Fortinet black logo

Administration Guide

Home FortiEDR/XDR 5.2.1 Administration Guide
5.2.1
6.2.0
6.0.0
5.2.1
5.2.0
5.1.0
5.0.0
4.2.0
4.1.1
4.1.0

LDAP authentication

LDAP authentication

Lightweight Directory Access Protocol (LDAP) authentication is an open, industry-standard application protocol for accessing and maintaining distributed directory information services over an IP network. LDAP provides a central place to store usernames and passwords. This enables many different applications and services to connect to an LDAP server to validate users. This has a major benefit that allows a central place to update and change user passwords.

When LDAP authentication is enabled in FortiEDR, whenever a user attempts to log in to FortiEDR, the system looks for that user name and password in the central directory, instead of within the FortiEDR directory. If the user is not found on the LDAP server, the system checks whether the user is defined locally (under Administration > Users > Local Users).

Before you start firewall configuration, make sure that your FortiEDR deployment includes an on-premise Core that has connectivity to the LDAP server. Details about how to install a FortiEDR on-premise Core can be found in Setting up a FortiEDR Core as a Jumpbox.

To set up LDAP authentication in FortiEDR:
  1. Click the LDAP AUTHENTICATION button.

    The following window displays:

  2. Fill in the following fields:

    Field

    Definition

    LDAP EnabledCheck this checkbox to enable LDAP authentication in FortiEDR.
    JumpBoxSelect the FortiEDR Core to communicate with the LDAP server. Only FortiEDR Cores configured with JumpBox functionality appear in the list. If no such core exists in the system, the list is empty and FortiEDR displays a warning message.
    Directory TypeSpecify the type of central directory in use. FortiEDR supports Active Directory and OpenLDAP. The default is Active Directory.
    Server HostSpecify the IP address of your LDAP server.
    Security LevelSpecify the protocol to be used for the secured connection: TLS, SSL, or None.
    Server PortThis value is dependent on the security protocol that was selected.

    Bind User DN/Bind Password

    Specify the user and password for the authentication of FortiEDR in the Central Directory.

    Role/Group mapping

    Specify the base DN and define group/role mapping and permissions of the group:

    1. In Base DN, specify the location in the Central Directory hierarchy where the Groups that are used for permission mapping can be found. For example, the DN for the root of the domain should always work, but results in low performance.
    2. Click Add group.
    3. Define group/role mapping and permissions of the group:

      1. In the Group field, specify the name of the group, as it is defined in your central directory (Active Directory or OpenLDAP), that is to be granted FortiEDR permissions. You can specify multiple groups in this field by separating them with commas. For example, group_name1, group_name2.
      2. Under Role, select a role from the list. See Users for more information about the roles.
      3. Under Advanced, enable any additional privileges for the group. Some options are role-dependent.
    4. Click Add group and repeat step 2 for each role you want to map to a group or multiple groups.

    For example:

    To give the user John Admin permissions in FortiEDR (for both the FortiEDR application and the RESTful APIs), assign John to a FortiEDRUsers group that is defined in your Central Directory:

    1. Specify FortiEDRUsers under Group.
    2. Select Admin under Role.
    3. Check the Rest API checkbox under Advanced.

    During authentication, FortiEDR determines the relevant role for the user John by checking that the Central Directory exists and that the password used in the FortiEDR login page matches the password in the Central Directory. If both exist and are correct, then FortiEDR checks the FortiEDRUsers group to which John is assigned and in this case, and matches the user role permissions.

  3. If users must use two-factor authentication to log in, check the Require two-factor authentication for LDAP logins checkbox. For more details about two-factor login, see the Two-factor Authentication section in Two-factor authentication.
    Note

    Click the Reset 2FA Token button to reset the two-factor authentication token for a specific user. This process works in the same way as described in Resetting a user password.

  4. Click Save.
    Note

    Users in Active Directory must not have a backslash (\) in the user name, in order for the name be supported by the FortiEDR Console. In some cases in Active Directory, a backslash is added when there is a space between a user’s first and last names. For example, CN=Yell\,.

