LDAP is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, and printers. LDAP consists of a data-representation scheme, a set of defined operations, and a request/response network.
In the LDAP protocol there are a number of operations a client can request such as search, compare, and add or delete an entry. Binding is the operation where the LDAP server authenticates the user. If the user is successfully authenticated, binding allows the user access to the LDAP server based on that user’s permissions.
To configure general LDAP service settings, go to Authentication > LDAP Service > General.
LDAP server certificate | Select the certificate that the LDAP server will present from the drop-down list. |
Certificate authority type | Select either Local CA or Trusted CA. |
CA certificate that issued the server certificate | Select the CA certificate that issued the server certificate from the drop-down list. |
Select OK to apply any changes that you have made.
The LDAP tree defines the hierarchical organization of user account entries in the LDAP database. The FortiGate unit requesting authentication must be configured to address its request to the right part of the hierarchy.
An LDAP server’s hierarchy often reflects the hierarchy of the organization it serves. The root represents the organization itself, usually defined as Domain Component (DC), a DNS domain, such as example.com
(as the name contains a dot, it is written as two parts separated by a comma: dc=example,dc=com
). Additional levels of hierarchy can be added as needed; these include:
The user account entries relevant to user authentication will have element names such as user ID (UID) or common name (CN); the user's name. They can each be placed at their appropriate place in the hierarchy.
Complex LDAP hierarchies are more common in large organizations where users in different locations and departments have different access rights. For basic authenticated access to your office network or the Internet, a much simpler LDAP hierarchy is adequate.
The following is a simple example of an LDAP hierarchy in which the all user account entries reside at the Organization Unit (OU) level, just below DC.
When requesting authentication, an LDAP client, such as a FortiGate unit, must specify the part of the hierarchy where the user account record can be found. This is called the Distinguished Name (DN). In the above example, DN is ou=People,dc=example,dc=com
.
The authentication request must also specify the particular user account entry. Although this is often called the Common Name (CN), the identifier you use is not necessarily CN. On a computer network, it is appropriate to use UID, the person’s user ID, as that is the information that they will provide at logon.
The following sections provide a brief explanation of each part of the LDAP attribute directory, what is commonly used for representation, and how to configure it on FortiAuthenticator.
When an object name includes a space, as in Test Users, you have to enclose the text with double-quotes. For example: cn="Test Users",cn=Builtin,dc=get,dc=local. |
The root node is the top level of the LDAP directory. There can be only one. All groups, OUs, and users branch off from the root node. Choose a DN that makes sense for your organization’s root node.
There are three common forms of DN entries:
The most common consists of one or more DC elements making up the DN. Each part of the domain has its own DC entry. This comes directly from the DNS entry for the organization. For example, for example.com, the DN entry is "dc=example,dc=com"
.
Another popular method is to use the company’s Internet presence as the DN. This method uses the domain name as the DN. For example, for example.com, the DN entry would be "o=example.com"
.
An older method is to use the company name with a country entry. For example, for Example Inc. operating in the United States, the DN would be o="Example, Inc.",c=US
. This makes less sense for international companies.
When you configure FortiGate units to use the FortiAuthenticator unit as an LDAP server, you will specify the distinguished name that you created here. This identifies the correct LDAP structure to reference. |
dc=example,dc=com
to edit the entry.Example: "dc=fortinet,dc=com"
.
If your domain name has multiple parts to it, such as shiny.widgets.example.com, each part of the domain should be entered as part of the DN, for example: dc=shiny,dc=widgets,dc=example,dc=com |
You can add a subordinate node at any level in the hierarchy as required.
For example, to add the ou=People
node from the earlier example, select Organizational Unit (ou).
Nodes can be edited after creation by selecting the edit, or pencil, icon next to the node name.
You must add user account entries at the appropriate place in the LDAP tree. These users must already be defined in the FortiAuthenticator user database. See Adding a user.
In the earlier example, you would do this on the ou=People
node.
The list of available users is displayed. You can choose to display them alphabetically by either user group or user.
You can verify your users were added by expanding the node to see their UIDs listed below it.
At times you may want to rearrange the hierarchy of the LDAP structure. For example a department may be moved from one country to another.
While it is easy to move a branch in the LDAP tree, all systems that use this information will need to be updated to the new structure or they will not be able to authenticate users. |
When the branch is hovered above a valid location, an arrow will appear to the left of the current branch to indicate where the new branch will be inserted. It will be inserted below the entry with the arrow.
Adding entries to the directory tree involves placing the attribute at the proper place. However, when removing entries it is possible to remove multiple branches at one time.
Take care not to remove more branches than you intend. Remember that all systems using this information will need to be updated to the new structure or they will not be able to authenticate users. |
You will be prompted to confirm your deletion. Part of the prompt displays the message of all the entries that will be removed with this deletion. Ensure this is the level that you intend to delete.
If the deletion was successful there will be a green check next to the successful message above the LDAP directory and the entry will be removed from the tree.
When you have defined the FortiAuthenticator LDAP tree, you can configure FortiGate units to access the FortiAuthenticator as an LDAP server and authenticate users.