Chapter 3 Authentication for FortiOS 5.0 : Single Sign-On to Windows AD : Configuring Single Sign On to Windows AD : Configuring LDAP server access
Configuring LDAP server access
The FortiGate unit needs access to the domain controller’s LDAP server to retrieve user group information.
The LDAP configuration on the FortiGate unit not only provides access to the LDAP server, it sets up the retrieval of Windows AD user groups for you to select in FSSO. The LDAP Server configuration (in User & Device > Authentication > LDAP Servers) includes a function to preview the LDAP server’s response to your distinguished name query. If you already know the appropriate Distinguished Name (DN) and User DN settings, you may be able to skip some of the following steps.
To add an LDAP server - web-based manager
1. Go to User & Device > Authentication > LDAP Servers and select Create New.
2. Enter the Server Name/IP and Server Port (default 389).
3. Select the Query distinguished name button to the right of the Distinguished Name field.
A new window opens.
4. If more than one name is listed, you might need to explore each name following the steps below to determine which one is relevant to your needs.
5. Copy the name string to the Distinguished Name field and select OK.
This closes the window and copies the name string to the Distinguished Name field of the LDAP Server configuration.
6. Set Bind Type to Regular.
7. In the User DN field, enter the administrative account name that you created for FSSO.
For example, if the account is FSSO_Admin, enter “cn=FSSO_Admin,cn=users”.
8. Make sure that the User DN entry ends with a comma and append the string from the Distinguished Name field to the end of it.
Example: cn=FSSO_Admin,cn=users,dc=office,dc=example,dc=com
9. Enter the administrative account password in the Password field.
10. Select the Query distinguished name button again.
The LDAP Distinguished Name Query window opens:
Figure 117: Authenticated DN query
You can expand any of the DNs that contain entries. When you select an expandable DN, the Distinguished Name field is updated. Look for the DN that contains the users or groups whose logon you want to monitor.
11. Select the DN that you want to monitor and then select OK.
This closes the window and updates the Distinguished Name field of the LDAP Server configuration with the selected Domain Name Identifier (DNI).
12. Check the following fields and select OK:
Name: Enter a name to identify the LDAP server.
Common Name Identifier: The default common name identifier is cn. This is correct for most LDAP servers. However, some servers use other identifiers such as uid.
Secure Connection: Optional.
To configure LDAP for FSSO - CLI example
config user ldap
    edit "ADserver"
        set server "10.11.101.160"
        set cnid "cn"
        set dn "cn=users,dc=office,dc=example,dc=com"
        set type regular
        set username "cn=administrator,cn=users,dc=office,dc=example,dc=com"
        set password set_a_secure_password
    next
end
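Steps 7 and 8 above are where most mistakes in this procedure happen: the User DN is assembled by hand from the account RDN, its container and the Distinguished Name string, and a missing comma or a stray trailing comma produces a bind DN the domain controller silently rejects. The following Python script is an added example, not Fortinet's code and not part of the original page. It builds the User DN the way steps 7-8 describe, checks it against the base DN the way a reviewer would before the password is typed into the FortiGate, and then emits the same `config user ldap` block shown above. It goes slightly beyond the page in two ways: it escapes RDN values per RFC 4514, so an account whose name contains a comma is handled, and with `secure=True` it adds `set secure ldaps` and `set port 636` so the regular (simple) bind, which otherwise sends the FSSO account password in cleartext on port 389, is carried over TLS. Those two keywords are not on this page and should be confirmed against the CLI reference for your FortiOS version. The function and variable names are the example's own.

```python
"""Build and sanity-check the FSSO bind DN (steps 7-8), then emit the CLI block.

Added example, not Fortinet's code. It assumes only the CLI keywords shown on
this page (config user ldap, set server, set cnid, set dn, set type regular,
set username, set password) plus 'set secure' and 'set port', which must be
checked against your FortiOS version.
"""
import re

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_ESCAPE_ANYWHERE = ',+"\\<>;='
_ATTR_TYPE_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _ESCAPE_ANYWHERE or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def _trim_rdn(part: str) -> str:
    """Drop unescaped whitespace around an RDN, keeping an escaped trailing space."""
    part = part.lstrip(" ")
    while part.endswith(" ") and not part.endswith("\\ "):
        part = part[:-1]
    return part


def split_dn(dn: str) -> list:
    """Split a DN on commas that are not escaped with a backslash."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append(_trim_rdn("".join(current)))
            current = []
        else:
            current.append(ch)
    parts.append(_trim_rdn("".join(current)))
    return parts


def compose_user_dn(account_name: str, container_rdns: str, base_dn: str, cnid: str = "cn") -> str:
    """Steps 7-8: '<cnid>=<account>,<container>' + ',' + base DN, with the name escaped."""
    return f"{cnid}={escape_rdn_value(account_name)},{container_rdns},{base_dn}"


def check_bind_dn(user_dn: str, base_dn: str) -> list:
    """Return a list of problems with the bind DN; an empty list means it looks sane."""
    problems = []
    rdns = split_dn(user_dn)
    base = split_dn(base_dn)
    for rdn in rdns:
        if not rdn:
            problems.append("empty RDN (double comma or trailing comma)")
            continue
        attr, sep, value = rdn.partition("=")
        if not sep or not value:
            problems.append(f"RDN {rdn!r} is not of the form type=value")
        elif not _ATTR_TYPE_RE.match(attr.strip()):
            problems.append(f"RDN {rdn!r} has an invalid attribute type")
    # The User DN must end with exactly the RDNs of the base DN (case-insensitive).
    if len(rdns) <= len(base) or [r.lower() for r in rdns[-len(base):]] != [r.lower() for r in base]:
        problems.append(f"DN does not end with the base DN {base_dn!r} (comma forgotten in step 8?)")
    return problems


def fortios_ldap_config(name, server, base_dn, user_dn, password_ref, cnid="cn", secure=False) -> str:
    """Emit the 'config user ldap' block from the page for the given values.

    password_ref is a placeholder token, never a real secret in source.
    secure=True wraps the simple bind in TLS (LDAPS on 636) so the FSSO account
    password is not sent in cleartext; these keywords are assumed for your version.
    """
    lines = [
        "config user ldap",
        f'    edit "{name}"',
        f'        set server "{server}"',
        f'        set cnid "{cnid}"',
        f'        set dn "{base_dn}"',
        "        set type regular",
        f'        set username "{user_dn}"',
        f"        set password {password_ref}",
    ]
    if secure:
        lines += ["        set secure ldaps", "        set port 636"]
    lines += ["    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    base = "dc=office,dc=example,dc=com"          # constructed, from the page's example
    good = compose_user_dn("FSSO_Admin", "cn=users", base)
    print(good, check_bind_dn(good, base))
    bad = "cn=FSSO_Admin,cn=usersdc=office,dc=example,dc=com"  # constructed: comma forgotten in step 8
    print(bad, check_bind_dn(bad, base))
    print(fortios_ldap_config("ADserver", "10.11.101.160", base, good, "set_a_secure_password", secure=True))
```

The suffix check is the one that matters operationally: the string produced by forgetting the comma in step 8 is still a syntactically valid DN (an unescaped `=` is legal inside an RDN value), so only comparing the tail against the base DN exposes it.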