Lightweight Directory Access Protocol (LDAP) is a standardized Internet protocol used to store and manage authentication information, which may include users, groups, departments, passwords, email addresses, and network resources such as printers. LDAP defines a data representation model, a set of operations, and a request/response mechanism for communication between clients and servers.
When LDAP authentication is configured, the FortiManager forwards administrator login credentials to the designated LDAP server for verification. If the LDAP server successfully authenticates the credentials, the administrator is granted access to the FortiManager. If authentication fails, the login request is denied.
Before enabling administrator authentication through LDAP, the LDAP server must be configured on the FortiManager. Once the server settings are defined, administrator accounts can be created that use LDAP authentication.
To add an LDAP server:
- Go to System Settings > Admin > Remote Authentication Server.
- Select Create New > LDAP Server from the toolbar. The New LDAP Server pane opens.
- Configure the following settings, and then click OK to add the LDAP server.
We will create two remote authentication servers, one for the read-only (RO) group and one for the read-write (RW) group.

As shown in the image below, we create two LDAP server objects, one for the RO group and one for the RW group. Repeat the same steps for each additional group you need to map.
Use a service account in the format domain\service_account for the bind credentials.
The Group setting is essential; without the correct group DN, the mapping will not work.
You can get the group's distinguished name from AD with the following command:
dsquery group -name GROUP_NAME
Then enter that DN in the Group field under Advanced Options.
Click the Query button to check whether the AD tree can be parsed successfully. If it cannot, check the service account credentials.
Note: if the Username and Password fields are not visible in the GUI, create the LDAP server object in the FMG GUI first and then add the credentials from the CLI.

After creating the two remote authentication servers, each with its group configured:
Create admin profiles, or use the default ones, with the required privileges.
System Settings > Admin Profiles

After the admin profiles are in place, create new administrators with the desired profile.
Go to: System > Administrators > Create New
Set Admin Type to "LDAP" and, from the drop-down, select the LDAP server that we created for RO or RW.
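The CLI equivalent of the procedure above, as an added example that is not part of the original post: two LDAP server objects (one per AD group) and the two LDAP administrators bound to them. The server address, base DN, group DNs and service account are placeholders; the object and field names follow the FortiManager CLI reference and should be checked against the CLI help on your own FMG version.

```text
# Two LDAP server objects, one per AD group (RO and RW).
# The group DN is the value returned by: dsquery group -name GROUP_NAME
config system admin ldap
    edit "LDAP_RO"
        set server "10.0.0.10"                       # placeholder: AD domain controller
        set cnid "sAMAccountName"                    # attribute matched against the login name
        set dn "dc=example,dc=local"                 # placeholder: search base
        set type regular                             # regular bind with a service account
        set username "EXAMPLE\\svc_fmg_ldap"         # placeholder: domain\service_account
        set password "<service-account-password>"    # placeholder
        set group "CN=FMG_RO,OU=Groups,DC=example,DC=local"   # placeholder RO group DN
    next
    edit "LDAP_RW"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set username "EXAMPLE\\svc_fmg_ldap"
        set password "<service-account-password>"
        set group "CN=FMG_RW,OU=Groups,DC=example,DC=local"   # placeholder RW group DN
    next
end

# One LDAP administrator per server object; the admin profile decides the
# privilege level, so RO is tied to a restricted profile and RW to a standard one.
config system admin user
    edit "ldap_ro_admin"
        set user_type ldap
        set ldap-server "LDAP_RO"
        set profileid "Restricted_User"              # default read-only profile
    next
    edit "ldap_rw_admin"
        set user_type ldap
        set ldap-server "LDAP_RW"
        set profileid "Standard_User"                # default read-write profile
    next
end
```

Keeping the group DN in the server object (rather than relying on the base DN alone) is what stops a valid AD user outside the intended group from logging in through that entry.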

Verification:
From the FMG CLI, use the following command to debug and troubleshoot authentication:
diag debug application auth 8
You will see the hits on the matching LDAP server object and the matching group.
That's it!
Happy Networking!