LDAP User
FortiGate Version 4.0 MR1 Administration Guide
658 01-410-89802-20090903
http://docs.fortinet.com/ • Feedback
If you have configured LDAP support and require a user to authenticate using an LDAP
server, the FortiGate unit contacts the LDAP server for authentication. To authenticate
with the FortiGate unit, the user enters a user name and password. The FortiGate unit
sends this user name and password to the LDAP server. If the LDAP server can
authenticate the user, the FortiGate unit successfully authenticates the user. If the LDAP
server cannot authenticate the user, the FortiGate unit refuses the connection.
The FortiGate unit supports LDAP protocol functionality defined in RFC 2251: Lightweight
Directory Access Protocol v3, for looking up and validating user names and passwords.
FortiGate LDAP supports all LDAP servers compliant with LDAP v3. In addition, FortiGate
LDAP supports LDAP over SSL/TLS. To configure SSL/TLS authentication, refer to the
FortiGate CLI Reference.
FortiGate LDAP support does not extend to proprietary functionality, such as notification of
password expiration, that is available from some LDAP servers. Nor does the FortiGate
LDAP supply information to the user about why authentication failed.
To view the list of LDAP servers, go to User > Remote > LDAP.
Figure 406: Example LDAP server list
Configuring an LDAP server
A directory is a set of objects with similar attributes organized in a logical and hierarchical
way. Generally, an LDAP directory tree reflects geographic or organizational boundaries,
with the Domain Name System (DNS) names at the top level of the hierarchy. The
common name identifier for most LDAP servers is cn; however, some servers use other
common name identifiers such as uid.
For example, you could use the following base distinguished name:
ou=marketing,dc=fortinet,dc=com
where ou is the organization unit and dc is a domain component.
You can also specify multiple instances of the same field in the distinguished name, for
example, to specify multiple organization units:
ou=accounts,ou=marketing,dc=fortinet,dc=com
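The following sketch is an added example, not taken from the Administration Guide or from FortiGate code. It shows how a common name identifier, a user name and a base distinguished name combine into one entry DN, assuming the entry DN is the identifier and user name prepended to the configured distinguished name. The function names and sample values are constructed; the user name is escaped per RFC 4514 so that characters such as a comma cannot add extra DN components.

```python
# Added illustration: combine identifier + user name + base DN into an entry DN.
# Function names are hypothetical; sample values in the test are constructed.

SPECIAL = set(',+"\\<>;=')  # characters RFC 4514 requires to be escaped

def escape_rdn_value(value: str) -> str:
    """Escape a string for use as an attribute value inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash escapes."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        # A backslash and the character after it travel together as one unit.
        step = 2 if dn[i] == "\\" and i + 1 < len(dn) else 1
        if step == 1 and dn[i] == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i:i + step])
        i += step
    parts.append("".join(cur))
    pairs = []
    for part in parts:
        attr, sep, val = part.lstrip().partition("=")
        if not (sep and attr.strip() and val):
            raise ValueError(f"malformed DN component: {part!r}")
        pairs.append((attr.strip().lower(), val))
    return pairs

def user_dn(cnid: str, username: str, base_dn: str) -> str:
    """Build '<cnid>=<escaped user name>,<base DN>'."""
    if not cnid.isalnum():
        raise ValueError("identifier must be a plain attribute name such as cn or uid")
    split_dn(base_dn)  # reject a malformed base DN before using it
    return f"{cnid}={escape_rdn_value(username)},{base_dn}"
```

Multi-valued components joined with + are not split by this sketch; they are kept as a single component.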
Create New                Add a new LDAP server. The maximum number is 10.
Name                      The name that identifies the LDAP server on the FortiGate unit.
Server Name/IP            The domain name or IP address of the LDAP server.
Port                      The TCP port used to communicate with the LDAP server.
Common Name Identifier    The common name identifier for the LDAP server. Most LDAP servers use cn.
                          However, some servers use other common name identifiers such as uid.
Distinguished Name        The distinguished name used to look up entries on the LDAP server. The
                          distinguished name reflects the hierarchy of LDAP database object classes
                          above the common name identifier.
Delete icon               Delete the LDAP server configuration.
Edit icon                 Edit the LDAP server configuration.