Administration Guide

LDAP authentication

Lightweight Directory Access Protocol (LDAP) authentication is an open, industry-standard application protocol for accessing and maintaining distributed directory information services over an IP network. LDAP provides a central place to store usernames and passwords. This enables many different applications and services to connect to an LDAP server to validate users. This has a major benefit that allows a central place to update and change user passwords.

When LDAP authentication is enabled in FortiEDR, whenever a user attempts to log in to FortiEDR, the system looks for that user name and password in the central directory, instead of within the FortiEDR directory. If the user is not found on the LDAP server, the system checks whether the user is defined locally (under Admin > User Settings).

Before you start this configuration, make sure that your FortiEDR deployment includes an on-premise Core that has connectivity to the LDAP server. Details about how to install a FortiEDR on-premise Core can be found in Setting up the FortiEDR Core.

To set up LDAP authentication in FortiEDR:
  1. Click the LDAP AUTHENTICATION button.

    The following window displays:

  2. Fill in the following fields:

    Field

    Definition

    LDAP Enabled

    Check this checkbox to enable LDAP authentication in FortiEDR.

    On Premise Core

    Select the on-premise FortiEDR Core that is to communicate with the LDAP server.

    Directory Type

    Specify the type of central directory in use. FortiEDR supports Active Directory and OpenLDAP. The default is Active Directory.

    Server Host

    Specify the IP address of your LDAP server.

    Security Level

    Specify the protocol to be used for the secured connection: TLS, SSL, or None.

    Port

    This value depends on the security protocol that was selected.

    Bind DN and Bind Password

    Specify the user and password for the authentication of FortiEDR in the Central Directory.

    Base DN

    Specify the location in the Central Directory hierarchy where the groups used for permission mapping can be found. For example, the DN of the domain root always works, but searching from there results in low performance.

    User Group Name/Local Admin Group Name/Admin Group Name/API Group Name

    Specify the name of the group, as it is defined in your central directory (Active Directory or OpenLDAP), that is to be granted FortiEDR permissions. Be sure to specify a name for the User, Local Admin, Admin, and API groups. Each of these groups corresponds to a different role in FortiEDR.

    For example:

    To give the user John user permissions in FortiEDR (for both the FortiEDR application and the RESTful APIs), assign John to a FortiEDRUsers group that is defined in your Central Directory. Then, specify FortiEDRUsers in the text box next to User Group Name in the LDAP configuration page of the FortiEDR management UI. During authentication, FortiEDR determines the relevant role for the user John by checking that John exists in the Central Directory and that the password entered in the FortiEDR login page matches the password in the Central Directory. If both checks pass, FortiEDR looks at the FortiEDRUsers group to which John is assigned and, in this case, grants the User role permissions.

  3. If users must use two-factor authentication to log in, check the Require two-factor authentication for LDAP logins checkbox. For more details about two-factor login, see Two-factor authentication.
    Note

    Click the Reset 2FA Token button to reset the two-factor authentication token for a specific user. This process works in the same way as described in Resetting a user password.

  4. Click Save.
    Note

    Users in Active Directory must not have a backslash (\) in the user name, in order for the name to be supported by the FortiEDR Console. In some cases in Active Directory, a backslash is added when there is a space between a user’s first and last names. For example, CN=Yell\,.
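The login flow described on this page (directory lookup first, local fallback only when the user is not found, role taken from group membership under the Base DN, backslash names unsupported) modelled as an added Python example. This is not FortiEDR code: the directory, local user store, group names and passwords are constructed stand-ins, and a real deployment verifies the password with an LDAP bind rather than a dictionary lookup.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class LdapConfig:
    base_dn: str
    group_names: dict  # FortiEDR role -> group name entered on the LDAP page

    def roles_for(self, member_of):
        """Map the user's memberOf DNs to FortiEDR roles; only groups under Base DN count."""
        roles = set()
        for dn in member_of:
            if not dn.lower().endswith(self.base_dn.lower()):
                continue  # outside the configured Base DN, so never searched
            rdn_type, _, cn = dn.split(",", 1)[0].partition("=")
            if rdn_type.strip().upper() != "CN":
                continue
            for role, group in self.group_names.items():
                if cn.strip() == group:
                    roles.add(role)
        return sorted(roles)


def is_supported_user_name(name):
    """The note above: AD user names containing a backslash are not supported."""
    return "\\" not in name


def authenticate(username, password, cfg, directory, local_users):
    """Return the roles granted to a login, or [] when it fails.

    Order follows the page: the central directory is checked first; only a user
    that is not found there falls back to the local FortiEDR user store.
    """
    if not is_supported_user_name(username):
        return []
    entry = directory.get(username)  # stand-in for the search under Base DN
    if entry is not None:
        if not hmac.compare_digest(entry["password"], password):
            return []  # wrong directory password: no fallback to local users
        return cfg.roles_for(entry["memberOf"])
    local = local_users.get(username)
    if local is not None and hmac.compare_digest(local["password"], password):
        return [local["role"]]
    return []


# Constructed sample data (hypothetical names, not from any real directory).
CFG = LdapConfig("DC=example,DC=com", {"User": "FortiEDRUsers", "Local Admin": "FortiEDRLocalAdmins",
                                       "Admin": "FortiEDRAdmins", "API": "FortiEDRApi"})
DIRECTORY = {
    "john": {"password": "s3cret", "memberOf": ["CN=FortiEDRUsers,OU=Groups,DC=example,DC=com"]},
    "alice": {"password": "pa55", "memberOf": ["CN=FortiEDRAdmins,OU=Groups,DC=example,DC=com",
                                               "CN=FortiEDRApi,OU=Groups,DC=example,DC=com",
                                               "CN=FortiEDRUsers,DC=other,DC=com"]},  # outside Base DN
    "bob": {"password": "ldap-pw", "memberOf": []},
}
LOCAL_USERS = {"bob": {"password": "local-pw", "role": "Local Admin"},
               "carol": {"password": "c4rol", "role": "User"}}
```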
