Synchronize LDAP remote users in wildcard user group from FortiGate
LDAP is commonly used for user management. FortiToken Cloud supports different types of LDAP, including AD LDAP, OpenLDAP, etc. On a FortiGate, for example, a filter can be set up to manage a group of users that share the same attributes, such as the same organization, the same department, or the same role.
Group filters can be used to reduce the number of Active Directory users returned, so that only the users who meet the group filter criteria are synchronized. Use of LDAP filters on FortiGate and FortiAuthenticator is discussed separately below:
Use case
This feature is supported on FortiGate devices running FOS 7.2.1 and above, or FOS 7.0.7 and above; it is not supported on the 6.x.x series.
To synchronize Active Directory users and apply two-factor authentication using FortiToken Cloud, two-factor authentication must be enabled in the user LDAP object definition in FortiOS.
Two-factor authentication for LDAP group filtering can only be configured in the CLI:
config user ldap
    edit <name>
        set dn <string>
        set two-factor {disable | fortitoken-cloud}
        set group-filter <string>
    next
end
In the following example, a user ldap object is defined to connect to an Active Directory on a Windows server. The search begins at the root of the fortinet-fsso.com directory.
config user ldap
    edit "ad-ldap-auth"
        set server <ip_address>
        set cnid "cn"
        set dn "dc=fortinet-fsso,dc=com"
        set type regular
        set two-factor fortitoken-cloud
        set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com"
        set password **********
    next
end
When a group filter is not used, all users in Active Directory with a valid email or mobile number will be retrieved.
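To see how a group filter narrows the set of synchronized users, the following added example (not FortiOS or FortiToken Cloud code) evaluates a simple LDAP filter string, like the one given to set group-filter, against constructed sample directory entries and keeps only the matches that carry an email or mobile number. The entry data, group DNs and the small filter evaluator are assumptions made for the illustration; it supports only the AND, OR, NOT and equality forms.

```python
# Added example: evaluate an LDAP group filter against sample AD entries and
# return the users that would be handed to FortiToken Cloud (filter match plus
# a valid "mail" or "mobile" attribute). Entries and DNs below are constructed.
ENTRIES = [
    {"cn": "alice", "objectClass": ["user"], "mail": "alice@example.com",
     "memberOf": ["cn=vpn-users,ou=groups,dc=fortinet-fsso,dc=com"]},
    {"cn": "bob", "objectClass": ["user"], "mobile": "+15555550100",
     "memberOf": ["cn=staff,ou=groups,dc=fortinet-fsso,dc=com"]},
    {"cn": "carol", "objectClass": ["user"],          # no email or mobile
     "memberOf": ["cn=vpn-users,ou=groups,dc=fortinet-fsso,dc=com"]},
    {"cn": "svc-backup", "objectClass": ["computer"],  # not a user object
     "memberOf": ["cn=vpn-users,ou=groups,dc=fortinet-fsso,dc=com"]},
]

def parse(filt):
    """Parse a subset of RFC 4515 filters: (&...), (|...), (!...), (attr=value)."""
    def node(pos):
        if filt[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        op = filt[pos + 1]
        if op in "&|!":
            kids, pos = [], pos + 2
            while filt[pos] != ")":
                kid, pos = node(pos)
                kids.append(kid)
            return (op, kids), pos + 1
        end = filt.index(")", pos)
        attr, value = filt[pos + 1:end].split("=", 1)  # value may itself be a DN
        return ("=", attr, value), end + 1
    tree, pos = node(0)
    if pos != len(filt):
        raise ValueError("trailing characters in filter")
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against one entry (values compared case-insensitively)."""
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    vals = entry.get(tree[1], [])
    vals = vals if isinstance(vals, list) else [vals]
    return any(v.lower() == tree[2].lower() for v in vals)

def sync_candidates(entries, group_filter):
    """Return the cn of every entry that passes the filter and has contact info."""
    tree = parse(group_filter)
    return [e["cn"] for e in entries
            if matches(tree, e) and ("mail" in e or "mobile" in e)]
```

With the vpn-users filter only alice is returned: carol matches the group but has no contact attribute, and svc-backup is not a user object.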
For more syntax and diagnostic details, see the FortiOS Release Notes and the Administration Guide | FortiGate / FortiOS 7.0.7 | Fortinet Documentation Library.