Configuring LDAP authentication
You can configure administrator authentication against a Lightweight Directory Access Protocol (LDAP) server.
After you have completed the LDAP server configuration and enabled it, you can select it when you create an administrator user on the System > Admin > Administrators page. When LDAP is selected, no local password option is available. You can also specify the trusted host list and Admin (access) profile for that user. For more details about creating a user profile, see here.
FortiDDoS supports LDAPS and STARTTLS with an appropriate (non-default) security certificate.
Note 1: Any access profile (read-only, read-write or none combinations) is usable for GUI users. CLI users must have “super_admin_prof” Profile or they will be rejected.
Note 2: A local username is required for GUI and CLI access. Anyone attempting to access the system without a local username, but valid LDAP credentials, will be refused via CLI. An anomaly in the GUI code will allow non-local valid users access to the GUI but pages will be empty of any configuration information and there will be no write access.
Once LDAP is enabled, a series of checks is performed locally and at the LDAP server level. The diagram below illustrates the LDAP authentication flow.
The FortiDDoS-F does not support Two Factor Authentication (2FA) for LDAP. |
Before you begin:
- You must have Read-Write permission for System settings.
- You must work with your LDAP administrator to determine an appropriate DN for FortiDDoS access. The LDAP administrator might need to provision a special group.
To configure an LDAP server:
- Go to System > Authentication > LDAP.
- Complete the configuration as described in the table below.
- Save the configuration.
Note: Using the Test Connectivity button with incorrectly-configured LDAP settings will result in a long period without a response. Configure LDAP carefully.
LDAP server configuration page
Settings | Guidelines |
---|---|
Status | Enable/disable LDAP Authentication. This must be enabled to configure the LDAP Server Configuration settings. |
LDAP Server Name/IP | IP address of the LDAP server. |
Port | LDAP port. Default is TCP 389 for LDAP and STARTTLS, and TCP 636 for LDAPS. Note: FortiDDoS does not support CLDAP over UDP. |
Common Name Identifier |
Common name (cn) attribute for the LDAP record. For example: cn or uid . |
Distinguished Name | Distinguished name (dn) attribute for the LDAP record. The dn uniquely identifies a user in the LDAP directory. For example: cn=John%20Doe,dc=example,dc=com Most likely, you must work with your LDAP administrator to know the appropriate DN to use for FortiDDoS access. The LDAP administrator might need to provision a special group. |
Bind Type |
Select the Bind Type:
|
User DN | Enter the user Distinguished Name. (Available only when Bind Type is 'Regular'.) |
Password | Enter the password for the user. (Available only when Bind Type is 'Regular'.) |
Secure Connection |
Select the security type:
LDAP over SSL (LDAPS) and StartTLS are used to encrypt LDAP messages in the authentication process. LDAPS is a mechanism for establishing an encrypted SSL/TLS connection for LDAP. It requires the use of a separate port, commonly 636. STARTTLS extended operation is LDAPv3 standard mechanism for enabling TLS (SSL) data confidentiality protection. The mechanism uses an LDAPv3 extended operation to establish an encrypted SSL/TLS connection within an already established LDAP connection. |
CA Profile |
A non-default certificate must be available to use LDAPS or STARTTLS. |
Test Connectivity |
|
Test Connectivity | Select to test connectivity using a test username and password specified next. Click the Test button after you have saved the configuration. |
Username | Username for the connectivity test. |
Password | Corresponding password. |
Note: FortiDDoS GUI may become unresponsive if any of the above configuration values (LDAP Server Configuration or Test Connectivity) are incorrect. In this case, refresh the browser to reconnect to the GUI. |
To configure LDAP authentication using the CLI:
config system authentication LDAP set state enable set server 172.30.153.101 set port <usually 389> set cnid uid set dn ou=users,dc=fddos,dc=com set bind-type regular set User-DN cn=admin,dc=fddos,dc=com set password <password> set secure {disable | ldaps | starttls} set ca-profile <datasource> |