Technical Note: Configuring Active Directory groups as remote administrators in FortiManager and FortiAnalyzer
Products
FortiAnalyzer v5.0
FortiAnalyzer v5.2
FortiManager v5.0
FortiManager v5.2
Description
This article gives an example of configuring Active Directory groups as remote administrators in FortiManager and FortiAnalyzer using an LDAP query.

The goal is to give admin rights only to users that are members of a specific AD security group.

This example uses AD as it is a popular directory solution, but the configuration will be similar for many other LDAP servers.
Solution
Active Directory
  • There is a primary domain controller at 10.0.0.1 and a secondary one at 10.0.0.11.
  • The test domain is called “tri.ton”.
  • OU “RemoteAdmins” contains the admin groups “fmgAdmins” and “fazAdmins”, which will be used here, together with the service account “LDAPservice”.
  • “LDAPservice” has domain admin privileges and a password that never expires, and is used as the LDAP bind account.
  • The users “test1” and “test2” from the container “Users” will be the new FortiManager admins.

The CLI is used to configure this on FortiManager or FortiAnalyzer. For example:
config system admin ldap
  edit "AD1"
    set server "10.0.0.1"
    set secondary-server "10.0.0.11"
    set port 389
    set cnid "sAMAccountName"
    set dn "DC=tri,DC=ton"
    set type regular
    set username "CN=LDAPservice,OU=RemoteAdmins,DC=tri,DC=ton"
    set password ADpaSSword!2#
    set adom "all_adoms"
    set group CN=fmgAdmins,OU=RemoteAdmins,DC=tri,DC=ton
    set filter (&(objectcategory=group)(member=*))
  next
end
With this configuration, a domain user can log in to FortiManager only if they are a member of the group "fmgAdmins". The same applies to FortiAnalyzer.

Some of the above settings are also available in the GUI under System Settings > Remote Auth Server.

All CLI options for the LDAP configuration can be found in the CLI Reference Guides, which are available in the Fortinet Document Library; use the following link for FortiAnalyzer v5.2.

Once the LDAP server setting is ready, it can be used in a wildcard admin user configuration. For example:
config system admin user
  edit "RemoteAdmins"
    set profileid "Super_User"
    set adom "all_adoms"
    set policy-package "all_policy_packages"
    set user_type ldap
    set ldap-server "AD1"
    set wildcard enable
  next
end
Or from the GUI:

With the above configuration, the test users can now log in to FortiManager with their "sAMAccountName" (User Logon Name) and AD password.
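The following is an added, offline walk-through of how the settings in the two CLI blocks above fit together (cnid and dn locate the user, group and filter decide whether that user is an admin). It is example code written for this note, not Fortinet code: the tri.ton directory is a constructed mock, and the evaluation order (resolve the login to a user DN under dn, then require the configured group entry to match the filter and to list that DN in its member attribute) is an assumption modelled on the CLI settings, not a description of FortiManager internals.

```python
"""Offline model of the group-membership check behind 'config system admin ldap'.
Added example, not Fortinet code: DIRECTORY is a constructed mock of tri.ton and the
evaluation order is an assumption modelled on the CLI settings."""
from fnmatch import fnmatchcase

# Constructed mock of the tri.ton directory: DN -> attributes. AD attribute names are
# case-insensitive, so keys are stored in lower case.
SCHEMA = "CN=Schema,CN=Configuration,DC=tri,DC=ton"
DIRECTORY = {
    "CN=test1,CN=Users,DC=tri,DC=ton": {
        "objectcategory": [f"CN=Person,{SCHEMA}"], "samaccountname": ["test1"]},
    "CN=test2,CN=Users,DC=tri,DC=ton": {
        "objectcategory": [f"CN=Person,{SCHEMA}"], "samaccountname": ["test2"]},
    "CN=test3,CN=Users,DC=tri,DC=ton": {   # a domain user who is in no admin group
        "objectcategory": [f"CN=Person,{SCHEMA}"], "samaccountname": ["test3"]},
    "CN=fmgAdmins,OU=RemoteAdmins,DC=tri,DC=ton": {
        "objectcategory": [f"CN=Group,{SCHEMA}"],
        "member": ["CN=test1,CN=Users,DC=tri,DC=ton", "CN=test2,CN=Users,DC=tri,DC=ton"]},
    "CN=fazAdmins,OU=RemoteAdmins,DC=tri,DC=ton": {
        "objectcategory": [f"CN=Group,{SCHEMA}"],
        "member": ["CN=test2,CN=Users,DC=tri,DC=ton"]},
}

# The relevant values from the 'config system admin ldap' block (group can be swapped).
FMG_LDAP = {
    "cnid": "sAMAccountName",
    "dn": "DC=tri,DC=ton",
    "group": "CN=fmgAdmins,OU=RemoteAdmins,DC=tri,DC=ton",
    "filter": "(&(objectcategory=group)(member=*))",
}


def parse_filter(text):
    """Parse the RFC 4515 subset used here: (&...), (|...), (!...) and (attr=value),
    where the value '*' is a presence test and other '*' characters are wildcards."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError("only equality/presence items are supported")
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip())

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(entry, tree):
    """Evaluate a parsed filter against one directory entry."""
    op = tree[0]
    if op == "&":
        return all(matches(entry, child) for child in tree[1])
    if op == "|":
        return any(matches(entry, child) for child in tree[1])
    if op == "!":
        return not matches(entry, tree[1][0])
    _, attr, wanted = tree
    values = entry.get(attr, [])
    if wanted == "*":                       # presence test, e.g. (member=*)
        return bool(values)
    if attr == "objectcategory":
        # AD resolves a bare class name such as 'group' to the schema object's DN,
        # so compare against the leading RDN value of each stored DN.
        values = [v.split(",", 1)[0].split("=", 1)[-1] for v in values]
    return any(fnmatchcase(v.lower(), wanted.lower()) for v in values)


def find_user_dn(directory, cnid, base_dn, login):
    """Locate the user as 'set cnid' and 'set dn' describe: a subtree search under
    base_dn for an entry whose cnid attribute equals the login name."""
    hits = [dn for dn, attrs in directory.items()
            if dn.lower().endswith(base_dn.lower())
            and login.lower() in (v.lower() for v in attrs.get(cnid.lower(), []))]
    return hits[0] if len(hits) == 1 else None   # missing or ambiguous -> no match


def admin_allowed(directory, settings, login):
    """True only when the login resolves to one user DN and the configured group
    both satisfies the filter and lists that DN in its member attribute."""
    user_dn = find_user_dn(directory, settings["cnid"], settings["dn"], login)
    if user_dn is None:
        return False
    group = directory.get(settings["group"])
    if group is None or not matches(group, parse_filter(settings["filter"])):
        return False
    return user_dn.lower() in (m.lower() for m in group.get("member", []))


if __name__ == "__main__":
    for name in ("test1", "test2", "test3", "nobody"):
        verdict = "allowed" if admin_allowed(DIRECTORY, FMG_LDAP, name) else "denied"
        print(f"{name}: {verdict}")
```

Running the script shows test1 and test2 allowed and test3 and nobody denied; changing FMG_LDAP["group"] to the fazAdmins DN leaves only test2 allowed, which is the effect of pointing the FortiAnalyzer configuration at its own group. Against the live domain controllers the same lookup can be confirmed with ldapsearch using the bind DN from the configuration before the settings are committed; note that a bind account used only for these lookups needs read access to the user and group objects, not domain admin rights.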

Last Modified Date: 12-05-2018 Document ID: FD37328