LDAP connector to get more user information from user login IDs (6.2.1)
This feature collects additional information about authenticated FSSO users and makes that information available on multiple GUI pages, including:
- FortiView > Sources
- FortiView > Policies
- Log & Report > Forward Traffic
- User & Device > Device Inventory
- Monitor > Firewall User Monitor
This feature requires that FSSO is configured on the FortiGate. To view the user information on pages other than the Firewall User Monitor, Device Detection must be enabled on the interface.
The user-info-server variable in the user FSSO configuration selects the LDAP server that is used to retrieve the user information. After a valid FSSO user is authenticated, the FortiGate tries to get the additional user information from that LDAP server.
To configure the LDAP server and the FSSO user:
- Configure the LDAP user:
    config user ldap
        edit "AD-LDAP"
            set server "10.1.100.131"
            set server-identity-check disable
            set cnid "cn"
            set dn "dc=fortinet-fsso,dc=com"
            set type regular
            set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com"
            set password **********
            set secure ldaps
            set ca-cert "CA_Cert_1"
            set port 636
        next
    end
  Note that server-identity-check disable skips verifying the LDAP server's certificate identity against the configured server address; the connection is still encrypted with LDAPS and the server certificate is still validated against ca-cert.
- Configure the FSSO user:
    config user fsso
        edit "ad-214"
            set server "10.1.100.142"
            set password **********
            set user-info-server "AD-LDAP"
        next
    end
To verify that information is being collected per user:
    # diagnose wad user info 20 TEST1
    'username' = 'TEST1'
    'sourceip' = '10.1.100.188'
    'sourceip' = '32.1.0.0'
    'sourceip' = '10.1.100.185'
    'vdom' = 'root'
    'cn' = 'test1'
    'givenName' = 'test1'
    'sn' = 'test101'
    'userPrincipalName' = 'test1@Fortinet-FSSO.COM'
    'telephoneNumber' = '604-123456'
    'mail' = 'test1@fortinet-fsso.com'
    'thumbnailPhoto' = '/tmp/wad/user_info/ff1bffff376dff29ffff24ff65ff42ffff09292d'
    'company' = 'Fortinet'
    'department' = 'Release QA'
    'memberOf' = 'CN=group321,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=g1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=group21,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=group1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'manager' = 'CN=test6,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'streetAddress' = 'One Backend Street 1901'
    'l' = 'Burnaby'
    'st' = 'BC'
    'postalCode' = '4711'
    'co' = 'Canada'
    'accountExpires' = '9223372036854775807'
    total 1, count 1
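The diagnose output above is easy to read for one user but awkward to check across many, because multi-valued attributes (sourceip, memberOf) repeat the key on separate lines. The following Python script is an added example, not part of the FortiOS documentation or any Fortinet tool: it parses that output into a per-user dictionary, tells you whether the LDAP lookup actually returned anything beyond what FSSO already knew, and pulls the group CNs out of the memberOf DNs. The sample text is a constructed copy of the page's output embedded so the script runs offline; the helper names are the author's own.

```python
"""Parse `diagnose wad user info <n> <user>` output into a per-user dict.

Added example, not part of the FortiOS documentation. SAMPLE_OUTPUT is
a constructed copy of the page's example output so the script runs offline.
"""
import re
from collections import defaultdict

# Constructed sample: what `diagnose wad user info 20 TEST1` prints.
SAMPLE_OUTPUT = """\
'username' = 'TEST1'
'sourceip' = '10.1.100.188'
'sourceip' = '32.1.0.0'
'sourceip' = '10.1.100.185'
'vdom' = 'root'
'cn' = 'test1'
'givenName' = 'test1'
'sn' = 'test101'
'userPrincipalName' = 'test1@Fortinet-FSSO.COM'
'telephoneNumber' = '604-123456'
'mail' = 'test1@fortinet-fsso.com'
'thumbnailPhoto' = '/tmp/wad/user_info/ff1bffff376dff29ffff24ff65ff42ffff09292d'
'company' = 'Fortinet'
'department' = 'Release QA'
'memberOf' = 'CN=group321,OU=Testing,DC=Fortinet-FSSO,DC=COM'
'memberOf' = 'CN=g1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
'memberOf' = 'CN=group21,OU=Testing,DC=Fortinet-FSSO,DC=COM'
'memberOf' = 'CN=group1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
'manager' = 'CN=test6,OU=Testing,DC=Fortinet-FSSO,DC=COM'
'streetAddress' = 'One Backend Street 1901'
'l' = 'Burnaby'
'st' = 'BC'
'postalCode' = '4711'
'co' = 'Canada'
'accountExpires' = '9223372036854775807'
total 1, count 1
"""

# Keys the FortiGate fills from the FSSO session itself; every other key
# must have come back from the LDAP query against user-info-server.
FSSO_KEYS = {"username", "sourceip", "vdom"}

# Active Directory stores accountExpires as a 64-bit FILETIME; 0 and the
# maximum value both mean "account never expires".
AD_NEVER_EXPIRES = {"0", "9223372036854775807"}

ATTR_RE = re.compile(r"^'([^']+)'\s*=\s*'(.*)'$")
SUMMARY_RE = re.compile(r"^total (\d+), count (\d+)$")


def parse_user_info(text):
    """Return (attrs, summary). attrs maps each key to a list of values in
    output order, so repeated keys such as memberOf are preserved."""
    attrs = defaultdict(list)
    summary = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)].append(m.group(2))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary = {"total": int(m.group(1)), "count": int(m.group(2))}
    return dict(attrs), summary


def ldap_lookup_succeeded(attrs):
    """True if at least one attribute did not come from FSSO, i.e. the
    FortiGate reached the LDAP server and got a record back."""
    return any(key not in FSSO_KEYS for key in attrs)


def group_cns(attrs):
    """Extract the CN from each memberOf DN ('CN=g1,OU=...' -> 'g1')."""
    cns = []
    for dn in attrs.get("memberOf", []):
        first_rdn = dn.split(",", 1)[0]
        if first_rdn.upper().startswith("CN="):
            cns.append(first_rdn[3:])
    return cns


def account_never_expires(attrs):
    values = attrs.get("accountExpires", [])
    return bool(values) and values[0] in AD_NEVER_EXPIRES


if __name__ == "__main__":
    attrs, summary = parse_user_info(SAMPLE_OUTPUT)
    print("user:", attrs["username"][0], "sources:", attrs["sourceip"])
    print("LDAP lookup succeeded:", ldap_lookup_succeeded(attrs))
    print("groups:", group_cns(attrs))
    print("never expires:", account_never_expires(attrs))
```

Feed it the output captured from the CLI for each user you want to check; a user for whom ldap_lookup_succeeded() returns False shows only the FSSO-sourced keys, which is the first thing to look at when the GUI pages listed above stay empty after authentication.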