Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 6.4.10 Administration Guide
    6.4.10
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Configuring an LDAP server

    Configuring an LDAP server

    FortiOS can be configured to use an LDAP server for authentication.

    To configure an LDAP server on the FortiGate:
    1. Go to User & Authentication > LDAP Servers.
    2. Click Create New.
    3. Configure the following:

      Name

      This connection name is for reference within the FortiGate only.

      Server IP/Name

      LDAP server IP address or FQDN resolvable by the FortiGate.

      Server Port

      By default, LDAP uses port 389 and LDAPS uses 636. Use this field to specify a custom port if necessary.

      Common Name Identifier

      Attribute field of the object in LDAP that the FortiGate uses to identify the connecting user. The identifier is case sensitive. Common attributes are:

      • cn (Common Name)
      • sAMAccountName (SAMAccountName)
      • uid (User ID)

      Distinguished Name

      Used to look up user account entries on the LDAP server. It reflects the hierarchy of LDAP database object classes above the CN identifier in which you are doing the lookup.

      Enter dc=COMPANY,dc=com to specify the root of the domain to include all objects.

      Enter ou=VPN-Users,dc=COMPANY,dc=com to look up users under a specific organization unit.

      Exchange server

      Enable to specify the exchange server connector to collect information about authenticated users from a corporate exchange server. See Exchange Server connector for more details.

      Bind Type

      Select one of the following options:

      • Simple: bind using simple password authentication using the client name. The LDAP server only looks up against the distinguished name (DN), but does not search on the subtree.
      • Anonymous: bind using an anonymous user, and search starting from the DN and recurse over the subtrees. Many LDAP servers do not allow this.
      • Regular: bind using the username and password provided, and search starting from the DN and recurse over the subtrees.

      Username

      If using regular bind, enter a username with sufficient privileges to access the LDAP server. The following formats are supported:

      • username\administrator
      • administrator@domain
      • cn=administrator,cn=users,dc=domain,dc=com

      Password

      If using regular bind, enter the password associated with the username.

      Secure Connection

      Enable to apply security to the LDAP connection through STARTTLS or LDAPS.

      Protocol

      If Secure Connection is enabled, select STARTTLS or LDAPS. Selecting STARTTLS changes the port to 389 and selecting LDAPS changes the port to 636.

      Certificate

      Enable and select the certificate so the FortiGate will only accept a certificate from the LDAP server that is signed by this CA.

      Server identity check

      Enable to verify the server domain or IP address against the server certificate. This option is enabled by default and it is recommended to leave it enabled for a secure configuration.

      Note

      When specifying a secure connection, there are some considerations for the certificate used by LDAP to secure the connection. The FortiGate checks the certificate presented by the LDAP server for the IP address or FQDN as specified in the Server IP/Name field with the following logic:

      • If there is a Subject Alternative Name (SAN), it will ignore any Common Name (CN) value and look for a match in any of the SAN fields.
      • If there is no SAN, it will check the CN for a match.

    4. Optionally, click Test User Credentials to ensure that the account has sufficient access rights.

    5. Click OK.

      The FortiGate checks the connection and updates the Connection Status.

    Previous
    Next

    Configuring an LDAP server

    Configuring an LDAP server

    FortiOS can be configured to use an LDAP server for authentication.

    To configure an LDAP server on the FortiGate:
    1. Go to User & Authentication > LDAP Servers.
    2. Click Create New.
    3. Configure the following:

      Name

      This connection name is for reference within the FortiGate only.

      Server IP/Name

      LDAP server IP address or FQDN resolvable by the FortiGate.

      Server Port

      By default, LDAP uses port 389 and LDAPS uses 636. Use this field to specify a custom port if necessary.

      Common Name Identifier

      Attribute field of the object in LDAP that the FortiGate uses to identify the connecting user. The identifier is case sensitive. Common attributes are:

      • cn (Common Name)
      • sAMAccountName (SAMAccountName)
      • uid (User ID)

      Distinguished Name

      Used to look up user account entries on the LDAP server. It reflects the hierarchy of LDAP database object classes above the CN identifier in which you are doing the lookup.

      Enter dc=COMPANY,dc=com to specify the root of the domain to include all objects.

      Enter ou=VPN-Users,dc=COMPANY,dc=com to look up users under a specific organization unit.

      Exchange server

      Enable to specify the exchange server connector to collect information about authenticated users from a corporate exchange server. See Exchange Server connector for more details.

      Bind Type

      Select one of the following options:

      • Simple: bind using simple password authentication using the client name. The LDAP server only looks up against the distinguished name (DN), but does not search on the subtree.
      • Anonymous: bind using an anonymous user, and search starting from the DN and recurse over the subtrees. Many LDAP servers do not allow this.
      • Regular: bind using the username and password provided, and search starting from the DN and recurse over the subtrees.

      Username

      If using regular bind, enter a username with sufficient privileges to access the LDAP server. The following formats are supported:

      • username\administrator
      • administrator@domain
      • cn=administrator,cn=users,dc=domain,dc=com

      Password

      If using regular bind, enter the password associated with the username.

      Secure Connection

      Enable to apply security to the LDAP connection through STARTTLS or LDAPS.

      Protocol

      If Secure Connection is enabled, select STARTTLS or LDAPS. Selecting STARTTLS changes the port to 389 and selecting LDAPS changes the port to 636.

      Certificate

      Enable and select the certificate so the FortiGate will only accept a certificate from the LDAP server that is signed by this CA.

      Server identity check

      Enable to verify the server domain or IP address against the server certificate. This option is enabled by default and it is recommended to leave it enabled for a secure configuration.

      Note

      When specifying a secure connection, there are some considerations for the certificate used by LDAP to secure the connection. The FortiGate checks the certificate presented by the LDAP server for the IP address or FQDN as specified in the Server IP/Name field with the following logic:

      • If there is a Subject Alternative Name (SAN), it will ignore any Common Name (CN) value and look for a match in any of the SAN fields.
      • If there is no SAN, it will check the CN for a match.

    4. Optionally, click Test User Credentials to ensure that the account has sufficient access rights.

    5. Click OK.

      The FortiGate checks the connection and updates the Connection Status.

    Previous
    Next