FortiOS v3.0 MR7 User Authentication User Guide
20 01-30007-0347-20080828
LDAP servers Authentication servers
FortiGate LDAP does not support proprietary functionality, such as notification of
password expiration, which is available from some LDAP servers. FortiGate LDAP
does not supply information to the user about why authentication failed.
To configure your FortiGate unit to work with an LDAP server, you need to
understand the organization of the information on the server.
The top of the hierarchy is the organization itself. Usually this is defined as a
Domain Component (DC), which corresponds to a DNS domain. If the name contains a dot, such as
“example.com”, it is written as two parts: “dc=example,dc=com”.
In this example, Common Name (CN) identifiers reside at the Organization Unit
(OU) level, just below DC. The Distinguished Name (DN) is
ou=People,dc=example,dc=com.
In addition to the DN, the FortiGate unit needs an identifier for the individual
person. Although the FortiGate unit GUI calls this the Common Name (CN), the
identifier you use is not necessarily CN. On some servers, CN is the full name of a
person. It might be more convenient to use the same identifier used on the local
computer network. In this example, User ID (UID) is used.
You need to determine the levels of the hierarchy from the top to the level that
contains the identifier you want to use. This defines the DN that the FortiGate unit
uses to search the LDAP database. Frequently used distinguished name
elements include:
pw (password)
cn (common name)
ou (organizational unit)
o (organization)
c (country)
One way to test this is with a text-based LDAP client program. For example,
OpenLDAP includes a client, ldapsearch, that you can use for this purpose.
Enter the following command:
ldapsearch -x '(objectclass=*)'
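The following Python helpers are an added example (not FortiOS or OpenLDAP code) that carry the steps above through in code: deriving the DC components from a DNS domain, building the search DN (such as ou=People,dc=example,dc=com), producing a filter for the chosen identifier (cn or uid) with proper escaping, assembling the ldapsearch command line, and parsing the LDIF that ldapsearch prints. Function names, the ALLOWED_ID_ATTRS list and the SAMPLE_LDIF text are assumptions constructed for this example; the -x and -b ldapsearch flags are real OpenLDAP options.

```python
import shlex

# RFC 4515 escapes for values placed inside a search filter.  Without them a
# username containing '*', '(' or ')' would change the meaning of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Identifier attributes this example accepts for the "Common Name" field; the
# page notes the identifier is not necessarily cn, and uid is often used.
ALLOWED_ID_ATTRS = ("cn", "uid")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def domain_to_base_dn(domain: str) -> str:
    """'example.com' -> 'dc=example,dc=com' (the DC components of the tree)."""
    labels = [lbl for lbl in domain.strip().lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty domain")
    return ",".join(f"dc={escape_dn_value(lbl)}" for lbl in labels)


def build_search_base(domain: str, ous: list) -> str:
    """Build the DN the unit searches, e.g. ou=People,dc=example,dc=com.
    `ous` lists organizational units from the lowest level upward."""
    parts = [f"ou={escape_dn_value(ou)}" for ou in ous]
    parts.append(domain_to_base_dn(domain))
    return ",".join(parts)


def build_user_filter(id_attr: str, username: str) -> str:
    """Filter matching one user by the chosen identifier, e.g. (uid=jsmith)."""
    if id_attr not in ALLOWED_ID_ATTRS:
        raise ValueError(f"identifier attribute must be one of {ALLOWED_ID_ATTRS}")
    return f"({id_attr}={escape_filter_value(username)})"


def ldapsearch_command(search_base: str, search_filter: str) -> list:
    """argv for the OpenLDAP client: -x is simple bind, -b sets the search base."""
    return ["ldapsearch", "-x", "-b", search_base, search_filter]


def parse_ldif_entries(text: str) -> list:
    """Parse ldapsearch's LDIF output into a list of {attr: [values]} dicts.
    Handles comment lines, blank-line entry separators and folded lines."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:      # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        attr, sep, value = raw.partition(":")
        if not sep:
            continue                                # not an "attr: value" line
        attr, value = attr.strip(), value.strip()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


# Constructed sample of what ldapsearch might print for two entries under
# ou=People; not real output from any server.
SAMPLE_LDIF = """\
# search result for ou=People,dc=example,dc=com
dn: uid=jsmith,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: John Smith
uid: jsmith

dn: uid=ajones,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Alice Jones
uid: ajones
"""

if __name__ == "__main__":
    base = build_search_base("example.com", ["People"])
    print(shlex.join(ldapsearch_command(base, build_user_filter("uid", "jsmith"))))
    for entry in parse_ldif_entries(SAMPLE_LDIF):
        print(entry["dn"][0], "->", entry["uid"][0])
```

Running the block prints the ldapsearch command you would type to test the search base and the dn/uid of each entry in the sample LDIF. The escaping in build_user_filter and escape_dn_value is the part to keep when adapting this: whatever is typed into the username field reaches the directory only as a literal value, so a malformed name cannot widen the search.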