Fortinet black logo

New Features

Synchronizing LDAP Active Directory users to FortiToken Cloud using the group filter 7.0.6

Copy Link
Copy Doc ID 4f6cd3c1-22cb-11eb-96b9-00505692583a:80565
Download PDF

Synchronizing LDAP Active Directory users to FortiToken Cloud using the group filter 7.0.6

To synchronize Active Directory users and apply two-factor authentication using FortiToken Cloud, two-factor authentication can be enabled in the user ldap object definition in FortiOS. By default, FortiOS retrieves all Active Directory users in the LDAP server with a valid email or mobile number (mail and mobile attributes), and synchronizes the users to FortiToken Cloud. Users are then created on FortiToken Cloud and activation is sent out using email or SMS.

Group filters can be used to reduce the number of the Active Directory users returned, and only synchronize the users who meet the group filter criteria.

Two-factor authentication for LDAP group filtering can only be configured in the CLI:

config user ldap
    edit <name>
        set dn <string> 
        set two-factor {disable | fortitoken-cloud}
        set group-filter <string> 
    next
end

dn <string>

Set the distinguished name used to look up entries on the LDAP server. The search for users and groups starts here based on what is defined.

two-factor {disable | fortitoken-cloud}

Enable/disable two-factor authentication:

  • disable: disable two-factor authentication
  • fortitoken-cloud: use the FortiToken Cloud service

group-filter <string>

Set the filter used for group matching.

Note

In FortiOS 7.2.1 and later, the group-filter setting is replaced with two-factor-filter.

Group filter examples

In the following examples, a user ldap object is defined to connect to an Active Directory on a Windows server. The search will begin in the root of the fortinet-fsso.com directory.

To configure a default LDAP server configuration without a group filter:
config user ldap
    edit "ad-ldap-auth"
        set server <ip_address>
        set cnid "cn"
        set dn "dc=fortinet-fsso,dc=com" 
        set type regular
        set two-factor fortitoken-cloud
        set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com"
        set password **********
    next
end

When a group filter is not used, all users in the Active Directory with a valid email or mobile number will be retrieved.

Example 1: specific users and email address with wildcard

With this group-filter, users under fortinet-fsso.com that have oliver* in their username and *fortinet* in their email will be matched.

config user ldap
    edit "ad-ldap-auth"
        set group-filter "(&(SAMAccountName=oliver*)(mail=*fortinet*))"
    next
end

Example 2: all users with matching email

With this group-filter, all users under fortinet-fsso.com with *fortinet* in their email will be matched.

config user ldap
    edit "ad-ldap-auth"
        set group-filter "(&(SAMAccountName=*)(mail=*fortinet*))"
    next
end

Example 3: all users in a group

With this group-filter, all users within the group fortinet-fsso.com > Testing > ftc-users will be matched.

config user ldap
    edit "ad-ldap-auth"
        set group-filter "(&(objectCategory=Person)(sAMAccountName=*)( memberOf=cn=ftc-users,ou=Testing,dc=fortinet-fsso,DC=com))"
    next
end

Example configuration

In this example, Active Directory users are configured to be synchronized to FortiToken Cloud. The same group filter is used from example 1 and searches the Active Directory for users named oliver* with email *fortinet*.

Before configuring the FortiGate:

  1. Gather the information to connect to the Active Directory server through LDAP. Include all necessary fields, such as the server IP, port, CN name identifier, DN for the start of the search, bind type, and username associated with a regular bind.

  2. Consider the users or groups that require two-factor authentication and should be synchronized. If necessary, group the users under the same group in the Active Directory.

  3. If using a group filter, formulate the group-filter string to limit the match. For this example, (&(SAMAccountName=oliver*)(mail=*fortinet*)).

  4. Test the filter by using the FortiOS CLI to perform a quick LDAP search:

    # diagnose test authserver ldap-search <server_ip> 389 "ou=Testing,dc=fortinet-fsso,DC=com" cn Administrator@fortinet-fsso.com PASSWORD 0 '(&(SAMAccountName=oliver*)(mail=*fortinet*))' 2
    
    searching 'ou=Testing,dc=fortinet-fsso,DC=com, cn=cn' on 10.1.100.131:389 for (Administrator@fortinet-fsso.com, PASSWORD), secure(0), filter((&(SAMAccountName=oliver*)(mail=*fortinet*))), flag(0x2), page_no(0)...
    CN=oliver2022,OU=Testing,DC=Fortinet-FSSO,DC=COM (oliver2022, 0 entries)

    The user, oliver2022, was found.

  5. Estimate how many users will be retrieved, and ensure that the FortiToken Cloud account has enough user licenses to support the number of users.

