Mail Server - Mail System - Mail Technology Forum (BBS)'s Archiver

chuqiao8250 posted on 2008-1-2 08:01

fortigate

I am using a FortiGate 800 and want to pull user authentication information from LDAP or Windows AD, but I cannot get it to work. Could someone who knows how to do this give me some pointers? Thanks.

mis posted on 2008-1-7 09:24

Post a screenshot of your settings so we can see whether the LDAP configuration is wrong.

Changpen posted on 2008-1-16 12:42

My knowledge is lacking... following this thread.

chuqiao8250 posted on 2008-1-17 16:50

Already sorted it out...

钉子 posted on 2008-1-17 19:57

How did you sort it out? Please share, OP.

chuqiao8250 posted on 2008-1-24 10:40

Please refer to the following document.

chuqiao8250 posted on 2008-1-24 10:42

Fortigate LDAP Server configuration examples, for use with Microsoft Active Directory

The examples below illustrate various ways to configure the Fortigate's LDAP Server settings, and how they relate to Microsoft's Active Directory (Windows Server 2000 or 2003) implementation. The Fortigate's LDAP Server configuration can be used to authenticate users via HTTP, FTP or Telnet prior to accessing a resource, or can be used with VPN authentication.

If the FortiGate's "Common Name Identifier" is left at the default of "cn", then the (Windows Server) user's 'Full Name' must be used to authenticate. The FortiGate's "Distinguished Name" field must also point to the correct level within Active Directory. This restricts authentication of users within an Active Directory structure, based on their position within AD.

A Windows Server 2003 "dsquery" command example output, which can be used to determine the correct 'Distinguished Name' setting to use on a Fortigate for any particular user:
C:\ >dsquery user
"CN=Administrator,CN=Users,DC=deka,DC=com"
"CN=Guest,CN=Users,DC=deka,DC=com"
"CN=user-one,OU=support,DC=deka,DC=com"
"CN=user2,OU=emea,OU=sales,DC=deka,DC=com"
"CN=user3,OU=sales,DC=deka,DC=com"
The example shown below is with the Fortigate's HTTP web authentication feature:

If the Fortigate's "Common Name Identifier" and "Distinguished Name" fields are left blank, then the (Windows Server) 'UPN' (Universal Principal Name) OR 'Display Name' information can be used to authenticate. This method allows all users defined in an Active Directory to be authenticated, regardless of their position within the AD structure.

Example 1:

Example 2:

The following Fortigate debug command 'diag deb appl authd 99' can be activated on the Fortigate to assist in troubleshooting. Examples are provided below:
Fortigate-100 # diag deb appl authd 99

Fortigate-100 # diag deb en

fam_authenticate(): 3 user3 pass3
host=10.100.1.2 port=389
ldap_simple_bind_s(): dn=cn=user3,OU=sales,DC=deka,DC=com pw=pass3
Bind succ
Authentication of user user3 on 10.100.1.2 was successful!

Fortigate-100 # message_loop:258 misc=0, domain_info=4, grp_info=0 cerb_info=0, vf=0
fam_authenticate(): 3 user3 pass3
host=10.100.1.2 port=389
ldap_simple_bind_s(): dn=user3 pw=pass3
Bind succ
Authentication of user user3 on 10.100.1.2 was successful!

Fortigate-100 # fam_authenticate(): 3 user1@deka.com pass1
host=10.100.1.2 port=389
ldap_simple_bind_s(): dn=user1@deka.com pw=pass1
Bind succ
Authentication of user user1@deka.com on 10.100.1.2 was successful!

message_loop:258 misc=0, domain_info=4, grp_info=0 cerb_info=0, vf=0
fam_authenticate(): 3 user1 pass1
host=10.100.1.2 port=389
ldap_simple_bind_s(): dn=user1 pw=pass1
User:user1 Radius or LDAP authentication failed!

Fortigate-100 # fam_authenticate(): 3 First Last pass1
host=10.100.1.2 port=389
ldap_simple_bind_s(): dn=First Last pw=pass1
Bind succ
Authentication of user First Last on 10.100.1.2 was successful!

Fortigate-100 login: message_loop:258 misc=0, domain_info=4, grp_info=0 cerb_info=0, vf=0
fam_authenticate(): 3 user-one pass1
host=10.100.1.2 port=389
ldap_simple_bind_s(): dn=user-one pw=pass1
User:user-one Radius or LDAP authentication failed!

Fortigate-100 login: fam_authenticate(): 3 user-one pass1
host=10.100.1.2 port=389
ldap_simple_bind_s(): dn=cn=user-one,OU=support,DC=deka,DC=com pw=pass1
Bind succ
Authentication of user user-one on 10.100.1.2 was successful!
See also:
http://kc.forticare.com/default.asp?id=432&Lang=1
http://kc.forticare.com/default.asp?id=592&Lang=1
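As an added illustration (not part of the original post or of Fortinet's documentation), the Python below parses the 'diag deb appl authd 99' output quoted above into one record per bind attempt, models the bind DN construction that the examples imply (an assumption drawn from the debug lines, not a documented FortiOS rule), and masks the plaintext passwords that this debug level prints. The sample input is constructed from the excerpts above.

```python
import re

# Constructed sample: excerpts of the 'diag deb appl authd 99' output quoted above.
SAMPLE = """Fortigate-100 # fam_authenticate(): 3 user3 pass3
host=10.100.1.2 port=389
ldap_simple_bind_s(): dn=cn=user3,OU=sales,DC=deka,DC=com pw=pass3
Bind succ
fam_authenticate(): 3 user-one pass1
host=10.100.1.2 port=389
ldap_simple_bind_s(): dn=user-one pw=pass1
User:user-one Radius or LDAP authentication failed!
Fortigate-100 # fam_authenticate(): 3 First Last pass1
host=10.100.1.2 port=389
ldap_simple_bind_s(): dn=First Last pw=pass1
Bind succ
"""


def bind_dn_for(user, cn_identifier, distinguished_name):
    """Model (assumed from the page's examples) of the bind DN the FortiGate sends:
    blank fields bind the login name as typed (UPN or display name), otherwise
    <cn_identifier>=<user>,<distinguished_name>."""
    if not cn_identifier and not distinguished_name:
        return user
    return f"{cn_identifier}={user},{distinguished_name}"


def parse_authd_debug(text):
    """Return one dict per fam_authenticate() call: user, host, bind DN and outcome."""
    attempts, cur = [], None
    for line in text.splitlines():
        m = re.search(r"fam_authenticate\(\): \d+ (.+) \S+$", line)
        if m:  # new attempt; the last token is the password and is not kept
            cur = {"user": m.group(1), "host": "", "bind_dn": "", "success": False}
            attempts.append(cur)
            continue
        if cur is None:
            continue
        if m := re.match(r"host=(\S+) port=\d+", line):
            cur["host"] = m.group(1)
        elif m := re.search(r"ldap_simple_bind_s\(\): dn=(.+?) pw=", line):
            cur["bind_dn"] = m.group(1)
        elif line.startswith("Bind succ"):
            cur["success"] = True
    return attempts


def redact_passwords(text):
    """Mask the plaintext passwords this debug level prints before the output is shared."""
    text = re.sub(r"(fam_authenticate\(\): \d+ .+ )\S+$", r"\g<1><redacted>", text, flags=re.M)
    return re.sub(r"pw=\S+", "pw=<redacted>", text)
```

A failed attempt whose bind DN is a bare login name (as with user-one above) points at blank "Common Name Identifier"/"Distinguished Name" fields being combined with a plain sAMAccountName rather than a UPN or display name.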
