Configuring LDAP queries
FortiWeb can use LDAP queries to authenticate and authorize end-users’ HTTP requests to protected web sites. For details, see “Offloading HTTP authentication & authorization”. FortiWeb can also use LDAP queries to authenticate administrators’ access to the web UI or CLI. For details, see “Grouping remote authentication queries for administrators”.
 
If you use an LDAP query for administrators, separate it from the queries for regular users. Do not combine administrator and user queries into a single entry. Failure to separate the queries will allow end-users to gain administrative access to the FortiWeb web UI and CLI. If administrators are in the same directory but belong to a different group than end-users, you can use Group Authentication to exclude end-users from the administrator LDAP query.
Supported servers, such as OpenLDAP, Microsoft Active Directory, IBM Lotus Domino, and Novell eDirectory, may implement the underlying technology and group membership in different ways. Match the distinguished names (DN) and group membership attributes (Group Type) to your LDAP directory’s schema.
If this query will be used to authenticate administrators, and your LDAP server is slow to answer, you may need to adjust the authentication timeout setting to prevent the query from failing. See the FortiWeb CLI Reference. (For end-user queries, configure Connection Timeout instead.)
To configure an LDAP query
1. Before you configure the query, if it will use a secure connection, you must upload the certificate of the CA that signed the LDAP server’s certificate. For details, see “Uploading trusted CAs’ certificates”.
2. Go to User > Remote Server > LDAP Server.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Auth Users category. For details, see “Permissions”.
3. Click Create New.
A dialog appears.
4. Configure these settings:
Setting name
Description
Name
Type a unique name that can be referenced in other parts of the configuration.
Do not use special characters. The maximum length is 35 characters.
Note: This is the name of the query only, not the administrator or end-user’s account name/login. Administrator account names are defined in Administrator.
Server IP
Type the IP address of the LDAP server.
Server Port
Type the port number where the LDAP server listens.
The default port number varies by your selection in Secure Connection: port 389 is typically used for non-secure connections or for STARTTLS-secured connections, and port 636 is typically used for SSL-secured (LDAPS) connections.
Common Name Identifier
Type the identifier for the common name (CN) attribute (also called the CNID) whose value is the user name.
Identifiers vary by your LDAP directory’s schema. This is often cn or uid. For Active Directory, it is often the attribute sAMAccountName.
For example, in a default OpenLDAP directory, if a user object is:
uid=hlee,cn=users,dc=example,dc=com
then the CNID is uid.
For an additional example for Active Directory, see “Example for a configuration for AD”.
Distinguished Name
Specifies the Base DN from which the LDAP query starts. This DN is the full path in the directory to the user account objects.
For example:
ou=People,dc=example,dc=com
or
cn=users,dc=example,dc=com
Bind Type
Select one of the following LDAP query binding styles:
Simple
Bind using the client-supplied password and a bind DN assembled from the Common Name Identifier, Distinguished Name, and the client-supplied user name.
Regular
Bind using a bind DN and password that you configure in User DN and Password. This also allows for group authentication.
Anonymous
Do not provide a bind DN or password. Instead, perform the query without authenticating. Select this option only if the LDAP directory supports anonymous queries.
User DN
Type the bind DN of an LDAP user account with permissions to query the Distinguished Name.
For example:
cn=FortiWebA,dc=example,dc=com
For Active Directory, the UPN (User Principal Name) is often used instead of a bind DN (for example, user@domain.com).
The maximum length is 255 characters.
This field can be optional if your LDAP server does not require the FortiWeb appliance to authenticate when performing queries.
This field is not displayed if Bind Type is Anonymous or Simple.
Password
Type the password of the User DN.
This field may be optional if your LDAP server does not require the FortiWeb appliance to authenticate when performing queries, and does not appear if Bind Type is Anonymous or Simple.
Filter
Type an LDAP query filter string that filters the query’s results based on any attribute in the record set.
For example:
(&(|(objectClass=user)(objectClass=group)(objectClass=publicFolder)))
Restricting the result set with a filter improves the speed and efficiency of the queries.
For syntax, see an LDAP query filter reference. If you do not want to exclude any accounts from the query, leave this setting blank.
The maximum length is 255 characters.
This option appears when Bind Type is Regular.
Group Authentication
Enable to filter the query results, only allowing users to authenticate if they are members of the LDAP group that you define in Group DN. Users that are not members of that group will not be allowed to authenticate. Also configure Group Type and Group DN.
This option appears only when Bind Type is Regular.
Group Type
Indicate the schema of your LDAP directory, either:
OpenLDAP — The directory uses a schema where each user object’s group membership is recorded in an attribute named gidNumber. This is usually an OpenLDAP directory, or another directory whose user objects use the inetOrgPerson or posixAccount object class.
Windows-AD — The directory uses a schema where each user object’s group membership is recorded in an attribute named memberOf. This is usually a Microsoft Active Directory server.
eDirectory — The directory uses a schema where each user object’s group membership is recorded in an attribute named groupMembership. This is usually a Novell eDirectory server.
Group membership attributes may have different names depending on the LDAP directory’s schema. The FortiWeb appliance uses the group membership attribute that matches your directory’s schema when querying the group DN.
This option appears only when Bind Type is Regular and Group Authentication is enabled.
Group DN
Type the value of the group membership attribute that query results must have in order to be able to authenticate.
The value may vary by your directory’s schema, but may be the distinguished name such as ou=Groups,dc=example,dc=com or a group ID (GID) such as 100.
This option appears only when Bind Type is Regular and Group Authentication is enabled. The maximum length is 255 characters.
Secure Connection
Enable to connect to the LDAP servers using an encrypted connection, then select the style of the encryption in Protocol.
Protocol
Select which secure LDAP protocol to use, either LDAPS or STARTTLS.
This option appears only when Secure Connection is enabled.
5. Click OK.
6. If you enabled Secure Connection, upload the certificate of the CA that signed the directory server’s certificate (see “Uploading trusted CAs’ certificates”).
7. Return to User > Remote Server > LDAP Server, double-click the row of the query, then click the Test LDAP button to verify that FortiWeb can connect to the server, that the query is correctly configured, and that (if binding is enabled) the query bind is successful.
In username, type only the value of the CNID attribute, such as hlee, not the entire DN of the administrator’s account. In password, type the password for the account.
8. If the query is for administrator accounts that you want to allow to access the FortiWeb web UI, select the query in a remote authentication query group (see “Grouping remote authentication queries for administrators”).
If the query is for user accounts that you want to allow to authenticate with web servers, to activate the user account, you must indirectly include it in a server policy. Continue with “Grouping users”. (For an overview, see “To configure and activate end-user accounts”.)
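The following added example (not FortiWeb code) shows how the settings above combine into an LDAP operation: a Simple bind assembles the bind DN from the Common Name Identifier, the user name and the Distinguished Name; a Regular bind searches with a filter that joins the CNID match, your Filter string and the Group Type attribute against Group DN. User-supplied values are escaped per RFC 4514 (DN) and RFC 4515 (filter) so a crafted user name cannot alter the query. The sample directory entries are constructed for the example.

```python
import re

# Group Type -> group membership attribute, as listed on this page
GROUP_ATTR = {"OpenLDAP": "gidNumber", "Windows-AD": "memberOf", "eDirectory": "groupMembership"}


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = re.sub(r'([\\,+"<>;=])', r'\\\1', value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def simple_bind_dn(cnid: str, username: str, base_dn: str) -> str:
    """Bind Type = Simple: bind DN is <CNID>=<username>,<Distinguished Name>."""
    return f"{cnid}={escape_dn_value(username)},{base_dn}"


def regular_search_filter(cnid, username, user_filter="", group_type=None, group_dn=None):
    """Bind Type = Regular: filter for the user entry, AND-ed with Filter and Group DN."""
    parts = [f"({cnid}={escape_filter_value(username)})"]
    if user_filter:
        parts.append(user_filter)
    if group_type:
        parts.append(f"({GROUP_ATTR[group_type]}={escape_filter_value(group_dn)})")
    return "(&" + "".join(parts) + ")" if len(parts) > 1 else parts[0]


# Constructed sample directory (OpenLDAP-style schema), not taken from a real server
DIRECTORY = [
    {"dn": "uid=hlee,ou=People,dc=example,dc=com", "uid": ["hlee"], "gidNumber": ["100"]},
    {"dn": "uid=jdoe,ou=People,dc=example,dc=com", "uid": ["jdoe"], "gidNumber": ["200"]},
]


def regular_bind_lookup(directory, cnid, username, group_type=None, group_dn=None):
    """Emulate the Regular-bind lookup: find the user entry, then apply Group Authentication."""
    for entry in directory:
        if username not in entry.get(cnid, []):
            continue
        if group_type and group_dn not in entry.get(GROUP_ATTR[group_type], []):
            return None  # user exists but is not in Group DN: refuse authentication
        return entry["dn"]  # the DN FortiWeb would then bind with the user's password
    return None
```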
See also
Configuring RADIUS queries
Configuring NTLM queries