FortiGate VDOM integration to LDAP


FortiGate Virtual Domains (VDOMs) are a virtualisation feature that creates virtual firewall instances on one physical FortiGate. Each VDOM provides completely separate firewalling, routing, unified threat management (UTM), virtual private networking (VPN) and next-generation firewall services, and traffic entering and leaving one VDOM is kept completely separate from the traffic of other VDOMs.

This post shows how to integrate a FortiGate VDOM with LDAP.

1. Enable Virtual Domains (VDOMs) on the FortiGate.

[Screenshot: enabling VDOMs on the FortiGate]

2. In Global configuration mode go to VDOM > VDOM and create an additional VDOM called test. Note that the FortiGate creates the root VDOM automatically.

[Screenshot: creating the test VDOM]

3. Assign ports to the VDOMs.

4. Go to root VDOM > User and Device > Authentication > LDAP servers and create a new LDAP server with the following settings:

Name: Any descriptive name
Server Name/IP: Hostname/IP address of LDAP server
Server Port: 389
Common name identifier: sAMAccountName
Distinguished Name: DC=test,DC=local
Bind type: Regular
User DN: [email protected]
Password: password

5. Go to root VDOM > User and Device > User Groups > LDAP servers and create a new user group with the following settings:

[Screenshot: creating the user group]

Name: Any descriptive name
Type: Firewall
Members: Leave it blank
Remote groups: Select the LDAP server created in step 4
Group name: Map to the LDAP group

6. Go to Global firewall configuration > Admin > Administrators and create a new administrator with the following settings:

Administrator: Any descriptive name
Type: Remote
Wildcard: Yes
User group: Select the user group created in step 5.

At this point there is a bug where the FortiGate GUI does not show the available user groups. The workaround is to configure the administrator via the CLI:

config global
  config system admin
    edit username             # the administrator name chosen in step 6
      set remote-group usergroup   # the user group created in step 5
    next
  end
end
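The whole of steps 4 to 6 as one FortiOS CLI configuration, added here as an example and not taken from the original post. The server address, object names, bind account and password, CA certificate name, AD group DN and admin profile are assumed placeholders; the block also swaps the cleartext port 389 bind used above for LDAPS validated against the issuing CA.

```text
# Example added to this post (not the original author's configuration): steps 4 to 6
# entered from the FortiOS CLI, with LDAPS and CA validation in place of cleartext port 389.
# Placeholders to replace: 192.0.2.10, object names, bind account and password,
# CA certificate name, AD group DN and admin profile.
config vdom
    edit root
        # Step 4: LDAP server (a per-VDOM object, hence created inside root)
        config user ldap
            edit "ldap-test-local"
                set server "192.0.2.10"
                set cnid "sAMAccountName"
                set dn "DC=test,DC=local"
                set type regular
                set username "svc-fortigate@test.local"
                set password "<bind-password>"
                # hardening: TLS-wrapped LDAP, server certificate checked against the issuing CA
                set secure ldaps
                set port 636
                set ca-cert "CA_Cert_1"
            next
        end
        # Step 5: firewall user group whose members are resolved from an AD group
        config user group
            edit "grp-fw-admins"
                set member "ldap-test-local"
                config match
                    edit 1
                        set server-name "ldap-test-local"
                        set group-name "CN=FortiGate Admins,OU=Groups,DC=test,DC=local"
                    next
                end
            next
        end
    next
end
# Step 6: remote wildcard administrator (a global object), the part the GUI fails to show
config global
    config system admin
        edit "ad-admins"
            set remote-auth enable
            set wildcard enable
            set remote-group "grp-fw-admins"
            set accprofile "super_admin"
            set vdom "root"
        next
    end
end
```

Note that the LDAP server and user group live in the root VDOM while the administrator is global, which is why the GUI steps switch between the two contexts.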
