Fortinet black logo

Version:

23.4.a
23.3.b
23.1.a

Version:

22.4.a
22.2.d

Table of Contents

Admin Guide

Download PDF
Copy Doc ID da627a26-84e2-11ee-a142-fa163e15d75b:194051
Copy Link

Configure wildcard LDAP users for FTC service

Your can use the following commands to configure FortiGate wildcard LDAP users to use FortiToken Cloud for MFA.

config user ldap

edit "EngLDAP"

set server "xx.xxx.xx.xx"

set cnid "uid"

set dn "dc=srv,dc=world"

set type regular

set two-factor fortitoken-cloud

set username "cn=Manager,dc=srv,dc=world"

set password ENC LWdyb+/k6e4TtSk070tODaCZAcbgEGKohA==

next

end

Wildcard LDAP users are those of a remote LDAP server user group, whose user configuration is unknown to FortiGate. Each end-user should have the following attributes configured on the LDAP server:

  • mail: user_email_address (e.g., mail: user1@abc.com)
  • mobile: user_phone_number (e.g., mobile: +14080123456)
Note
  • In FortiOS, the "mail" attribute is mandatory and required of each user, while the "mobile" attribute is optional.
  • FTC requires that the phone number be in the format of " +(country_code)(areacode_number)".

During user configuration, the FortiGate-FTC user APIs are called for add-user, delete-user, modify-user with the following information in each API:

  • Username
  • VDOM name
  • FortiGate serial number (SN)
  • HA cluster membership information (if it's part of an HA configuration)

If an API requires the user ID, e.g., the delete-user API, FortiOS must use the GET API to retrieve the user ID from FTC.

Note

  • From FOS 6.2.4 and 6.4.0, wildcard LDAP users are automatically synced from the remote AD/LDAP to FTC by FOS when FOS is configured to use FTC for remote wild card users on the remote AD/LDAP server. The frequency of this auto-sync for wildcard AD/LDAP users is once every 24 hours.

  • sAMAccountName as cnid is not supported before FOS 6.4.6.
Previous
Next

Configure wildcard LDAP users for FTC service

Your can use the following commands to configure FortiGate wildcard LDAP users to use FortiToken Cloud for MFA.

config user ldap

edit "EngLDAP"

set server "xx.xxx.xx.xx"

set cnid "uid"

set dn "dc=srv,dc=world"

set type regular

set two-factor fortitoken-cloud

set username "cn=Manager,dc=srv,dc=world"

set password ENC LWdyb+/k6e4TtSk070tODaCZAcbgEGKohA==

next

end

Wildcard LDAP users are those of a remote LDAP server user group, whose user configuration is unknown to FortiGate. Each end-user should have the following attributes configured on the LDAP server:

  • mail: user_email_address (e.g., mail: user1@abc.com)
  • mobile: user_phone_number (e.g., mobile: +14080123456)
Note
  • In FortiOS, the "mail" attribute is mandatory and required of each user, while the "mobile" attribute is optional.
  • FTC requires that the phone number be in the format of " +(country_code)(areacode_number)".

During user configuration, the FortiGate-FTC user APIs are called for add-user, delete-user, modify-user with the following information in each API:

  • Username
  • VDOM name
  • FortiGate serial number (SN)
  • HA cluster membership information (if it's part of an HA configuration)

If an API requires the user ID, e.g., the delete-user API, FortiOS must use the GET API to retrieve the user ID from FTC.

Note

  • From FOS 6.2.4 and 6.4.0, wildcard LDAP users are automatically synced from the remote AD/LDAP to FTC by FOS when FOS is configured to use FTC for remote wild card users on the remote AD/LDAP server. The frequency of this auto-sync for wildcard AD/LDAP users is once every 24 hours.

  • sAMAccountName as cnid is not supported before FOS 6.4.6.
Previous
Next