
Administration Guide

Configuring wildcard admin accounts

To avoid setting up individual admin accounts in FortiOS, you can configure an admin account with the wildcard option enabled, allowing multiple remote admin accounts to match one local admin account. Any user who authenticates successfully against the remote server and belongs to the configured remote group logs in as that one FortiOS admin account, so multiple LDAP admin accounts can share it.

Note

You can create one global wildcard system admin account or one wildcard system admin account for each VDOM but not both.

Benefits include:

  • Fast configuration of the FortiOS admin account to work with your LDAP network, saving effort and avoiding potential errors incurred when setting up multiple admin accounts

  • Reduced ongoing maintenance. As long as the LDAP users belong to the same group and you do not modify the wildcard admin account in FortiOS, membership is managed entirely on the LDAP side: adding a user to or removing a user from the LDAP group requires no change in FortiOS.

Potential issues include:

  • Multiple users may be logged in to the same account simultaneously, and concurrent changes made from different sessions can conflict with each other.

  • Security is reduced because multiple users share one account instead of having an account each. Every matched user receives the access profile assigned to the wildcard account, so assign the least-privilege profile the group actually needs rather than super_admin, and restrict where the account can log in from with trusted hosts.

Wildcard admin configuration also applies to RADIUS. If configuring for RADIUS, configure a RADIUS server and a RADIUS user group instead of the LDAP server and group. When using the GUI, a wildcard admin is the only remote admin account for which you are not asked to enter a password when creating the account. For other remote admin accounts, that local password is the fallback used when the remote authentication server is unavailable during authentication.
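The RADIUS equivalent of the LDAP procedure on this page, added here as an example and not taken from the original guide. The server address, shared secret, group name and admin name are placeholders; the group-name value must equal the Fortinet-Group-Name attribute that the RADIUS server returns for the user, and prof_admin is used instead of super_admin so that every user matched by the wildcard receives a restricted profile.

```fortios
config user radius
    edit "radius_server"
        set server "192.168.201.4"
        set secret "replace-with-shared-secret"
        set auth-type auto
    next
end
config user group
    edit "radius_grp"
        set member "radius_server"
        config match
            edit 1
                set server-name "radius_server"
                set group-name "fgt-admins"
            next
        end
    next
end
config system admin
    edit "radius_wildcard"
        set remote-auth enable
        set accprofile "prof_admin"
        set wildcard enable
        set remote-group "radius_grp"
    next
end
```

With this configuration, a RADIUS user whose Access-Accept carries Fortinet-Group-Name = fgt-admins logs in as the radius_wildcard account; a user without that attribute is rejected even though the RADIUS server accepted the password. Securing the RADIUS transport itself is covered on the RADSEC client page referenced below.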

This example uses default values where possible. If a specific value is not mentioned, the example sets it to its default value.

Caution

When configuring an LDAP connection to an Active Directory server, an administrator must provide Active Directory user credentials. To secure this connection, use LDAPS on both the Active Directory server and FortiGate. See Configuring an LDAP server and Configuring client certificate authentication on the LDAP server.

To secure RADIUS connections, consider using RADSEC over TLS. See Configuring a RADSEC client.

Tooltip

You can configure an admin account in Active Directory for LDAP authentication to allow an admin to perform lookups and reset passwords without being a member of the Account Operators or Domain Administrators built-in groups. See Configuring least privileges for LDAP admin account authentication in Active Directory.

To configure the LDAP server:

The important parts of this configuration are the username and group lines. The username is the account FortiGate binds to the directory with. This example uses the domain Administrator account, but a dedicated least-privilege bind account (see the tooltip above) is preferable. The group filter here, together with the group match in the user group configured next, limits access to members of the GRP group.

This example uses an example domain name. Configure as appropriate for your own network.

config user ldap
    edit "ldap_server"
        set server "192.168.201.3"
        set cnid "sAMAccountName"
        set dn "DC=example,DC=com"
        set type regular
        set username "CN=Administrator,CN=Users,DC=example,DC=com"
        set password *
        set group-member-check group-object
        set group-object-filter "(&(objectcategory=group)(member=CN=GRP,OU=training,DC=example,DC=com))"
    next
end
To configure the user group and add the LDAP server:
config user group
    edit "ldap_grp"
        set member "ldap_server"
        config match
            edit 1
                set server-name "ldap_server"
                set group-name "CN=GRP,OU=training,DC=example,DC=com"
            next
        end
    next
end
To configure the wildcard admin account:
config system admin
    edit "test"
        set remote-auth enable
        set accprofile "super_admin"
        set wildcard enable
        set remote-group "ldap_grp"
    next
end
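A hardened version of the same LDAP server and wildcard admin, added here as an example and not part of the original guide. It applies the Caution and Tooltip above: the directory connection uses LDAPS on port 636 with the server certificate validated against an imported CA, the bind account is a dedicated least-privilege account rather than the domain Administrator, and the wildcard admin gets the prof_admin profile and a trusted-host restriction instead of super_admin with unrestricted access. The hostname ldap.example.com, the CA certificate name Example-Root-CA, the bind DN, the password and the 10.10.0.0/24 management network are placeholders; the user group ldap_grp is the one configured above.

```fortios
config user ldap
    edit "ldap_server"
        set server "ldap.example.com"
        set secure-connection ldaps
        set port 636
        set ca-cert "Example-Root-CA"
        set server-identity-check enable
        set cnid "sAMAccountName"
        set dn "DC=example,DC=com"
        set type regular
        set username "CN=fgt-ldap-bind,OU=service,DC=example,DC=com"
        set password "replace-with-bind-password"
        set group-member-check user-attr
    next
end
config system admin
    edit "test"
        set remote-auth enable
        set accprofile "prof_admin"
        set wildcard enable
        set remote-group "ldap_grp"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end
```

Because server-identity-check is enabled, the server value must be the hostname present in the directory server's certificate, not its IP address, and the certificate chain must validate against the CA named in ca-cert or the bind fails closed. group-member-check user-attr reads the user's memberOf attribute, which is the default and avoids the group-object search; the GRP restriction still comes from the config match entry in ldap_grp. trusthost1 limits logins for every user matched by the wildcard to the management subnet, which is the compensating control for the shared-account issue listed under Potential issues.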
