Configuring wildcard admin accounts
To avoid setting up individual admin accounts in FortiOS, you can configure an admin account with the wildcard option enabled, allowing multiple remote admin accounts to match one local admin account. This way, multiple LDAP admin accounts can use one FortiOS admin account.
Benefits include:
- Fast configuration of the FortiOS admin account to work with your LDAP network, saving effort and avoiding potential errors incurred when setting up multiple admin accounts
- Reduced ongoing maintenance. As long as LDAP users belong to the same group and you do not modify the wildcard admin account in FortiOS, you do not need to configure changes on the LDAP accounts. If you add or remove a user from the LDAP group, you do not need to perform changes in FortiOS.
Potential issues include:
- Multiple users may be logged in to the same account simultaneously. This may cause issues if both users make changes simultaneously.
- Security is reduced since multiple users have login access to the same account, as opposed to an account for each user.
Wildcard admin configuration also applies to RADIUS. If configuring for RADIUS, configure the RADIUS server and RADIUS user group instead of LDAP. When using the GUI, wildcard admin is the only remote admin account that does not require you to enter a password on account creation. That password is normally used when the remote authentication server is unavailable during authentication.
This example uses default values where possible. If a specific value is not mentioned, the example sets it to its default value.
You can configure an admin account in Active Directory for LDAP authentication to allow an admin to perform lookups and reset passwords without being a member of the Account Operators or Domain Administrators built-in groups. See Configuring least privileges for LDAP admin account authentication in Active Directory. |
To configure the LDAP server:
The important parts of this configuration are the username and group lines. The username is the domain administrator account. The group binding allows only the GRP group access.
This example uses an example domain name. Configure as appropriate for your own network.
config user ldap
edit "ldap_server"
set server "192.168.201.3"
set cnid "sAMAccountName"
set dn "DC=example,DC=com,DC=au"
set type regular
set username "CN=Administrator,CN=Users,DC=example,DC=COM”
set password *
set group-member-check group-object
set group-object-filter (&(objectcategory=group)member="CN=GRP,OU=training,DC=example,DC=COM"))
next
end
To configure the user group and add the LDAP server:
config user group
edit "ldap_grp"
set member "ldap_server"
config match
edit 1
set server-name "ldap_server"
set group-name "CN=GRP,OU=training,DC=example,DC=COM"
next
end
next
end
end
end
end
To configure the wildcard admin account:
config system admin
edit "test"
set remote-auth enable
set accprofile "super_admin"
set wildcard enable
set remote-group "ldap_grp"
next
end