Configuring LDAP authentication

You can configure administrator authentication against a Lightweight Directory Access Protocol (LDAP) server.

After you have completed the LDAP server configuration and enabled it, you can select it when you create an administrator user on the System > Admin > Administrators page. When LDAP is selected, no local password option is available. You can also specify the trusted host list and the Admin (access) profile for that user. For more details about creating an administrator user, see the Administrators page documentation.

FortiDDoS supports LDAPS and STARTTLS with an appropriate (non-default) security certificate.

Note 1: Any access profile (read-only, read-write or none, in any combination) is usable for GUI users. CLI users must have the “super_admin_prof” profile or they will be rejected.

Note 2: A local username is required for GUI and CLI access. A user who presents valid LDAP credentials but has no matching local username is refused at the CLI. Because of an anomaly in the GUI code, such a user can log in to the GUI, but every page is empty of configuration information and there is no write access.

Once LDAP is enabled, a series of checks is performed locally and at the LDAP server level. The diagram below illustrates the LDAP authentication flow.

The FortiDDoS-F does not support Two Factor Authentication (2FA) for LDAP.

Before you begin:
  • You must have Read-Write permission for System settings.
  • You must work with your LDAP administrator to determine an appropriate DN for FortiDDoS access. The LDAP administrator might need to provision a special group.

To configure an LDAP server:
  1. Go to System > Authentication > LDAP.
  2. Complete the configuration as described in the table below.
  3. Save the configuration.

Note: Using the Test Connectivity button with incorrectly configured LDAP settings will result in a long period without a response. Configure LDAP carefully.

Figure: LDAP server configuration page

LDAP configuration guidelines

Status: Enable/disable LDAP Authentication. This must be enabled to configure the LDAP Server Configuration settings.

LDAP Server Name/IP: IP address of the LDAP server.

Port: LDAP port. Default is TCP 389 for LDAP and STARTTLS, and TCP 636 for LDAPS. Note: FortiDDoS does not support CLDAP over UDP.

Common Name Identifier: Common name (cn) attribute for the LDAP record. For example: cn or uid.

Distinguished Name: Distinguished name (dn) attribute for the LDAP record. The dn uniquely identifies a user in the LDAP directory. For example:
cn=John Doe,dc=example,dc=com
Most likely, you must work with your LDAP administrator to know the appropriate DN to use for FortiDDoS access. The LDAP administrator might need to provision a special group.

Bind Type: Select the Bind Type:
  • Simple — bind without user search. It can be used only if all the users belong to the same 'branch'.
  • Anonymous — bind with user search. It can be used when users are in different 'branches' and only if the server allows 'anonymous search'.
  • Regular — bind with user search. It can be used when users are in different 'branches' and the server does not allow 'anonymous search'.

User DN: Enter the user Distinguished Name. (Available only when Bind Type is 'Regular'.)

Password: Enter the password for the user. (Available only when Bind Type is 'Regular'.)

Secure Connection: Select the security type:
  • Disable — no encryption; LDAP messages, including the bind credentials, are sent in cleartext.
  • LDAPS — encrypted.
  • STARTTLS — encrypted.

LDAP over SSL (LDAPS) and STARTTLS are used to encrypt LDAP messages in the authentication process. LDAPS establishes an encrypted SSL/TLS connection before any LDAP message is exchanged and requires a separate port, commonly 636. The STARTTLS extended operation is the LDAPv3 standard mechanism for enabling TLS (SSL) data confidentiality protection: the client uses an LDAPv3 extended operation to upgrade an already established (cleartext) LDAP connection on the normal port to an encrypted SSL/TLS connection.

CA Profile: A non-default certificate must be available to use LDAPS or STARTTLS.

Test Connectivity: Select to test connectivity using the test username and password specified next. Click the Test button after you have saved the configuration.

Username: Username for the connectivity test.

Password: Corresponding password.

Note: The FortiDDoS GUI may become unresponsive if any of the above configuration values (LDAP Server Configuration or Test Connectivity) are incorrect. In this case, refresh the browser to reconnect to the GUI.
To configure LDAP authentication using the CLI:

config system authentication LDAP
  set state enable
  set server 172.30.153.101
  set port <usually 389>
  set cnid uid
  set dn ou=users,dc=fddos,dc=com
  set bind-type regular
  set User-DN cn=admin,dc=fddos,dc=com
  set password <password>
  set secure {disable | ldaps | starttls}
  set ca-profile <datasource>
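The following Python model is an added illustration, not Fortinet code, of how the three Bind Types resolve a login name to a DN before checking the password, and why the guidelines restrict Simple bind to a single 'branch' and Anonymous bind to servers that allow anonymous search. The in-memory directory, its entries (alice, bob, the svc-fortiddos service account) and the allow_anonymous_search switch are constructed here; the parameter names cnid, dn, bind_type and user_dn mirror the CLI settings above.

```python
"""Model of the three FortiDDoS LDAP bind types against an in-memory directory.

Added illustration, not Fortinet code. The directory entries, the service
account and the allow_anonymous_search switch are constructed; the parameter
names (cnid, dn, bind_type, user_dn) mirror the FortiDDoS CLI settings.
"""
from dataclasses import dataclass


@dataclass
class ToyDirectory:
    """Constructed stand-in for an LDAP server: DN -> entry attributes."""
    entries: dict
    allow_anonymous_search: bool = True

    def bind(self, dn, password):
        """LDAP bind: succeeds only if the DN exists and the password matches.
        An empty DN with an empty password is an anonymous bind."""
        if dn == "" and password == "":
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry["password"] == password

    def search(self, base_dn, attr, value, bound_as):
        """Subtree search for attr=value below base_dn, returning matching DNs.
        Refused for anonymous clients when anonymous search is disabled."""
        if bound_as == "" and not self.allow_anonymous_search:
            raise PermissionError("server does not allow anonymous search")
        suffix = "," + base_dn.lower()
        return [entry_dn for entry_dn, entry in self.entries.items()
                if entry_dn.lower().endswith(suffix) and entry.get(attr) == value]


def authenticate(directory, username, password, *, cnid, dn, bind_type,
                 user_dn="", user_password=""):
    """Resolve username to a DN the way the chosen Bind Type does, then bind as it.

    Returns (ok, reason) so a caller can see which step rejected the login.
    """
    if bind_type == "simple":
        # No search: the DN is assembled from cnid, username and the base dn, so
        # every user must sit directly under dn (the same 'branch').
        candidate = f"{cnid}={username},{dn}"
        return directory.bind(candidate, password), f"simple bind as {candidate}"

    if bind_type == "anonymous":
        bound_as = ""  # anonymous bind, then search for the user
        directory.bind(bound_as, "")
    elif bind_type == "regular":
        # Bind with the service account (User DN / Password) before searching.
        if not directory.bind(user_dn, user_password):
            return False, "service account bind failed"
        bound_as = user_dn
    else:
        raise ValueError(f"unknown bind type {bind_type!r}")

    try:
        matches = directory.search(dn, cnid, username, bound_as)
    except PermissionError as exc:
        return False, str(exc)
    if len(matches) != 1:
        return False, f"{cnid}={username}: expected one entry, found {len(matches)}"
    # Re-bind as the user's own DN; this is the step that checks the password.
    return directory.bind(matches[0], password), f"bind as {matches[0]}"


# Constructed sample directory: alice is directly under the base dn, bob is in
# a sub-branch, and svc-fortiddos is the service account used by Regular bind.
BASE_DN = "ou=users,dc=example,dc=com"
SERVICE_DN = "cn=svc-fortiddos,ou=service,dc=example,dc=com"
SAMPLE_ENTRIES = {
    SERVICE_DN: {"password": "svc-secret"},
    "uid=alice,ou=users,dc=example,dc=com": {"password": "alice-pw", "uid": "alice"},
    "uid=bob,ou=contractors,ou=users,dc=example,dc=com": {"password": "bob-pw", "uid": "bob"},
}


def demo():
    """Run each bind type against the sample directory; returns {label: accepted}."""
    open_dir = ToyDirectory(dict(SAMPLE_ENTRIES), allow_anonymous_search=True)
    locked_dir = ToyDirectory(dict(SAMPLE_ENTRIES), allow_anonymous_search=False)
    common = dict(cnid="uid", dn=BASE_DN)
    svc = dict(user_dn=SERVICE_DN, user_password="svc-secret")
    return {
        "simple/alice": authenticate(open_dir, "alice", "alice-pw", bind_type="simple", **common)[0],
        "simple/bob": authenticate(open_dir, "bob", "bob-pw", bind_type="simple", **common)[0],
        "anonymous/bob": authenticate(open_dir, "bob", "bob-pw", bind_type="anonymous", **common)[0],
        "anonymous/bob/no-anon-search": authenticate(locked_dir, "bob", "bob-pw", bind_type="anonymous", **common)[0],
        "regular/bob": authenticate(locked_dir, "bob", "bob-pw", bind_type="regular", **common, **svc)[0],
        "regular/bob/wrong-pw": authenticate(locked_dir, "bob", "wrong", bind_type="regular", **common, **svc)[0],
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:32} {'accepted' if ok else 'rejected'}")
```

Running the script shows bob (who lives in a sub-branch) rejected by Simple bind but accepted by Anonymous bind, Anonymous bind failing as soon as the server refuses anonymous search, and Regular bind succeeding there only because the service account can search; a wrong user password, or a wrong service-account password, is rejected before any user bind happens. The same three outcomes are what the Test Connectivity button exercises against a real server.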
