Configuring LDAP Remote Servers with FortiAuthenticator

Published on: 02-26-2023 By Satyam Maurya

LDAP (Lightweight Directory Access Protocol) allows you to integrate existing LDAP servers with FortiAuthenticator to provide user authentication and directory services. This guide will take you through the steps of configuring remote LDAP servers with FortiAuthenticator, ensuring a secure and smooth integration process.

Steps to Add a Remote LDAP Server Entry

To add a remote LDAP server entry in FortiAuthenticator, follow these steps:

  1. Navigate to Authentication: Go to Authentication > Remote Auth. Servers > LDAP and select Create New. This will open the Create New LDAP Server window.
  2. Enter Basic Information: Provide the following details:
    • Name: Enter a name for the remote LDAP server.
    • Primary server name/IP: Enter the IP address or FQDN of the primary remote server.
    • Port: Enter the port number for the primary server.
    • Use Zero Trust tunnel: Enable this if you wish to use a zero trust tunnel.
  3. Configure Secondary Server (Optional): If using a secondary server, provide:
    • Secondary server name/IP: Enter the IP address or FQDN.
    • Secondary port: Enter the port number.
    • Use Zero Trust tunnel: Enable this if applicable.
    Note that the secondary LDAP server is used only for user authentication; it cannot be used for domain joining or FSSO-related activities.
  4. Base Distinguished Name: Enter the base distinguished name (DN) for the server in X.500 or LDAP format.
  5. Bind Type: Select the appropriate bind type (Simple or Regular) based on your user records.
  6. Server Type: Choose the LDAP server type (Microsoft Active Directory, OpenLDAP, or Novell eDirectory) and apply the template.

Securing the Connection

To establish a secure connection between FortiAuthenticator and the remote LDAP server, follow these steps:

  1. Protocol: Select LDAPS or STARTTLS as required by the LDAP server.
  2. Trusted CA: Choose Single or All Trusted CA options.
  3. CA Certificate: Select the CA certificate to verify the server certificate.
  4. Client Certificate: Enable and select a client certificate for TLS authentication if needed.

Windows AD Domain Authentication

For user authentication in a Windows AD environment using PEAP with MS-CHAPv2, enable Windows AD Domain Authentication and provide the following information:

  • Kerberos realm name: The domain’s DNS name in uppercase.
  • Domain NetBIOS name: The domain’s DNS prefix in uppercase.
  • FortiAuthenticator NetBIOS name: The NetBIOS name for FortiAuthenticator.
  • Administrator username: The user account for domain association; ensure it has at least domain user privileges.
  • Administrator password: The password for the administrator account.
  • Allow Trusted Domain: Enable this setting if needed.
  • Preferred Domain Controller Hostname: Enter the preferred domain controller hostname.
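The Base distinguished name from the first section and the Kerberos realm and NetBIOS fields above are all derived from the same AD DNS domain name, and a typo in any of them is a common reason an otherwise correct LDAP entry fails. The helpers below are an added example for this guide, not FortiAuthenticator code: a small RFC 4514 DN splitter that honours backslash escapes, a normaliser, a function that derives the default base DN, Kerberos realm and NetBIOS name from the DNS name using the rules stated above, and a check that the base DN actually spells the domain. The domain names used in the test are constructed; the real NetBIOS name of a domain is fixed at domain creation and can differ from the DNS prefix, so the derived value should be confirmed in AD.

```python
"""Checks for the Base DN and Windows AD domain fields (added example, not FortiAuthenticator code)."""
import re

# DNS label rule (letters, digits, hyphens, 1-63 characters, no leading/trailing hyphen).
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    r"""Split an LDAP-format DN into (attribute, value) RDNs (RFC 4514 string form).
    Backslash escapes are honoured, so 'ou=Sales\, EMEA' stays one RDN and the escape
    sequence is kept in the returned value. Multi-valued RDNs ('+') are not split."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    parsed = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        attr, value = attr.strip().lower(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        parsed.append((attr, value))
    return parsed


def normalize_dn(dn: str) -> str:
    """Canonical form: lower-case attribute types and no spaces around commas."""
    return ",".join(f"{attr}={value}" for attr, value in parse_dn(dn))


def _domain_labels(dns_domain: str) -> list[str]:
    labels = dns_domain.strip().rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"not a valid DNS domain name: {dns_domain!r}")
    return labels


def ad_domain_settings(dns_domain: str) -> dict:
    """Derive the guide's field values from the AD DNS domain name:
    base DN = dc= components, Kerberos realm = DNS name in upper case,
    NetBIOS name = DNS prefix in upper case (rule of thumb; confirm in AD)."""
    labels = _domain_labels(dns_domain)
    netbios = labels[0].upper()
    warnings = []
    if len(netbios) > 15:
        # NetBIOS names are limited to 15 characters; the real name must be looked up.
        warnings.append("DNS prefix exceeds 15 characters; NetBIOS name will differ")
    return {
        "base_dn": ",".join(f"dc={label}" for label in labels),
        "kerberos_realm": ".".join(labels).upper(),
        "netbios_name": netbios,
        "warnings": warnings,
    }


def base_dn_matches_domain(base_dn: str, dns_domain: str) -> bool:
    """True when the dc= components of base_dn spell the DNS domain, in order."""
    dc_parts = [value.lower() for attr, value in parse_dn(base_dn) if attr == "dc"]
    return dc_parts == _domain_labels(dns_domain)
```

Running base_dn_matches_domain against the value you intend to enter catches the usual mistakes (a missing dc= component, or a parent domain's DN used for a child domain) before the remote server is saved and users are imported against the wrong subtree.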

Importing Remote LDAP Users

To import remote LDAP users:

  • Go to Remote LDAP Users and select Import users or Import users by group memberships.
  • Specify the LDAP server, apply filters, and edit attributes as needed: Username, First name, Last name, Email, Phone, Mobile number, and others.

Configuring Minimum Privilege Windows AD User Account

To minimize privileges, avoid using a domain administrator account to associate FortiAuthenticator with a Windows AD domain. Instead, create a non-administrator account with delegated control to manage computer objects.

  1. Create a user account with User cannot change password and Password never expires options selected.
  2. Use the Delegation of Control Wizard in Active Directory to delegate control to this user for managing computer objects with relevant permissions.

Remote LDAP Password Management

FortiAuthenticator offers multiple ways to change or reset user passwords for Windows AD users:

  • RADIUS login: Requires FortiAuthenticator joining the Windows AD domain, RADIUS client configuration, and MS-CHAPv2 support.
  • GUI User Login: Requires FortiAuthenticator joining the Windows AD domain or secure LDAP enabled with LDAP admin permissions.
  • GUI User Portal: Allows users to change their passwords after logging into the GUI portal.

Password reset, i.e., resetting a password without providing the old password, is allowed only over LDAPS if the LDAP admin has the required permissions.

Conclusion

By following these configurations, FortiAuthenticator can make effective use of your existing LDAP servers, ensuring secure and streamlined user authentication. This integration supports up to 99 remote LDAP servers with Windows AD enabled, offering robust and flexible directory services for your organization. For more detailed guidance, refer to the official FortiAuthenticator Administration Guide.