Previous
Next

LDAP authentication

Lightweight Directory Access Protocol (LDAP) authentication is an open, industry-standard application protocol for accessing and maintaining distributed directory information services over an IP network. LDAP provides a central place to store usernames and passwords. This enables many different applications and services to connect to an LDAP server to validate users. This has a major benefit that allows a central place to update and change user passwords.

When LDAP authentication is enabled in FortiEDR, whenever a user attempts to log in to FortiEDR, the system looks for that user name and password in the central directory, instead of within the FortiEDR directory. If the user is not found on the LDAP server, the system checks whether the user is defined locally (under Administration > Users > Local Users).

Before you start firewall configuration, make sure that your FortiEDR deployment includes an on-premise Core that has connectivity to the LDAP server. Details about how to install a FortiEDR on-premise Core can be found in Setting up a FortiEDR Core as a Jumpbox.

To set up LDAP authentication in FortiEDR:
  1. Click the LDAP AUTHENTICATION button.

    The following window displays:

  2. Fill in the following fields:

    Field

    Definition

    LDAP EnabledCheck this checkbox to enable LDAP authentication in FortiEDR.
    JumpBoxSelect the FortiEDR Core to communicate with the LDAP server. Only FortiEDR Cores configured with JumpBox functionality appear in the list. If no such core exists in the system, the list is empty and FortiEDR displays a warning message.
    Directory TypeSpecify the type of central directory in use. FortiEDR supports Active Directory and OpenLDAP. The default is Active Directory.
    Server HostSpecify the IP address of your LDAP server.
    Security LevelSpecify the protocol to be used for the secured connection: TLS, SSL, or None.
    Server PortThis value is dependent on the security protocol that was selected.

    Bind User DN/Bind Password

    Specify the user and password for the authentication of FortiEDR in the Central Directory.

    Role/Group mapping

    Specify the base DN and define group/role mapping and permissions of the group:

    1. In Base DN, specify the location in the Central Directory hierarchy where the Groups that are used for permission mapping can be found. For example, the DN for the root of the domain should always work, but results in low performance.
    2. Click Add group.
    3. Define group/role mapping and permissions of the group:

      1. In the Group field, specify the name of the group, as it is defined in your central directory (Active Directory or OpenLDAP), that is to be granted FortiEDR permissions. You can specify multiple groups in this field by separating them with commas. For example, group_name1, group_name2.
      2. Under Role, select a role from the list. See Users for more information about the roles.
      3. Under Advanced, enable any additional privileges for the group. Some options are role-dependent.
    4. Click Add group and repeat step 2 for each role you want to map to a group or multiple groups.

    For example:

    To give the user John Admin permissions in FortiEDR (for both the FortiEDR application and the RESTful APIs), assign John to a FortiEDRUsers group that is defined in your Central Directory:

    1. Specify FortiEDRUsers under Group.
    2. Select Admin under Role.
    3. Check the Rest API checkbox under Advanced.

    During authentication, FortiEDR determines the relevant role for the user John by checking that the Central Directory exists and that the password used in the FortiEDR login page matches the password in the Central Directory. If both exist and are correct, then FortiEDR checks the FortiEDRUsers group to which John is assigned and in this case, and matches the user role permissions.

  3. If users must use two-factor authentication to log in, check the Require two-factor authentication for LDAP logins checkbox. For more details about two-factor login, see the Two-factor Authentication section in Two-factor authentication.
    Note

    Click the Reset 2FA Token button to reset the two-factor authentication token for a specific user. This process works in the same way as described in Resetting a user password.

  4. Click Save.
    Note

    Users in Active Directory must not have a backslash (\) in the user name, in order for the name be supported by the FortiEDR Console. In some cases in Active Directory, a backslash is added when there is a space between a user’s first and last names. For example, CN=Yell\,.

Previous
Next