Fortinet Document Library

Version:


Table of Contents

New Features

6.2.0
Download PDF
Copy Link

LDAP connector to get more user information from user login IDs  6.2.1

This features collects additional information about authenticated FSSO users, and makes that information available on multiple GUI pages, including:

  • FortiView > Sources
  • FortiView > Policies
  • Log & Report > Forward Traffic
  • User & Device > Device Inventory
  • Monitor > Firewall User Monitor

This features requires that FSSO is configured on the FortiGate. To view the user information on pages other than Firewall monitor, Device Detection must be enabled on the interface.

The user-info-server variable in user FSSO configuration is used to select the LDAP server that is used for retrieving user information. After a valid FSSO user is authenticated, the FortiGate will try to get additional user information from the LDAP server.

To configure the user:
  1. Configure the LDAP user:
    config user ldap
        edit "AD-LDAP"
            set server "10.1.100.131"
            set server-identity-check disable
            set cnid "cn"
            set dn "dc=fortinet-fsso,dc=com"
            set type regular
            set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com"
            set password ENC MTAwNIJ4Fk+smJ/CVOuEG2Pjphc5nzumAuRTGjEWiWny1qOB3UYLgYJovcNg1lLkXIFKf9OvrYNSrt4gfdchKGsLbQbruvHxE1MeEdcw+G7IpNsgUWX1Dlc0uwEKsBuZMGptI5scsEzG1Lqe6H2J9F9Dok2cqwEX8MCYmStlDc9z11Rl30KkwCdn6wzCS3t+Xq+DPg==
            set secure ldaps
            set ca-cert "CA_Cert_1"
            set port 636
        next
    end
  2. Configure the FSSO user:
    config user fsso
        edit "ad-214"
            set server "10.1.100.142"
            set password ENC JvwNFvjbXd7T0qsYkO18K8k+DZlHFwDvc7CAv6gHD1nvE7nu8tlaQrWf/tK5o0jDChqkUUG7WmyqeGupJmTFYzDTB4szvVUafR4D0BKVCt8AaULybjoAtJb6NvU2Hu7P0Trnh08p930hleR13r4mBHjLmNEyBZgvB6jz7bOZYtKaQdkCn/9KKrjAteVjWqxcqYCEvw==
            set user-info-server "AD-LDAP"
        next
    end
To verify that information is being collected per user:
# diagnose wad user info 20 TEST1
    'username' = 'TEST1'
    'sourceip' = '10.1.100.188'
    'sourceip' = '32.1.0.0'
    'sourceip' = '10.1.100.185'
    'vdom' = 'root'
    'cn' = 'test1'
    'givenName' = 'test1'
    'sn' = 'test101'
    'userPrincipalName' = 'test1@Fortinet-FSSO.COM'
    'telephoneNumber' = '604-123456'
    'mail' = 'test1@fortinet-fsso.com'
    'thumbnailPhoto' = '/tmp/wad/user_info/ff1bffff376dff29ffff24ff65ff42ffff09292d'
    'company' = 'Fortinet'
    'department' = 'Release QA'
    'memberOf' = 'CN=group321,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=g1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=group21,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=group1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'manager' = 'CN=test6,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'streetAddress' = 'One Backend Street 1901'
    'l' = 'Burnaby'
    'st' = 'BC'
    'postalCode' = '4711'
    'co' = 'Canada'
    'accountExpires' = '9223372036854775807'
total 1, count 1

LDAP connector to get more user information from user login IDs  6.2.1

This features collects additional information about authenticated FSSO users, and makes that information available on multiple GUI pages, including:

  • FortiView > Sources
  • FortiView > Policies
  • Log & Report > Forward Traffic
  • User & Device > Device Inventory
  • Monitor > Firewall User Monitor

This features requires that FSSO is configured on the FortiGate. To view the user information on pages other than Firewall monitor, Device Detection must be enabled on the interface.

The user-info-server variable in user FSSO configuration is used to select the LDAP server that is used for retrieving user information. After a valid FSSO user is authenticated, the FortiGate will try to get additional user information from the LDAP server.

To configure the user:
  1. Configure the LDAP user:
    config user ldap
        edit "AD-LDAP"
            set server "10.1.100.131"
            set server-identity-check disable
            set cnid "cn"
            set dn "dc=fortinet-fsso,dc=com"
            set type regular
            set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com"
            set password ENC MTAwNIJ4Fk+smJ/CVOuEG2Pjphc5nzumAuRTGjEWiWny1qOB3UYLgYJovcNg1lLkXIFKf9OvrYNSrt4gfdchKGsLbQbruvHxE1MeEdcw+G7IpNsgUWX1Dlc0uwEKsBuZMGptI5scsEzG1Lqe6H2J9F9Dok2cqwEX8MCYmStlDc9z11Rl30KkwCdn6wzCS3t+Xq+DPg==
            set secure ldaps
            set ca-cert "CA_Cert_1"
            set port 636
        next
    end
  2. Configure the FSSO user:
    config user fsso
        edit "ad-214"
            set server "10.1.100.142"
            set password ENC JvwNFvjbXd7T0qsYkO18K8k+DZlHFwDvc7CAv6gHD1nvE7nu8tlaQrWf/tK5o0jDChqkUUG7WmyqeGupJmTFYzDTB4szvVUafR4D0BKVCt8AaULybjoAtJb6NvU2Hu7P0Trnh08p930hleR13r4mBHjLmNEyBZgvB6jz7bOZYtKaQdkCn/9KKrjAteVjWqxcqYCEvw==
            set user-info-server "AD-LDAP"
        next
    end
To verify that information is being collected per user:
# diagnose wad user info 20 TEST1
    'username' = 'TEST1'
    'sourceip' = '10.1.100.188'
    'sourceip' = '32.1.0.0'
    'sourceip' = '10.1.100.185'
    'vdom' = 'root'
    'cn' = 'test1'
    'givenName' = 'test1'
    'sn' = 'test101'
    'userPrincipalName' = 'test1@Fortinet-FSSO.COM'
    'telephoneNumber' = '604-123456'
    'mail' = 'test1@fortinet-fsso.com'
    'thumbnailPhoto' = '/tmp/wad/user_info/ff1bffff376dff29ffff24ff65ff42ffff09292d'
    'company' = 'Fortinet'
    'department' = 'Release QA'
    'memberOf' = 'CN=group321,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=g1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=group21,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=group1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'manager' = 'CN=test6,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'streetAddress' = 'One Backend Street 1901'
    'l' = 'Burnaby'
    'st' = 'BC'
    'postalCode' = '4711'
    'co' = 'Canada'
    'accountExpires' = '9223372036854775807'
total 1, count 1