below.
  3. Save the configuration.

Note: Using the Test Connectivity button with incorrectly configured LDAP settings results in a long period without a response. Configure LDAP carefully.


LDAP server configuration page

LDAP configuration guidelines

Status
  Enable/disable LDAP Authentication. This must be enabled to configure the LDAP Server Configuration settings.
LDAP Server Name/IP
  IP address of the LDAP server.
Port
  LDAP port. Default is TCP 389 for LDAP and STARTTLS, and TCP 636 for LDAPS.
  Note: FortiDDoS does not support CLDAP over UDP.
Common Name Identifier
  Common name (cn) attribute for the LDAP record. For example: cn or uid.
Distinguished Name
  Distinguished name (dn) attribute for the LDAP record. The dn uniquely identifies a user in the LDAP directory. For example:
  cn=John Doe,dc=example,dc=com
  Most likely, you must work with your LDAP administrator to know the appropriate DN to use for FortiDDoS access. The LDAP administrator might need to provision a special group.
Bind Type
  Select the Bind Type:
  • Simple - bind without user search. It can be used only if all the users belong to the same 'branch'.
  • Anonymous - bind with user search. It can be used when users are in different 'branches' and only if the server allows 'anonymous search'.
  • Regular - bind with user search. It can be used when users are in different 'branches' and the server does not allow 'anonymous search'.
User DN
  Enter the user Distinguished Name. (Available only when Bind Type is 'Regular'.)
Password
  Enter the password for the user. (Available only when Bind Type is 'Regular'.)

Test Connectivity

Test Connectivity
  Select to test connectivity using the test username and password specified next. Click the Test button after you have saved the configuration.
Username
  Username for the connectivity test.
Password
  Corresponding password.
Note: The FortiDDoS GUI may become unresponsive if any of the above configuration values (LDAP Server Configuration or Test Connectivity) are incorrect. In this case, refresh the browser to reconnect to the GUI.
To configure LDAP authentication using the CLI:

 config system authentication LDAP
   set state enable
   set server 172.30.153.101
   set port <usually 389>
   set cnid uid
   set dn ou=users,dc=fddos,dc=com
   set bind-type regular
   set User-DN cn=admin,dc=fddos,dc=com
   set password <password>
 end
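As an added example (not FortiDDoS or Fortinet code), the following Python models the three Bind Type flows from the table, Simple, Anonymous and Regular, against a constructed in-memory directory whose DNs reuse the dc=fddos,dc=com names from the CLI example; the FakeLdapServer class, its entries and its passwords are assumptions. It also shows two client-side checks any search-then-bind flow needs: escaping of the typed username in the search filter, and rejection of an empty password.

```python
import re

def escape_filter_value(value):
    """RFC 4515 escaping so a typed username cannot alter the search filter."""
    return re.sub(r'[\\*()\x00]', lambda m: '\\%02x' % ord(m.group()), value)

class FakeLdapServer:
    """Constructed stand-in for a directory: DN -> attribute dict (assumption)."""
    def __init__(self, entries, allow_anonymous_search):
        self.entries, self.allow_anon = entries, allow_anonymous_search

    def bind(self, dn, password):
        if dn is None:                        # anonymous bind
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry['userPassword'] == password

    def search(self, base, ldap_filter, bound_as):
        if bound_as is None and not self.allow_anon:
            raise PermissionError('anonymous search is disabled')
        attr, raw = re.fullmatch(r'\((\w+)=(.*)\)', ldap_filter).groups()
        value = re.sub(r'\\([0-9a-f]{2})', lambda m: chr(int(m.group(1), 16)), raw)
        return [dn for dn, a in self.entries.items()
                if dn.endswith(',' + base) and a.get(attr) == value]

def authenticate(server, cfg, username, password):
    """True only if the user binds successfully under cfg['bind_type']."""
    if password == '':
        # RFC 4513 5.1.2: DN + empty password is an 'unauthenticated' bind; reject it
        return False
    if cfg['bind_type'] == 'simple':
        # no search: the DN is composed from the cnid value and the base dn
        user_dn = '%s=%s,%s' % (cfg['cnid'], username, cfg['dn'])
    else:
        # anonymous or regular: locate the user's DN under the base dn first
        searcher = cfg['user_dn'] if cfg['bind_type'] == 'regular' else None
        if searcher and not server.bind(searcher, cfg['password']):
            return False                      # bad User DN / Password
        flt = '(%s=%s)' % (cfg['cnid'], escape_filter_value(username))
        hits = server.search(cfg['dn'], flt, searcher)
        if len(hits) != 1:                    # unknown or ambiguous user
            return False
        user_dn = hits[0]
    return server.bind(user_dn, password)     # always rebind as the user

# constructed sample directory reusing the dc=fddos,dc=com names from the CLI
DIRECTORY = FakeLdapServer({
    'uid=jdoe,ou=users,dc=fddos,dc=com': {'uid': 'jdoe', 'userPassword': 'S3cret!'},
    'uid=asmith,ou=ops,dc=fddos,dc=com': {'uid': 'asmith', 'userPassword': 'pw2'},
    'cn=admin,dc=fddos,dc=com': {'cn': 'admin', 'userPassword': 'bindpw'},
}, allow_anonymous_search=False)
```

With a Simple bind, asmith in ou=ops can never log in because the composed DN lands in ou=users; with the Anonymous type the same directory raises PermissionError because anonymous search is disabled, which is the case the Regular type exists for.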
