
Administration Guide

Retrieving LDAP users attributes

FortiWeb now supports retrieving user attributes from the LDAP server and forwarding them to the back-end server. This feature is useful for scenarios where the back-end server needs detailed user information to achieve granular user management, such as rendering resources based on the user's role.

Configurations on FortiWeb

Step 1: Specifying the attributes to be retrieved

In the LDAP Server settings, specify the attributes to be retrieved from the LDAP server.

  1. Go to User > Remote Server and select the LDAP Server tab.
  2. From the LDAP server table, select the server that you want to retrieve attributes from.
  3. In the Extracted Attributes section, click Create New to add attributes.
  4. Configure the following:
    Name

    FortiWeb supports retrieving up to 16 attributes from the LDAP server. Choose from the predefined names.

    This name will serve as a reference in the Site Publish rule. The actual attribute name should be specified in the Attribute Name field below.

    Attribute Name

    Specify the name of the attribute you want FortiWeb to retrieve, for example, "email".
  5. Click OK.

Step 2: Referencing the attribute in a site publish rule

Specify the attributes in a site publish rule, so that FortiWeb can insert custom headers to carry the corresponding attributes in the packet sent to back-end servers.

  1. Go to Application Delivery > Site Publish > Site Publish and select the Site Publish Rule tab.
  2. From the Site Publish Rule table, select the rule you want to configure.
  3. In the Custom Headers section, click Create New. FortiWeb will insert the specified headers in the packet sent to back-end servers.
  4. Configure the following:
    Custom Header Name

    Enter a name for the HTTP header. For example, "LDAP-email".

    Custom Header Value Format

    Specify the format of the header value. The name of the attribute you created in the LDAP Server settings appears as a variable, such as "$LDAP.ATTRIBUTE1".

    The format can be just the attribute reference, such as "$LDAP.ATTRIBUTE1", or you can add a prefix or suffix to it, such as "fwb-$LDAP.ATTRIBUTE1-ldap".

    FortiWeb will look up the value of the corresponding attribute and populate it in the HTTP header.

  5. Click OK.
  6. Repeat the steps above to add more headers.

Example

If you want FortiWeb to extract the value of the Email attribute and forward it as an HTTP header in the packet to the back-end server, configure the following settings.

In the LDAP server settings, add the following attribute:

    Name: ATTRIBUTE1
    Attribute Name: Email

In the Site Publish rule, add the following custom header:

    Custom Header Name: LDAP-Email
    Custom Header Value Format: $LDAP.ATTRIBUTE1

When FortiWeb receives a request from a client, it will retrieve the "Email" attribute of this user from the LDAP server (assuming it is "Email:user1@example.com"), then forward the following HTTP header to the back-end server:

LDAP-Email:user1@example.com
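The following is an added simulation (not FortiWeb code) of the substitution described in Step 2 and in this example: an Extracted Attributes table maps the predefined names to LDAP attribute names, a Site Publish custom header's value format is expanded by replacing each "$LDAP.ATTRIBUTEn" reference, and the resulting headers are what the back-end server would receive. The user entry, the second attribute ("department") and the handling of a missing or header-unsafe value are constructed assumptions; the guide does not state how FortiWeb itself behaves in those cases.

```python
import re

# Constructed Extracted Attributes table: predefined Name -> LDAP attribute name.
# The guide allows up to 16 such entries (ATTRIBUTE1 .. ATTRIBUTE16).
EXTRACTED_ATTRIBUTES = {
    "ATTRIBUTE1": "Email",
    "ATTRIBUTE2": "department",   # constructed second attribute
}

# Constructed Site Publish custom headers: header name -> value format.
CUSTOM_HEADERS = {
    "LDAP-Email": "$LDAP.ATTRIBUTE1",            # plain reference, as in the guide
    "X-Dept": "fwb-$LDAP.ATTRIBUTE2-ldap",       # prefix/suffix form, as in the guide
}

# Constructed LDAP search result for user1.
USER1 = {"Email": "user1@example.com", "department": "finance"}

_VAR = re.compile(r"\$LDAP\.(ATTRIBUTE\d{1,2})")


def render_header_value(fmt, attrs, ldap_entry):
    """Expand $LDAP.ATTRIBUTEn references in one custom-header value format.

    LDAP attribute type names are case-insensitive, so the lookup ignores case.
    Returns None if a referenced attribute is absent from the entry (assumed
    behaviour: skip the header rather than send a partially expanded value).
    Raises ValueError for an undefined name or a value with CR/LF/NUL, which
    must never be copied into an HTTP header line.
    """
    entry = {k.lower(): v for k, v in ldap_entry.items()}
    missing = False

    def sub(match):
        nonlocal missing
        name = match.group(1)
        if name not in attrs:
            raise ValueError(f"{name} is not defined in Extracted Attributes")
        value = entry.get(attrs[name].lower())
        if value is None:
            missing = True
            return ""
        if re.search(r"[\r\n\x00]", value):
            raise ValueError(f"{attrs[name]} contains header-unsafe characters")
        return value

    expanded = _VAR.sub(sub, fmt)
    return None if missing else expanded


def build_upstream_headers(custom_headers, attrs, ldap_entry):
    """Return the headers that would be added to the request for this user."""
    headers = {}
    for header_name, fmt in custom_headers.items():
        value = render_header_value(fmt, attrs, ldap_entry)
        if value is not None:
            headers[header_name] = value
    return headers


if __name__ == "__main__":
    for name, value in build_upstream_headers(CUSTOM_HEADERS, EXTRACTED_ATTRIBUTES, USER1).items():
        print(f"{name}: {value}")
```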
