Administration Guide

LDAP Servers

The FortiSandbox system supports remote authentication of administrators using LDAP servers. To use this feature, configure the server entries in the FortiSandbox unit for each authentication server in your network.

If you have configured LDAP support and require a user to authenticate using an LDAP server, the FortiSandbox unit contacts the LDAP server for authentication. To authenticate with the FortiSandbox unit, the user enters a user name and password. The FortiSandbox unit sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the FortiSandbox unit accepts the connection. If the LDAP server cannot authenticate the user, the FortiSandbox unit refuses the connection.

The following options are available:

Create New

Add an LDAP server.

Edit

Edit the selected LDAP server.

Delete

Delete the selected LDAP server.

The following information is displayed:

Name

LDAP server name.

Address

LDAP server IP address.

Common Name

LDAP common name.

Distinguished Name

LDAP distinguished name.

Bind Type

LDAP bind type.

Connection Type

LDAP connection type.

To create a new LDAP server:
  1. Go to System > LDAP Servers.
  2. Click Create New.

  3. Configure the following settings and then click OK.

    Name

    LDAP server name. Use a name unique to FortiSandbox.

    Server Name/IP

    LDAP server IP address or fully qualified domain name.

    Port

    Port for LDAP traffic. LDAP default port is 389. LDAPS default port is 636.

    Common Name Identifier

    LDAP common name. Most LDAP servers use cn. Some servers use other common name identifiers such as uid.

    Distinguished Name

    LDAP distinguished name used to look up entries on the LDAP server. The distinguished name reflects the hierarchy of LDAP database object classes above the common name identifier. For example, you can follow the format CN=Users,DC=Example,DC=Com.

    Bind Type

    LDAP bind type for authentication, including:

    • Simple
    • Anonymous
    • Regular

    Username

    If Bind Type is Regular, enter the user distinguished name.

    Password

    If Bind Type is Regular, enter the password.

    Secure Connection

    Enable to use an encrypted (TLS) connection to the LDAP server; the connection type is then selected under Protocol.

    Protocol

    If Secure Connection is enabled, select LDAPS or STARTTLS.

    CA Certificate

    If Secure Connection is enabled, select the CA certificate.

    Advanced Options

    Expand to configure advanced options.

    Attributes

    Attributes such as member, uniquemember, or memberuid.

    Connect timeout

    Connection timeout in milliseconds. Default is 500.

    Filter

    Search filter in LDAP filter syntax, for example (&(objectClass=*)).

    Group

    Name of the LDAP group. For example, you can follow the format CN=Group1,DC=Example,DC=Com.

    Memberof-attr

    Specify the value for this attribute. This value must match the attribute of the group on the LDAP server. All users of the LDAP group whose attribute matches the memberof-attr inherit the administrative permissions of the group.

    Profile-attr

    Specify the attribute for this profile.

    Secondary-server

    Specify a secondary server for failover in case the primary LDAP server fails. The Distinguished Name must be the same.

    Tertiary-server

    Specify a tertiary server for failover in case the primary and secondary servers fail. The Distinguished Name must be the same.
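The fields above drive the lookup the unit performs on each login. As an added example (not Fortinet's code), the following Python models how the Common Name Identifier, Distinguished Name, Filter, Group and Memberof-attr values combine into the user DN, the search filter and the group-membership check, with the typed user name escaped so it cannot alter the filter or DN. The class, function names and default values are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class LdapServerConfig:
    """Fields from the Create New form; values here are constructed for this example."""
    cn_identifier: str = "cn"                    # Common Name Identifier
    distinguished_name: str = "CN=Users,DC=Example,DC=Com"
    search_filter: str = "(objectClass=*)"       # Filter (Advanced Options)
    group: str = "CN=Group1,DC=Example,DC=Com"   # Group (Advanced Options)
    memberof_attr: str = "memberOf"              # Memberof-attr

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a typed user name cannot open or close filter clauses."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping for a user name placed inside a DN component."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in ("#", " "):          # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" "):              # so must a trailing space
        out = out[:-1] + "\\ "
    return out

def user_bind_dn(cfg: LdapServerConfig, username: str) -> str:
    """DN the user's credentials are bound with, e.g. cn=jdoe,CN=Users,DC=Example,DC=Com."""
    return f"{cfg.cn_identifier}={escape_rdn_value(username)},{cfg.distinguished_name}"

def user_search_filter(cfg: LdapServerConfig, username: str) -> str:
    """AND the CN-identifier lookup with the configured Filter."""
    return f"(&({cfg.cn_identifier}={escape_filter_value(username)}){cfg.search_filter})"

def inherits_group_permissions(cfg: LdapServerConfig, entry: dict) -> bool:
    """entry maps attribute name -> list of values from the search result.
    The user gets the group's admin permissions only if memberof-attr holds the Group DN
    (DN comparison is case-insensitive)."""
    return any(v.lower() == cfg.group.lower() for v in entry.get(cfg.memberof_attr, []))
```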
