Verifying and Testing LDAP settings using Softerra LDAP Browser

Modified on Fri, 10 May at 9:08 AM

Introduction

The purpose of this guide is to assist in verifying and testing LDAP settings that are used in the Fortinet Security Awareness and Training Service. It is provided without warranty.


Downloading Softerra LDAP Browser

You can download a free copy of Softerra LDAP Browser from this link: https://www.ldapadministrator.com/download.htm#browser

 

Installing Softerra LDAP Browser

Double click the executable and follow the prompts, accepting all defaults.


Allowing the Fortinet Security Awareness and Training Service to Access your LDAP Server

Before running any tests, the first step is to create firewall rules to allow traffic from the Fortinet Security Awareness and Training Service to access your LDAP Directory over the configured ports. You will need to get your security team to create the rule(s).


A rule will need to be created to allow traffic from the following IP addresses over whichever port your LDAP Server is listening on. The default registered ports are:

LDAP: port 389

LDAPS: port 636


If your LDAP Directory listens on a different, non-standard port, then the firewall rule will need to specify that port.

If the rule is not configured correctly, you will receive errors. To test the firewall rule, you will need to run your connection tests from a location on the public side of the firewall (i.e. from the internet) and not from the internal network. We will cover the testing while creating the profile.


Creating a Profile

Launch Softerra LDAP Browser

1)  From the Menu, select the New dropdown menu in the upper left corner and select New Profile…


The Profile Creation Wizard window will appear:


2)  Deselect the Connect to the server right after the profile has been created check box.

3)  Give your Profile Name a meaningful value (e.g. the name of the LDAP server you are connecting to) and select the Next > button.

4)  If your LDAP Directory supports and is configured to communicate using the LDAPS protocol, then select the Use secure connection (SSL) check box in the Security Options section. If your LDAP Directory is configured to communicate over plain LDAP, then leave the box unchecked:


If you select the Use secure connection (SSL) checkbox, the Port: value will change to 636 (this is the registered default port for LDAPS communications).

Note

If your LDAP Directory is configured to listen on a port other than the standard LDAP port (389) or the standard LDAPS port (636), enter the configured port number in the Port: field.

5)  Enter either the public / global FQDN or IP address into the Host field.

6)  Click the Fetch Base DNs button to retrieve the correct default search base.


7)  Select the Next > button.

8)  Select the Other credentials option button and set the Mechanism drop-down to the appropriate value (usually Simple, but you can select the Fetch Supported button to see the methods the server supports):


9)  In the Principal field, enter the username of the account that will be used to connect to the LDAP Directory with read-only access (Example: cn=User,ou=People,o=Company).

10)  Enter the Password for the user specified in step 9.

11)  Select the Save password checkbox to save this password for future logins.


12)  Click the Finish button.


You should now be able to successfully browse your LDAP Directory. If you get errors, then check the error presented. It could be that:

  • The server and port you entered are incorrect. Example error:
    "An error has occurred while loading the RootDSE entry from 216.171.94.145:636. The default schema entry could not be loaded due to inability to access the RootDSE entry. Further processing will be aborted. Try changing your credentials or the server side access control list (ACL)."
  • The firewall rule has not been created, or has not been created correctly. Example error (the same message as for a wrong server or port):
    "An error has occurred while loading the RootDSE entry from 216.171.94.145:636. The default schema entry could not be loaded due to inability to access the RootDSE entry. Further processing will be aborted. Try changing your credentials or the server side access control list (ACL)."
  • The username and password you entered are incorrect. Example error:
    "The operation being requested was not performed because the user has not been authenticated. In order to perform this operation a successful bind must be completed on the connection."


Creating and testing an accurate LDAP filter

To ensure you do not load too many users, or the incorrect users, into the system, the Fortinet Security Awareness and Training Service deployment team recommends testing your LDAP filter to confirm that the anticipated number of users (and the correct users) are returned. These will be the users who are loaded into the system. You must ensure that you do not exceed your license limit; otherwise you will need to delete your configuration in the SATS service, wait for the users who were incorrectly synced to be suspended, and wait for the user seat count to fall back below your license threshold.

Once you have verified you can connect to the LDAP server, ensure you are on the default search base of your choosing (one high enough in the DIT structure to be able to filter all applicable users for import).


Sample LDAP filter

(&(objectClass=user)(memberOf=<DN of Distribution Group>)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))


The above LDAP filter contains the following logic:


Entries must have the object class user associated with their entry -AND- they must belong to the distribution group whose DN is entered -AND- the user account must NOT be deactivated/disabled (the userAccountControl bitwise test excludes accounts with the disabled bit, value 2, set).


Note

You must use the DN of a distribution group. Security Groups are not supported.  
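To see exactly which entries the sample filter above admits before running it against a live directory, the following added example (not part of this guide or of Softerra) parses the filter and evaluates it against constructed Active Directory-style entries; the group DN, user names and attribute values are all made up for the demonstration.

```python
# Added example (not from the guide or Softerra): evaluates the guide's sample
# filter offline against constructed AD-style entries to show which accounts it admits.
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # Microsoft LDAP_MATCHING_RULE_BIT_AND
GROUP_DN = "CN=Awareness Training,OU=Groups,DC=example,DC=com"  # constructed group DN
# The guide's sample filter with <DN of Distribution Group> filled in; bit 2 of
# userAccountControl is ACCOUNTDISABLE, so the (!...) clause drops disabled accounts.
SAMPLE_FILTER = (f"(&(objectClass=user)(memberOf={GROUP_DN})"
                 f"(!(userAccountControl:{BIT_AND_RULE}:=2)))")

def parse(s, i=0):
    """Minimal RFC 4515 parser: returns (node, index just past the closing ')')."""
    assert s[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if s[i] in "&|!":                       # compound filter: (&...) (|...) (!...)
        op, items, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            items.append(node)
        return (op, items), i + 1
    j = s.index(")", i)                     # a value containing ')' would need \29 escaping
    attr, value = s[i:j].split("=", 1)
    # extensible match is written attr:ruleOID:=value; plain equality carries no rule
    attr, rule = attr.split(":", 2)[:2] if ":" in attr else (attr, None)
    return ("cmp", attr.lower(), rule, value), j + 1

def evaluate(node, entry):
    """entry maps lowercase attribute names to lists of string values."""
    if node[0] == "&":
        return all(evaluate(n, entry) for n in node[1])
    if node[0] == "|":
        return any(evaluate(n, entry) for n in node[1])
    if node[0] == "!":
        return not evaluate(node[1][0], entry)
    _, attr, rule, value = node
    values = entry.get(attr, [])
    if rule == BIT_AND_RULE:                # matches when every bit of value is set
        return any(int(v) & int(value) == int(value) for v in values)
    return any(v.lower() == value.lower() for v in values)  # AD equality ignores case

def run_filter(filter_str, entries):
    """Return the DNs of the (dn, attrs) pairs that match, in directory order."""
    tree, _ = parse(filter_str)
    return [dn for dn, attrs in entries if evaluate(tree, attrs)]

def user(cn, uac, groups):                  # builds one constructed user entry
    return (f"CN={cn},OU=People,DC=example,DC=com",
            {"objectclass": ["top", "person", "user"], "memberof": groups,
             "useraccountcontrol": [str(uac)]})

# Constructed directory: enabled member, disabled member (512 | 2), non-member, computer.
ENTRIES = [user("Alice", 512, [GROUP_DN]), user("Bob", 514, [GROUP_DN]),
           user("Carol", 512, []),
           ("CN=PC01,OU=Computers,DC=example,DC=com",
            {"objectclass": ["top", "computer"], "useraccountcontrol": ["4096"]})]
```

Running `run_filter(SAMPLE_FILTER, ENTRIES)` returns only Alice; the length of that list is the seat count to compare against your license limit before syncing.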


Verifying and Testing your LDAP filter using Softerra

After successfully connecting to your Directory through your firewall and retrieving users, you should verify that your LDAP filter is well formed and returns only the desired users.

Verifying your LDAP Filter:

1)  From the toolbar, select the Directory Search icon:


The Directory Search Window appears:


2)  Verify that your Search DN value is accurate (it must match what you will enter in the LDAP configuration to harvest and sync users).

3)  Enter the Filter you would like to test and click the Launch Filter Builder button to verify the logic in your Filter:


If your filter is correctly formatted, you can verify the logic, or, if you receive an error message, you must correct the issue in your filter:


4)  Select the Cancel button to return to the Directory Search window.


Testing your LDAP filter:

  1. Click the Filter field to place the cursor at the end of the Filter value, then press the <Enter> key and verify that the number of entries returned is what you expect. Also verify that the entries returned are the ones your filter is intended to select:

