

LDAP connector to get more user information from user login IDs  6.2.1


LDAP connector to get more user information from user login IDs 6.2.1

This feature collects additional information about authenticated FSSO users and makes that information available on multiple GUI pages, including:

  • FortiView > Sources
  • FortiView > Policies
  • Log & Report > Forward Traffic
  • User & Device > Device Inventory
  • Monitor > Firewall User Monitor

This feature requires that FSSO is configured on the FortiGate. To view the user information on pages other than the Firewall User Monitor, Device Detection must be enabled on the interface.

The user-info-server setting in the user FSSO configuration selects the LDAP server that is used to retrieve user information. After a valid FSSO user is authenticated, the FortiGate tries to get additional information about that user from the selected LDAP server.

To configure the user:
  1. Configure the LDAP server. The example below binds over LDAPS on port 636 and validates the server certificate against CA_Cert_1, but it also has server-identity-check disabled, so the server's certificate name is not checked against the configured server address; confirm that this matches the verification policy you want for the LDAP connection:
    config user ldap
        edit "AD-LDAP"
            set server "10.1.100.131"
            set server-identity-check disable
            set cnid "cn"
            set dn "dc=fortinet-fsso,dc=com"
            set type regular
            set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com"
            set password **********
            set secure ldaps
            set ca-cert "CA_Cert_1"
            set port 636
        next
    end
  2. Configure the FSSO user:
    config user fsso
        edit "ad-214"
            set server "10.1.100.142"
            set password **********
            set user-info-server "AD-LDAP"
        next
    end
To verify that the information is being collected for a user, run the following diagnose command:
# diagnose wad user info 20 TEST1
    'username' = 'TEST1'
    'sourceip' = '10.1.100.188'
    'sourceip' = '32.1.0.0'
    'sourceip' = '10.1.100.185'
    'vdom' = 'root'
    'cn' = 'test1'
    'givenName' = 'test1'
    'sn' = 'test101'
    'userPrincipalName' = 'test1@Fortinet-FSSO.COM'
    'telephoneNumber' = '604-123456'
    'mail' = 'test1@fortinet-fsso.com'
    'thumbnailPhoto' = '/tmp/wad/user_info/ff1bffff376dff29ffff24ff65ff42ffff09292d'
    'company' = 'Fortinet'
    'department' = 'Release QA'
    'memberOf' = 'CN=group321,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=g1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=group21,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=group1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'manager' = 'CN=test6,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'streetAddress' = 'One Backend Street 1901'
    'l' = 'Burnaby'
    'st' = 'BC'
    'postalCode' = '4711'
    'co' = 'Canada'
    'accountExpires' = '9223372036854775807'
total 1, count 1

LDAP connector to get more user information from user login IDs 6.2.1

This feature collects additional information about authenticated FSSO users and makes that information available on multiple GUI pages, including:

  • FortiView > Sources
  • FortiView > Policies
  • Log & Report > Forward Traffic
  • User & Device > Device Inventory
  • Monitor > Firewall User Monitor

This feature requires that FSSO is configured on the FortiGate. To view the user information on pages other than the Firewall User Monitor, Device Detection must be enabled on the interface.

The user-info-server setting in the user FSSO configuration selects the LDAP server that is used to retrieve user information. After a valid FSSO user is authenticated, the FortiGate tries to get additional information about that user from the selected LDAP server.

To configure the user:
  1. Configure the LDAP server. The example below binds over LDAPS on port 636 and validates the server certificate against CA_Cert_1, but it also has server-identity-check disabled, so the server's certificate name is not checked against the configured server address; confirm that this matches the verification policy you want for the LDAP connection:
    config user ldap
        edit "AD-LDAP"
            set server "10.1.100.131"
            set server-identity-check disable
            set cnid "cn"
            set dn "dc=fortinet-fsso,dc=com"
            set type regular
            set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com"
            set password **********
            set secure ldaps
            set ca-cert "CA_Cert_1"
            set port 636
        next
    end
  2. Configure the FSSO user:
    config user fsso
        edit "ad-214"
            set server "10.1.100.142"
            set password **********
            set user-info-server "AD-LDAP"
        next
    end
To verify that the information is being collected for a user, run the following diagnose command:
# diagnose wad user info 20 TEST1
    'username' = 'TEST1'
    'sourceip' = '10.1.100.188'
    'sourceip' = '32.1.0.0'
    'sourceip' = '10.1.100.185'
    'vdom' = 'root'
    'cn' = 'test1'
    'givenName' = 'test1'
    'sn' = 'test101'
    'userPrincipalName' = 'test1@Fortinet-FSSO.COM'
    'telephoneNumber' = '604-123456'
    'mail' = 'test1@fortinet-fsso.com'
    'thumbnailPhoto' = '/tmp/wad/user_info/ff1bffff376dff29ffff24ff65ff42ffff09292d'
    'company' = 'Fortinet'
    'department' = 'Release QA'
    'memberOf' = 'CN=group321,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=g1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=group21,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=group1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'manager' = 'CN=test6,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'streetAddress' = 'One Backend Street 1901'
    'l' = 'Burnaby'
    'st' = 'BC'
    'postalCode' = '4711'
    'co' = 'Canada'
    'accountExpires' = '9223372036854775807'
total 1, count 1