To configure Active Directory users to be synchronized to FortiToken Cloud:
  1. Configure the user LDAP settings:

    config user ldap
        edit "ad-ldap-auth"
            set server "10.1.100.131"
            set cnid "cn"
            set dn "dc=fortinet-fsso,dc=com" 
            set type regular
            set two-factor fortitoken-cloud
            set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com"
            set password **********
            set group-filter "(&(SAMAccountName=oliver*)(mail=*fortinet*))"
        next
    end
  2. In the background, the FortiGate FAS daemon scans the LDAP server for users to be synchronized based on the group filter pattern, but will not send them to the FortiToken Cloud server yet. Optionally, verify the users that are retrieved from the Active Directory based on the filter:

    # diagnose fortitoken-cloud debug enable
    # diagnose debug enable
    # diagnose fortitoken-cloud sync
    ...  
    fas_sync_ftc[2788]: Sending packet to FTC server: "IP-of-FTC-server" Port: 8686(length:444)
    fas_sync_ftc[2792]: FTC User Sync Packet(length:444):
    POST /api/v1/user_sync HTTP/1.1
    Host: ftc.fortinet.com
    Connection: keep-alive
    User-Agent: FortiGate-401E v7.0.6,build****
    Content-Type: application/json
    Content-Length: 246
    {"users":[{"username":"oliver2022","vdom":"vdom1","email":"o****@fortinet.com","mobile_number":"XXXXXXXXXXX","user_data":1,"action":"create"}],"sn":"FG4H1E5819900000","cluster_members":[ "FG4H1E5819900000" ],"group_name":"FGT400D","group_id":"0"}
    Reminder: User sync packet not actually sent out because of diagnose purpose!

    As expected, only the user that matches the current filter is returned.

  3. Manually trigger the synchronization process with FortiToken Cloud:

    # execute fortitoken-cloud sync

    The user is added to FortiToken Cloud, and an activation email or SMS message is sent to the user.

  4. In FortiToken Cloud, go to Users to verify that the user was added.

    If the activation email was sent, but user has not downloaded and activated the mobile token yet, a pending symbol appears in the Status column (such as for the admin, test6, and test3 users).

  5. In FortiOS, add the ad-ldap-auth object in a user group. The user group can be used for VPN, firewall authentication, and so on.

    Note

    The ldap user object should not be used in remote LDAP user groups that require group matching because it is not supported.

Synchronizing LDAP Active Directory users to FortiToken Cloud using the group filter 7.0.6

To synchronize Active Directory users and apply two-factor authentication using FortiToken Cloud, two-factor authentication can be enabled in the user ldap object definition in FortiOS. By default, FortiOS retrieves all Active Directory users in the LDAP server with a valid email or mobile number (mail and mobile attributes), and synchronizes the users to FortiToken Cloud. Users are then created on FortiToken Cloud and activation is sent out using email or SMS.

Group filters can be used to reduce the number of the Active Directory users returned, and only synchronize the users who meet the group filter criteria.

Two-factor authentication for LDAP group filtering can only be configured in the CLI:

config user ldap
    edit <name>
        set dn <string> 
        set two-factor {disable | fortitoken-cloud}
        set group-filter <string> 
    next
end

dn <string>

Set the distinguished name used to look up entries on the LDAP server. The search for users and groups starts here based on what is defined.

two-factor {disable | fortitoken-cloud}

Enable/disable two-factor authentication:

  • disable: disable two-factor authentication
  • fortitoken-cloud: use the FortiToken Cloud service

group-filter <string>

Set the filter used for group matching.

Note

In FortiOS 7.2.1 and later, the group-filter setting is replaced with two-factor-filter.

Group filter examples

In the following examples, a user ldap object is defined to connect to an Active Directory on a Windows server. The search will begin in the root of the fortinet-fsso.com directory.

To configure a default LDAP server configuration without a group filter:
config user ldap
    edit "ad-ldap-auth"
        set server <ip_address>
        set cnid "cn"
        set dn "dc=fortinet-fsso,dc=com" 
        set type regular
        set two-factor fortitoken-cloud
        set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com"
        set password **********
    next
end

When a group filter is not used, all users in the Active Directory with a valid email or mobile number will be retrieved.

