Technical Note: Configuring Active Directory groups as remote administrators in FortiManager and FortiAnalyzer
This article gives an example of configuring Active Directory groups as remote administrators in FortiManager and FortiAnalyzer using an LDAP query.
The goal is to give admin rights to users that are members of a certain AD security group.
This example uses AD because it is a popular directory solution, but the configuration will be similar for many other LDAP servers.
There is a primary domain controller at 10.0.0.1 and a secondary one at 10.0.0.11.
The test domain is called “tri.ton”.
The OU “RemoteAdmins” contains the admin groups “fmgAdmins” and “fazAdmins”, which will be used along with the service account “LDAPservice”.
“LDAPservice” is configured with domain admin privileges and a never-expiring password, and will be used as the LDAP bind account.
The users “test1” and “test2” from the container “Users” will be the new FortiManager admins.
The CLI will be used to set this on the FortiManager or FortiAnalyzer. For example:
config system admin ldap
    edit "AD1"
        set server "10.0.0.1"
        set secondary-server "10.0.0.11"
        set port 389
        set cnid "sAMAccountName"
        set dn "DC=tri,DC=ton"
        set type regular
        set username "CN=LDAPservice,OU=RemoteAdmins,DC=tri,DC=ton"
        set password ADpaSSword!2#
        set adom "all_adoms"
        set group CN=fmgAdmins,OU=RemoteAdmins,DC=tri,DC=ton
        set filter (&(objectcategory=group)(member=*))
    next
end
With this configuration, domain users can log in to FortiManager only if they are members of the group "fmgAdmins". The same applies to FortiAnalyzer.
Some of the above settings are also available in the GUI under System Settings > Remote Auth Server.
Once the LDAP setting is ready it can be used in a wildcard admin user configuration. For example:
config system admin user
    edit "RemoteAdmins"
        set profileid "Super_User"
        set adom "all_adoms"
        set policy-package "all_policy_packages"
        set user_type ldap
        set ldap-server "AD1"
        set wildcard enable
    next
end
Or from the GUI:
With the above configuration, the test users can now log in to FortiManager with their "sAMAccountName" (User Logon Name) and AD password.
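The login decision described above, replayed offline as an added example (not Fortinet code): it parses the note's "config system admin ldap" block, looks the user up by cnid under the base DN in a constructed in-memory copy of the tri.ton directory, and admits only members of the configured group. The directory entries, the user "test3" and the pre-deployment checks are assumptions of this example.

```python
# Added example (not Fortinet code): replay the admin lookup that the note's
# 'config system admin ldap' block defines, against a constructed in-memory directory.
import re

# CLI block from the note, abridged to the keys the lookup uses.
FMG_LDAP_CLI = """
config system admin ldap
    edit "AD1"
        set server "10.0.0.1"
        set secondary-server "10.0.0.11"
        set port 389
        set cnid "sAMAccountName"
        set dn "DC=tri,DC=ton"
        set username "CN=LDAPservice,OU=RemoteAdmins,DC=tri,DC=ton"
        set group CN=fmgAdmins,OU=RemoteAdmins,DC=tri,DC=ton
        set filter (&(objectcategory=group)(member=*))
    next
end
"""

def parse_ldap_block(cli: str) -> dict:
    """Collect 'set <key> <value>' lines into a dict, stripping surrounding quotes."""
    return {m.group(1): m.group(2).strip().strip('"')
            for m in (re.match(r"\s*set\s+(\S+)\s+(.*)$", line) for line in cli.splitlines()) if m}

# Constructed directory (DN -> attributes, DNs lowercased): test1/test2 are in fmgAdmins, test3 is not.
DIRECTORY = {
    "cn=test1,cn=users,dc=tri,dc=ton": {"sAMAccountName": "test1"},
    "cn=test2,cn=users,dc=tri,dc=ton": {"sAMAccountName": "test2"},
    "cn=test3,cn=users,dc=tri,dc=ton": {"sAMAccountName": "test3"},
    "cn=fmgadmins,ou=remoteadmins,dc=tri,dc=ton": {"objectCategory": "group",
        "member": ["cn=test1,cn=users,dc=tri,dc=ton", "cn=test2,cn=users,dc=tri,dc=ton"]},
}

def admin_login_allowed(cfg: dict, directory: dict, login: str) -> bool:
    """Find the user by cnid under the base DN; admit only if the configured group lists its DN."""
    base, group = cfg["dn"].lower(), directory.get(cfg["group"].lower(), {})
    user_dn = next((dn for dn, a in directory.items() if dn.endswith(base)
                    and a.get(cfg["cnid"], "").lower() == login.lower()), None)
    return user_dn is not None and group.get("objectCategory") == "group" \
        and user_dn in group.get("member", [])

def config_findings(cfg: dict) -> list:
    """Pre-deployment checks: DNs must sit under the base DN; plain LDAP on 389 leaks the bind password."""
    findings = [f"{k} is outside base DN {cfg['dn']}" for k in ("username", "group")
                if not cfg[k].lower().endswith(cfg["dn"].lower())]
    if cfg.get("port") == "389":
        findings.append("port 389 without TLS sends the bind password in cleartext")
    return findings
```

Running config_findings on the note's block reports only the cleartext-bind finding; the login replay admits test1 and test2 and refuses test3 and the bind account itself.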
Last Modified Date: 12-05-2018 Document ID: FD37328