To enable LDAP-based user authentication on a FortiGate unit with firmware 4.x or newer, at least three settings are required:
1. Define the LDAP server
config user ldap
    edit "LDAP-DC01"                            // LDAP config name (not the server name)
        set server "10.10.0.110"                // LDAP server IP or FQDN (must be resolvable by the FortiGate)
        set cnid "cn"                           // attribute the login name is matched against (search type)
        set dn "DC=domain,DC=intra"             // search base: where the search for users and groups starts
        set type regular                        // enables a search through AD starting at the search base
        set username "fortildap@domain.intra"   // AD user account used for the bind, in the form user@domain.tld
        set password ENC XXXXXXX                // password of that user
        set filter ""                           // obsolete with firmware 4.0 and above
    next
end
2. Define a user group that uses the LDAP server
config user group
    edit "SSL-VPN-LDAP-User"                    // new group
        set sslvpn-portal "SSL-VPN-AdminUser"   // portal the users are allowed to use
        set member "LDAP-DC01"                  // LDAP config name from step 1
        config match                            // matching filter
            edit 1
                set server-name "LDAP-DC01"     // LDAP config name
                set group-name "CN=GRP-SSL-VPN-allow,OU=2ndOU,OU=1stOU,DC=domain,DC=intra"   // group defined in Active Directory for allowed SSL-VPN users
            next
        end
    next
end
3. Define a firewall policy
config firewall policy
    edit <policy-id>                            // placeholder: the original gives no policy ID
        set srcintf "wan1"                      // source interface
        set dstintf "internal"                  // destination interface
        set srcaddr "all"                       // source: any IP
        set dstaddr "Subnet-Intranet"           // destination: subnet address object
        set action ssl-vpn                      // SSL-VPN authentication policy type
        config identity-based-policy
            edit <id>                           // placeholder: the original gives no entry ID
                set schedule "always"           // schedule
                set groups "SSL-VPN-LDAP-User"  // user group defined under config user group
                set service "ANY"               // allowed services
            next
        end
    next
end
UPDATE:
To authenticate with the logon name instead of the full name, change the cnid (search attribute) in the "config user ldap" settings as follows:
Change
    set cnid "cn"
to
    set cnid "sAMAccountName"
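The following pre-flight check is an added example, not FortiGate code: it performs the same bind, user search (by the configured cnid attribute) and group-DN comparison from steps 1 and 2, so a wrong bind account, search base or group DN shows up before the firewall policy is tested. It assumes the ldap3 package for the live lookup, that matching the user's memberOf values against the config match DN approximates the unit's group check, and uses the constructed server, account and group names from this article; the login-name escaping follows RFC 4515 because the typed name ends up inside the search filter.

```python
"""Pre-flight check mirroring a FortiGate 'config user ldap' + 'config match' setup.
Added example (not FortiGate code); values below are the article's constructed ones."""
from typing import Iterable, Optional

# RFC 4515 escaping for values placed inside an LDAP search filter. The login
# name is user-supplied, so it must never be concatenated into the filter raw.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def user_filter(cnid: str, login: str) -> str:
    """Filter built from 'set cnid' (cn or sAMAccountName) and the typed login."""
    return f"({cnid}={escape_filter_value(login)})"

def normalize_dn(dn: str) -> str:
    """AD DNs are case-insensitive; compare them component-wise and trimmed."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def matched_groups(member_of: Iterable[str], rules: dict) -> list:
    """rules maps FortiGate user-group name -> AD group DN (the config match entry).
    Returns the FortiGate groups the user qualifies for (assumed memberOf-based)."""
    have = {normalize_dn(dn) for dn in member_of}
    return [grp for grp, ad_dn in rules.items() if normalize_dn(ad_dn) in have]

def check_login(server: str, base_dn: str, bind_user: str, bind_pw: str,
                cnid: str, login: str, rules: dict, use_ssl: bool = False) -> Optional[list]:
    """Live check against the directory (needs the ldap3 package). Returns the
    matched FortiGate groups, or None if no user entry was found."""
    import ldap3  # imported lazily so the pure helpers above work offline
    conn = ldap3.Connection(ldap3.Server(server, use_ssl=use_ssl), user=bind_user,
                            password=bind_pw, auto_bind=True)
    conn.search(base_dn, user_filter(cnid, login), attributes=["memberOf"])
    if not conn.entries:
        return None
    return matched_groups(conn.entries[0].memberOf.values, rules)

# FortiGate user group -> AD group DN, as in step 2 (constructed values)
RULES = {"SSL-VPN-LDAP-User": "CN=GRP-SSL-VPN-allow,OU=2ndOU,OU=1stOU,DC=domain,DC=intra"}

if __name__ == "__main__":
    # "jdoe" and the password are placeholders; cnid follows the UPDATE above
    print(check_login("10.10.0.110", "DC=domain,DC=intra", "fortildap@domain.intra",
                      "PASSWORD-PLACEHOLDER", "sAMAccountName", "jdoe", RULES))
```

An empty list means the bind and user lookup worked but the DN in config match does not match any of the user's groups, which is the usual cause of a correct password still being rejected.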