Example 1: specific users and email address with wildcard

With this group-filter, users under fortinet-fsso.com that have oliver* in their username and *fortinet* in their email will be matched.

config user ldap
    edit "ad-ldap-auth"
        set group-filter "(&(SAMAccountName=oliver*)(mail=*fortinet*))"
    next
end

Example 2: all users with matching email

With this group-filter, all users under fortinet-fsso.com with *fortinet* in their email will be matched.

config user ldap
    edit "ad-ldap-auth"
        set group-filter "(&(SAMAccountName=*)(mail=*fortinet*))"
    next
end

Example 3: all users in a group

With this group-filter, all users within the group fortinet-fsso.com > Testing > ftc-users will be matched.

config user ldap
    edit "ad-ldap-auth"
        set group-filter "(&(objectCategory=Person)(sAMAccountName=*)( memberOf=cn=ftc-users,ou=Testing,dc=fortinet-fsso,DC=com))"
    next
end

Example configuration

In this example, Active Directory users are configured to be synchronized to FortiToken Cloud. The same group filter is used from example 1 and searches the Active Directory for users named oliver* with email *fortinet*.

Before configuring the FortiGate:

  1. Gather the information to connect to the Active Directory server through LDAP. Include all necessary fields, such as the server IP, port, CN name identifier, DN for the start of the search, bind type, and username associated with a regular bind.

  2. Consider the users or groups that require two-factor authentication and should be synchronized. If necessary, group the users under the same group in the Active Directory.

  3. If using a group filter, formulate the group-filter string to limit the match. For this example, (&(SAMAccountName=oliver*)(mail=*fortinet*)).

  4. Test the filter by using the FortiOS CLI to perform a quick LDAP search:

    # diagnose test authserver ldap-search <server_ip> 389 "ou=Testing,dc=fortinet-fsso,DC=com" cn Administrator@fortinet-fsso.com PASSWORD 0 '(&(SAMAccountName=oliver*)(mail=*fortinet*))' 2
    
    searching 'ou=Testing,dc=fortinet-fsso,DC=com, cn=cn' on 10.1.100.131:389 for (Administrator@fortinet-fsso.com, PASSWORD), secure(0), filter((&(SAMAccountName=oliver*)(mail=*fortinet*))), flag(0x2), page_no(0)...
    CN=oliver2022,OU=Testing,DC=Fortinet-FSSO,DC=COM (oliver2022, 0 entries)

    The user, oliver2022, was found.

  5. Estimate how many users will be retrieved, and ensure that the FortiToken Cloud account has enough user licenses to support the number of users.

To configure Active Directory users to be synchronized to FortiToken Cloud:
  1. Configure the user LDAP settings:

    config user ldap
        edit "ad-ldap-auth"
            set server "10.1.100.131"
            set cnid "cn"
            set dn "dc=fortinet-fsso,dc=com" 
            set type regular
            set two-factor fortitoken-cloud
            set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com"
            set password **********
            set group-filter "(&(SAMAccountName=oliver*)(mail=*fortinet*))"
        next
    end
  2. In the background, the FortiGate FAS daemon scans the LDAP server for users to be synchronized based on the group filter pattern, but will not send them to the FortiToken Cloud server yet. Optionally, verify the users that are retrieved from the Active Directory based on the filter:

    # diagnose fortitoken-cloud debug enable
    # diagnose debug enable
    # diagnose fortitoken-cloud sync
    ...  
    fas_sync_ftc[2788]: Sending packet to FTC server: "IP-of-FTC-server" Port: 8686(length:444)
    fas_sync_ftc[2792]: FTC User Sync Packet(length:444):
    POST /api/v1/user_sync HTTP/1.1
    Host: ftc.fortinet.com
    Connection: keep-alive
    User-Agent: FortiGate-401E v7.0.6,build****
    Content-Type: application/json
    Content-Length: 246
    {"users":[{"username":"oliver2022","vdom":"vdom1","email":"o****@fortinet.com","mobile_number":"XXXXXXXXXXX","user_data":1,"action":"create"}],"sn":"FG4H1E5819900000","cluster_members":[ "FG4H1E5819900000" ],"group_name":"FGT400D","group_id":"0"}
    Reminder: User sync packet not actually sent out because of diagnose purpose!

    As expected, only the user that matches the current filter is returned.

  3. Manually trigger the synchronization process with FortiToken Cloud:

    # execute fortitoken-cloud sync

    The user is added to FortiToken Cloud, and an activation email or SMS message is sent to the user.

  4. In FortiToken Cloud, go to Users to verify that the user was added.

    If the activation email was sent, but user has not downloaded and activated the mobile token yet, a pending symbol appears in the Status column (such as for the admin, test6, and test3 users).

  5. In FortiOS, add the ad-ldap-auth object in a user group. The user group can be used for VPN, firewall authentication, and so on.

    Note

    The ldap user object should not be used in remote LDAP user groups that require group matching because it is not supported.