LDAP Servers
The FortiSandbox system supports remote authentication of administrators using LDAP servers. To use this feature, configure the server entries in the FortiSandbox unit for each authentication server in your network.
If you have configured LDAP support and require a user to authenticate using an LDAP server, the FortiSandbox unit contacts the LDAP server for authentication. To authenticate with the FortiSandbox unit, the user enters a user name and password. The FortiSandbox unit sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the FortiSandbox unit accepts the connection. If the LDAP server cannot authenticate the user, the FortiSandbox unit refuses the connection.
The following options are available:
| Option | Description |
| --- | --- |
| Create New | Add an LDAP server. |
| Edit | Edit the selected LDAP server. |
| Delete | Delete the selected LDAP server. |
The following information is displayed:
| Column | Description |
| --- | --- |
| Name | LDAP server name. |
| Address | LDAP server IP address. |
| Common Name | LDAP common name. |
| Distinguished Name | LDAP distinguished name. |
| Bind Type | LDAP bind type. |
| Connection Type | LDAP connection type. |
To create a new LDAP server:
- Go to System > LDAP Servers.
- Click Create New.
- Configure the following settings.
| Setting | Description |
| --- | --- |
| Name | LDAP server name. Use a name unique to FortiSandbox. |
| Server Name/IP | LDAP server IP address or fully qualified domain name. |
| Port | Port for LDAP traffic. The LDAP default port is 389. The LDAPS default port is 636. |
| Common Name Identifier | LDAP common name. Most LDAP servers use `cn`. Some servers use other common name identifiers such as `uid`. |
| Distinguished Name | LDAP distinguished name used to look up entries on the LDAP server. The distinguished name reflects the hierarchy of LDAP database object classes above the common name identifier. For example, you can follow the format `CN=Users,DC=Example,DC=Com`. |
| Bind Type | LDAP bind type for authentication: Simple, Anonymous, or Regular. |
| Username | If Bind Type is Regular, enter the user distinguished name. |
| Password | If Bind Type is Regular, enter the password. |
| Secure Connection | LDAP connection type. |
| Protocol | If Secure Connection is enabled, select LDAPS or STARTTLS. |
| CA Certificate | If Secure Connection is enabled, select the CA certificate. |
| Advanced Options | Expand to configure advanced options. |
| Attributes | Attributes such as `member`, `uniquemember`, or `memberuid`. |
| Connect timeout | Connection timeout in milliseconds. Default is 500. |
| Filter | Filter in a format such as `(&(objectClass=*))`. |
| Group | Name of the LDAP group. For example, you can follow the format `CN=Group1,DC=Example,DC=Com`. |
| Memberof-attr | Specify the value for this attribute. This value must match the attribute of the group in the LDAP server. All users of the LDAP group whose attribute matches the memberof-attr inherit the administrative permissions of the group. |
| Profile-attr | Specify the attribute for this profile. |
| Secondary-server | Specify a secondary server for failover in case the primary LDAP server fails. The Distinguished Name must be the same. |
| Tertiary-server | Specify a tertiary server for failover in case the primary and secondary servers fail. The Distinguished Name must be the same. |
- (Optional) Test the connection.
  - Click Test Login to verify that the account can log in successfully.
  - If the login fails, click Test Connectivity to check the connection.
- Click OK.
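The following added example (illustration only, not FortiSandbox code) shows how the Common Name Identifier, Filter, Group and Memberof-attr settings above combine into the lookup an LDAP authenticator performs: the typed user name is escaped before it is placed in the search filter, and the returned entry's group attribute is compared with the configured Group DN. The `LdapSettings` class, the sample entry and the sample values are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class LdapSettings:
    """Constructed mirror of the settings in the table above (not a FortiSandbox API)."""
    base_dn: str                                  # Distinguished Name
    cn_identifier: str = "cn"                     # Common Name Identifier (cn or uid)
    search_filter: str = "(&(objectClass=*))"     # Filter
    group_dn: str = ""                            # Group (empty = no group check)
    memberof_attr: str = "memberOf"               # Memberof-attr


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user name cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def build_user_filter(settings: LdapSettings, username: str) -> str:
    """AND the configured Filter with a match on the common name identifier.

    Example: cn identifier + default filter + user "alice" gives
    (&(&(objectClass=*))(cn=alice)), searched under settings.base_dn.
    """
    user_term = f"({settings.cn_identifier}={escape_filter_value(username)})"
    extra = settings.search_filter.strip()
    return f"(&{extra}{user_term})" if extra else user_term


def is_group_member(settings: LdapSettings, entry: dict) -> bool:
    """Check the entry's memberof attribute against the configured Group DN.

    `entry` is a dict of attribute name -> list of values, as a directory search
    would return it. DNs are compared case-insensitively (simplified matching).
    """
    if not settings.group_dn:
        return True
    wanted = settings.group_dn.strip().lower()
    return any(v.strip().lower() == wanted for v in entry.get(settings.memberof_attr, []))


# Constructed sample settings and a constructed directory entry for "alice".
SETTINGS = LdapSettings(base_dn="CN=Users,DC=Example,DC=Com",
                        group_dn="CN=Group1,DC=Example,DC=Com")
SAMPLE_ENTRY = {"cn": ["alice"], "memberOf": ["CN=Group1,DC=Example,DC=Com"]}

if __name__ == "__main__":
    print(build_user_filter(SETTINGS, "alice"), is_group_member(SETTINGS, SAMPLE_ENTRY))
```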