1

Topic: LDAP Authentication on fortigate

==== Required information ====
- iRedMail version: 0.8.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Linux/BSD distribution name and version: Debian
- Related log if you're reporting an issue:
====

Hi,
I am currently trying to authenticate LDAP users with my firewall for VPN purposes. I am able to authenticate just using the DN, but this allows everyone in the LDAP directory to authenticate. So this is what I've done: I have added a child entry under groups in the specified domain, so my LDAP tree looks something like this:

dc=something,dc=com
  o=domains
    domainName=something.com
      ou=Aliases
      ou=Externals
      ou=Groups
         cn=vpnUsers
      ou=Users

The DN for the vpnUsers group ends up being cn=vpnUsers,ou=Groups,domainName=something.com,o=domains,dc=something,dc=com

So I am able to enter this in my firewall, but when I try to establish my VPN connection it fails. If I enter the DN for the whole LDAP server (dc=something,dc=com), authentication works and I am able to establish a VPN connection.

Has anyone else run into this, or does anyone know how to make authentication against groups work? The firewall I am using is a FortiGate 100D.

2

Re: LDAP Authentication on fortigate

I don't know how LDAP authentication works in your firewall, but if it allows you to customize the LDAP filter, you can use existing mail users directly by appending an additional LDAP filter for querying users.

For example, add an additional LDAP attribute/value pair "enabledService=vpn" for existing users (the ones allowed to use the VPN service), then set the LDAP filter like below in your firewall:

(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn))

Reference: http://www.iredmail.org/wiki/index.php? … DAP/CentOS

3

Re: LDAP Authentication on fortigate

Thanks for the tip. The exact code you had did not work, but it gave me a good starting point. The working solution I came up with was that the group-object-filter needed to be set to (&(objectclass=posixgroup)(memberuid=*)). This, along with programming the FortiGate to search in the VPN group, provided the solution I was looking for (to only authenticate users within the VPN group).
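The two filters discussed in posts 2 and 3, evaluated by a small LDAP filter parser over a constructed directory tree shaped like the one in post 1. This is an added example, not code from the thread, from iRedMail or from Fortinet; the entries, uids and the allowed_by_attribute / allowed_by_group helpers are assumptions that model how a VPN gateway applies a per-user filter versus a group-object filter. It also shows why searching under the bare dc=something,dc=com base with no extra filter lets every mail user through.

```python
"""Tiny RFC 4515 LDAP filter evaluator run over a constructed iRedMail-style tree.

Added example; not code from the thread. Supports &, |, !, equality and presence
(attr=*). Substring, ordering and extensible matches and \\XX escapes are not
handled. Attribute names and values compare case-insensitively (caseIgnoreMatch),
which is why "(objectclass=posixgroup)" in post 3 matches objectClass "posixGroup".
"""
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]   # attribute -> values, as stored in the directory
Filter = Tuple                 # ('and'|'or', [f]), ('not', f), ('eq', a, v), ('present', a)


def parse_filter(text: str) -> Filter:
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return node


def _parse(s: str, i: int) -> Tuple[Filter, int]:
    i = _expect(s, i, "(")
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":                                  # (&(f)(f)...) / (|(f)(f)...)
        op, i, kids = ("and" if s[i] == "&" else "or"), i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), _expect(s, i, ")")
    if s[i] == "!":                                   # (!(f))
        kid, i = _parse(s, i + 1)
        return ("not", kid), _expect(s, i, ")")
    end = s.index(")", i)                             # simple item: attr=value
    attr, _, value = s[i:end].partition("=")
    if not attr or attr[-1] in "<>~:" or (value != "*" and "*" in value):
        raise ValueError(f"unsupported filter item {s[i:end]!r}")
    if value == "*":
        return ("present", attr), end + 1
    return ("eq", attr, value), end + 1


def _expect(s: str, i: int, ch: str) -> int:
    if i >= len(s) or s[i] != ch:
        raise ValueError(f"expected {ch!r} at offset {i}")
    return i + 1


def _values(entry: Entry, attr: str) -> List[str]:
    return [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]


def matches(f: Filter, entry: Entry) -> bool:
    kind = f[0]
    if kind == "and":
        return all(matches(k, entry) for k in f[1])
    if kind == "or":
        return any(matches(k, entry) for k in f[1])
    if kind == "not":
        return not matches(f[1], entry)
    if kind == "present":
        return bool(_values(entry, f[1]))
    return any(v.lower() == f[2].lower() for v in _values(entry, f[1]))  # 'eq'


def search(tree: Dict[str, Entry], filter_text: str) -> List[str]:
    """Return the DNs in `tree` that match the filter (subtree scope, sorted)."""
    f = parse_filter(filter_text)
    return sorted(dn for dn, e in tree.items() if matches(f, e))


# Constructed sample tree shaped like post 1 (DNs follow the thread's naming; users are made up).
BASE = "domainName=something.com,o=domains,dc=something,dc=com"
VPN_GROUP_DN = f"cn=vpnUsers,ou=Groups,{BASE}"
TREE: Dict[str, Entry] = {
    f"mail=alice@something.com,ou=Users,{BASE}": {"objectClass": ["mailUser"], "uid": ["alice"],
                                                  "accountStatus": ["active"], "enabledService": ["mail", "vpn"]},
    f"mail=bob@something.com,ou=Users,{BASE}": {"objectClass": ["mailUser"], "uid": ["bob"],
                                                "accountStatus": ["active"], "enabledService": ["mail"]},
    f"mail=carol@something.com,ou=Users,{BASE}": {"objectClass": ["mailUser"], "uid": ["carol"],
                                                  "accountStatus": ["disabled"], "enabledService": ["mail", "vpn"]},
    VPN_GROUP_DN: {"objectClass": ["posixGroup"], "cn": ["vpnUsers"], "memberUid": ["alice"]},
    f"cn=staff,ou=Groups,{BASE}": {"objectClass": ["posixGroup"], "cn": ["staff"]},
}
USER_FILTER = "(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn))"  # post 2
GROUP_FILTER = "(&(objectclass=posixgroup)(memberuid=*))"                             # post 3


def allowed_by_attribute(uid: str) -> bool:
    """Post 2 approach (assumed gateway behaviour): the user's own entry must pass USER_FILTER."""
    f = parse_filter(f"(&(uid={uid}){USER_FILTER})")
    return any(matches(f, e) for e in TREE.values())


def allowed_by_group(uid: str, group_dn: str = VPN_GROUP_DN) -> bool:
    """Post 3 approach (assumed gateway behaviour): the entry at the configured group DN
    must pass GROUP_FILTER and list the uid in memberUid."""
    group = TREE.get(group_dn)
    if group is None or not matches(parse_filter(GROUP_FILTER), group):
        return False
    return uid.lower() in {v.lower() for v in _values(group, "memberUid")}


if __name__ == "__main__":
    print("no extra filter  :", search(TREE, "(objectClass=mailUser)"))   # everyone, as in post 1
    print("post 2 filter    :", search(TREE, USER_FILTER))
    print("post 3 group     :", search(TREE, GROUP_FILTER))
```

With no filter beyond objectClass=mailUser, all three users match, which is the "everyone can authenticate" behaviour from post 1; the attribute filter admits only the active user that carries enabledService=vpn, and the group path admits only uids listed in the vpnUsers group's memberUid. A group with no memberUid at all (cn=staff here) fails the presence test in post 3's filter, which is what the (memberuid=*) term is for.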