By Manny Fernandez

May 3, 2020

Binding to LDAP with Minimum Access

Most of the documentation out there will tell you to configure a Domain Admin user to perform LDAP authentication.  When I am doing a Proof-of-Concept (PoC) and I tell a prospective customer to create a Domain Admin user for me, I usually get a sigh and some evil eyes.  Sometimes this is because a different group is required to create that user, and sometimes it is a process with regulatory impact.  Either way, I wanted to set the record straight.

Minimum User in AD

[Screenshot: the minaccess user in AD, showing Domain Users as its only group membership]

I created a normal user named minaccess.  This user, as you can see, is ONLY a member of Domain Users.

I used an AD user named blevy to test the authentication, and yes, this is a real person named Bryan Levy.  I populated my fake lab AD with people I know so that I could remember their names.  So Bryan, here are your 2 seconds of fame.

[Screenshot: the blevy user in AD and its group memberships]

As you can see, he is a member of Domain Users, IT and Professional-Services, although his membership is irrelevant for this test.  The relevant user access and membership is that of minaccess above.

FortiGate LDAP Server

[Screenshot: FortiGate LDAP server configuration]

Here we can see the LDAP server configuration.  You can see that I am using minaccess@myinfoseclab.local as the user to bind to LDAP.  I tested connectivity and it was Successful.

[Screenshot: FortiGate LDAP Test User Credentials result]

Next, I ran the Test User Credentials check with the blevy account.  The user credentials test came back as Successful.

Then I tested the VPN, with the minaccess user binding to LDAP and blevy as the user connecting to the VPN.

[Screenshot: FortiGate User Group configuration]

Here you can see that I created a User Group named MinAccess and tied it to the LDAP server I created.  I chose the IT group since the user blevy was a member of it.
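To make explicit why the bind account needs nothing beyond Domain Users, here is an added example (not code from the original post or from Fortinet) that models the two-stage flow the FortiGate performs: bind as the service account, search the base DN for the user by sAMAccountName, bind again as the user with the password they typed, then apply the group match.  The in-memory directory, the passwords and the DNs are constructed stand-ins for the lab AD; only the names minaccess, blevy, IT and myinfoseclab.local come from the post.  It also includes a check that the bind account holds no group membership beyond Domain Users, which is the property this post is demonstrating.

```python
# Added example, not from the original post: a model of the two-stage LDAP
# authentication a FortiGate performs with a low-privilege bind account.
# FakeDirectory is an in-memory stand-in for AD constructed for this example.
from dataclasses import dataclass, field
import hashlib
import hmac


@dataclass
class DirectoryEntry:
    dn: str
    sam_account_name: str
    password_hash: bytes
    member_of: list = field(default_factory=list)


def _hash(password: str) -> bytes:
    # Stand-in for the directory's password store (constructed for this example).
    return hashlib.sha256(password.encode()).digest()


class FakeDirectory:
    """In-memory stand-in for the AD LDAP service (constructed for this example)."""

    def __init__(self, entries):
        self._by_sam = {e.sam_account_name.lower(): e for e in entries}
        self._by_dn = {e.dn.lower(): e for e in entries}

    def simple_bind(self, dn: str, password: str) -> bool:
        # A simple bind only proves the caller knows the entry's password; it
        # grants no rights beyond those the entry already has.
        entry = self._by_dn.get(dn.lower())
        return entry is not None and hmac.compare_digest(entry.password_hash, _hash(password))

    def search(self, base_dn: str, sam_account_name: str):
        # By default any authenticated domain user can read these attributes,
        # which is why the bind account needs nothing beyond Domain Users.
        entry = self._by_sam.get(sam_account_name.lower())
        if entry and entry.dn.lower().endswith(base_dn.lower()):
            return entry
        return None


BASE_DN = "DC=myinfoseclab,DC=local"
DOMAIN_USERS = f"CN=Domain Users,CN=Users,{BASE_DN}"
IT_GROUP = f"CN=IT,CN=Users,{BASE_DN}"


def authenticate(directory, bind_dn, bind_password, base_dn, username, password, required_group=None):
    """Mirror of the FortiGate flow: bind as the service account, look the user
    up by sAMAccountName, bind as the user, then apply the group match.
    Returns (ok, reason)."""
    if not directory.simple_bind(bind_dn, bind_password):
        return False, "bind account credentials rejected"
    entry = directory.search(base_dn, username)
    if entry is None:
        return False, "user not found under base DN"
    if not directory.simple_bind(entry.dn, password):
        return False, "user credentials rejected"
    if required_group and required_group.lower() not in (g.lower() for g in entry.member_of):
        return False, "user is not a member of the required group"
    return True, "ok"


def bind_account_is_minimal(entry, allowed_groups=(DOMAIN_USERS,)):
    """True when the bind account holds no group membership beyond the default
    Domain Users, i.e. the minimum access this post argues for."""
    allowed = {g.lower() for g in allowed_groups}
    return all(g.lower() in allowed for g in entry.member_of)


# Constructed lab directory modelled on the post's screenshots.
MINACCESS = DirectoryEntry(dn=f"CN=minaccess,CN=Users,{BASE_DN}", sam_account_name="minaccess",
                           password_hash=_hash("bind-Secret-1"), member_of=[DOMAIN_USERS])
BLEVY = DirectoryEntry(dn=f"CN=Bryan Levy,CN=Users,{BASE_DN}", sam_account_name="blevy",
                       password_hash=_hash("user-Secret-2"),
                       member_of=[DOMAIN_USERS, IT_GROUP, f"CN=Professional-Services,CN=Users,{BASE_DN}"])
LAB = FakeDirectory([MINACCESS, BLEVY])

if __name__ == "__main__":
    print("bind account is minimal:", bind_account_is_minimal(MINACCESS))
    print(authenticate(LAB, MINACCESS.dn, "bind-Secret-1", BASE_DN, "blevy", "user-Secret-2", IT_GROUP))
    print(authenticate(LAB, MINACCESS.dn, "bind-Secret-1", BASE_DN, "blevy", "wrong-password", IT_GROUP))
```

Against a real domain controller the two simple_bind calls are LDAP binds (over LDAPS, with the FortiGate's Regular bind type) and search is an LDAP search on sAMAccountName under the configured Distinguished Name; the control flow is the same.  Nothing in it requires the bind account to write to the directory or to read anything a plain domain user cannot, so a Domain Admin bind account is pure excess privilege.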

[Screenshot: FortiGate SSL-VPN Settings with the MinAccess group added]

I added the newly created user group to the SSL-VPN Settings section of the FortiGate.

[Screenshot: firewall policy allowing the MinAccess group]

I modified the firewall policy to allow the MinAccess group, and tested.

[Screenshot: successful SSL-VPN connection as blevy]

Success!!!!!

Hope this helps.
