Chapter 3 Authentication for FortiOS 5.0 : Authentication servers : LDAP servers : Configuring the FortiGate unit to use an LDAP server
  
Configuring the FortiGate unit to use an LDAP server
After you determine the common name and distinguished name identifiers and the domain name or IP address of the LDAP server, you can configure the server on the FortiGate unit. The maximum number of remote LDAP servers that can be configured is 10.
One or more servers must be configured on FortiGate before remote users can be configured. To configure remote users, see “Creating users”.
To configure the FortiGate unit for LDAP authentication - web-based manager
1. Go to User & Device > Authentication > LDAP Servers and select Create New.
2. Enter a Name for the LDAP server.
3. In Server Name/IP enter the server’s FQDN or IP address.
4. If necessary, change the Server Port number. The default is port 389, the standard port for plain (unencrypted) LDAP. With the Regular bind type selected in step 7, the bind account's password is sent over this connection, so the path between the FortiGate unit and the LDAP server should not cross an untrusted network unprotected.
5. Enter the Common Name Identifier (20 characters maximum). cn is the default and is used by most LDAP servers.
6. In the Distinguished Name field, enter the base distinguished name for the server using the correct X.500 or LDAP format. The FortiGate unit passes this distinguished name unchanged to the server. The maximum number of characters is 512.
If you don’t know the distinguished name, leave the field blank and select the Query icon to the right of the field. See “Using the Query icon”.
7. In Bind Type, select Regular.
8. In User DN, enter the distinguished name of the account the FortiGate unit binds with (the LDAP administrator in this procedure). A dedicated account that has only the read and search rights it needs under the base DN is preferable to a full directory administrator, because the credentials are stored in the FortiGate configuration.
9. In Password, enter that account’s password.
10. Select OK.
 
To verify your Distinguished Name field is correct, you can select the Test button. If your DN field entry is valid, you will see the part of the LDAP database it defines. If your DN field entry is not valid, it will display an error message and return no information.
For detailed information about configuration options for LDAP servers, see the Online Help on your FortiGate unit or the FortiGate CLI Reference.
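The FortiGate unit passes the Distinguished Name to the server unchanged and only reports a failure when you select Test, so it is worth checking the two text fields before typing them in. The following script is an added example, not Fortinet code and not from this handbook: it parses a DN the way an LDAP server would (RFC 4514, including backslash and hex escapes and multi-valued RDNs), enforces the 20- and 512-character limits the procedure states, and shows how a username must be escaped (RFC 4515) when it is substituted into a per-user search filter of the form (cnid=username). That filter format is an assumption about how the Common Name Identifier is used after configuration, not something this page states; the sample DN and cnid are the values from the CLI example below. Python is used because the check runs on an administrator's workstation, not on the FortiGate unit.

```python
"""Pre-flight checks for the FortiGate LDAP server fields.

Added example, not Fortinet code.  The 20- and 512-character limits are the
ones stated in the configuration procedure; the "(cnid=username)" search
filter built at the end is an assumed format, not taken from the handbook.
"""
import re
from typing import List, Optional, Tuple

CNID_MAX = 20    # Common Name Identifier limit stated in the procedure
DN_MAX = 512     # Distinguished Name limit stated in the procedure

# RFC 4514 attribute type: a descriptor such as "cn" / "dc", or a dotted OID.
_ATTR_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*")

RDN = List[Tuple[str, str]]


def parse_dn(dn: str) -> List[RDN]:
    """Parse an RFC 4514 string DN into RDNs (lists of (type, value) pairs).

    Handles backslash escapes ("\\," and the hex form "\\2c") and multi-valued
    RDNs joined with "+".  Raises ValueError on anything that is not a
    well-formed DN, which is what the server would reject when the FortiGate
    unit passes the field through unchanged.
    """
    rdns: List[RDN] = []
    rdn: RDN = []
    attr: Optional[str] = None
    buf: List[str] = []
    i, n = 0, len(dn)

    def end_value() -> None:
        nonlocal attr, buf
        if attr is None or not _ATTR_TYPE.fullmatch(attr.strip()):
            raise ValueError(f"missing or invalid attribute type before offset {i}")
        value = "".join(buf).strip()
        if not value:
            raise ValueError(f"empty value for {attr.strip()} before offset {i}")
        rdn.append((attr.strip().lower(), value))
        attr, buf = None, []

    while i < n:
        c = dn[i]
        if c == "\\":                                          # escaped character
            if i + 2 < n and re.fullmatch(r"[0-9A-Fa-f]{2}", dn[i + 1:i + 3]):
                buf.append(chr(int(dn[i + 1:i + 3], 16)))     # \HH (single ASCII byte)
                i += 3
            elif i + 1 < n:
                buf.append(dn[i + 1])                          # \, \+ \" \\ \= ...
                i += 2
            else:
                raise ValueError("DN ends with a dangling backslash")
            continue
        if c == "=" and attr is None:                          # end of attribute type
            attr, buf = "".join(buf), []
        elif c == "+":                                         # next value, same RDN
            end_value()
        elif c == ",":                                         # next RDN
            end_value()
            rdns.append(rdn)
            rdn = []
        else:
            buf.append(c)
        i += 1
    end_value()
    rdns.append(rdn)
    return rdns


def check_ldap_fields(cnid: str, base_dn: str) -> List[str]:
    """Return the problems found with the two fields; an empty list means OK.

    An empty base DN is accepted because the procedure allows leaving the
    field blank and using the Query icon instead.
    """
    problems: List[str] = []
    if not cnid:
        problems.append("Common Name Identifier is empty")
    elif len(cnid) > CNID_MAX:
        problems.append(f"Common Name Identifier longer than {CNID_MAX} characters")
    elif not _ATTR_TYPE.fullmatch(cnid):
        problems.append("Common Name Identifier is not an LDAP attribute type name")
    if len(base_dn) > DN_MAX:
        problems.append(f"Distinguished Name longer than {DN_MAX} characters")
    elif base_dn:
        try:
            parse_dn(base_dn)
        except ValueError as exc:
            problems.append(f"Distinguished Name is not well formed: {exc}")
    return problems


# RFC 4515 filter escaping: these characters would otherwise change the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def user_search_filter(cnid: str, username: str) -> str:
    """Build the assumed per-user search filter "(cnid=username)" with the
    username escaped, so that "*", "(", ")" or "\\" typed at a login prompt
    cannot widen the search to other directory entries."""
    escaped = "".join(_FILTER_ESCAPES.get(ch, ch) for ch in username)
    return f"({cnid}={escaped})"


if __name__ == "__main__":
    # Values from the CLI example on this page.
    base = "cn=users,dc=office,dc=example,dc=com"
    print(parse_dn(base))
    print(check_ldap_fields("cn", base))            # []
    print(check_ldap_fields("cn", "users,dc=office"))
    print(user_search_filter("cn", "jdoe"), user_search_filter("cn", "*)(cn=*"))
```

Run the script with the cnid and base DN you intend to enter; anything it reports would also make the Test button fail, but you see the reason before the values reach the FortiGate unit.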
To configure the FortiGate unit for LDAP authentication - CLI example
config user ldap
    edit ourLDAPsrv
        set server 10.11.101.160
        set cnid cn
        set dn cn=users,dc=office,dc=example,dc=com
        set type regular
        set username cn=administrator,cn=users,dc=office,dc=example,dc=com
        set password w5AiGVMLkgyPQ
        set password-expiry-warning enable
        set password-renewal enable
    next
end
The CLI keywords correspond to the web-based manager fields: server (Server Name/IP), cnid (Common Name Identifier), dn (Distinguished Name), type regular (Bind Type), username (User DN) and password. The server address, base DN and bind credentials shown are placeholders; substitute your own, and use a bind account that has only the rights it needs rather than a directory administrator.