Retrieving LDAP users attributes
FortiWeb now supports retrieving user attributes from the LDAP server and forwarding them to the back-end server. This feature is useful for scenarios where the back-end server needs detailed user information to achieve granular user management, such as rendering resources based on the user's role.
Configurations on FortiWeb
Step 1: Specifying the attributes to be retrieved
In the LDAP Server settings, specify the attributes to be retrieved from the LDAP server.
- Go to User > Remote Server and select the LDAP Server tab.
- From the LDAP server table, select the server that you want to retrieve attributes from.
- In the Extracted Attributes section, click Create New to add attributes.
- Configure the following:
Name FortiWeb supports retrieving up to 16 attributes from the LDAP server. Choose from the predefined names.
This name will serve as a reference in the Site Publish rule. The actual attribute name should be specified in the Attribute Name field below.
Attribute Name Specify the name of the attribute you want FortiWeb to retrieve, for example, "email". - Click OK.
Step 2: Referencing the attribute in a site publish rule
Specify the attributes in a site publish rule, so that FortiWeb can insert custom headers to carry the corresponding attributes in the packet sent to back-end servers.
- Go to Application Delivery > Site Publish > Site Publish and select the Site Publish Rule tab.
- From the Site Publish Rule table, select the rule you want to configure.
- In the Custom Headers section, click Create New. FortiWeb will insert the specified headers in the packet sent to back-end servers.
- Configure the following:
Custom Header Name Enter a name for the HTTP header. For example, "LADP-email".
Custom Header Value Format Specify the format of the header value. The name of the attribute you have created in LDAP Server should appear as a variable, such as "$LDAP.ATTRIBUTE1".
It can be simply the reference of the attribute you have created, such as "$LDAP.ATTRIBUTE1", or you can add prefix or suffix to it, such as "fwb-$LDAP.ATTRIBUTE1-ldap".
FortiWeb will look up the value of the corresponding attribute and populate it in the HTTP header.
- Click OK.
- Repeat the steps above to add more headers.
Example
If you want FortiWeb to extract the value of the Email attribute and forward it as an HTTP header in the packet to the back-end server, configure the following settings.
In LDAP server, add the following attribute:
Name |
ATTRIBUTE1 |
Attribute Name |
In Site Publish rule, add the following custom header:
Custom Header Name |
LDAP-Email |
Custom Header Value Format | $LDAP.ATTRIBUTE1 |
When FortiWeb receives a request from a client, it will retrieve the "Email" attribute of this user from the LDAP server (assuming it is "Email:user1@example.com"), then forward the following HTTP header to the back-end server:
LDAP-Email:user1@example.com
Related topics: