I mentioned yesterday that I recently received a Fortigate 60C firewall. One of the main reasons for getting it, besides the awesome price, was its ability to do DLP, web filtering and a bunch of other cool tools as part of their unified threat management. Well, yesterday I was playing with web filtering and I found a really interesting feature.
You can limit access to certain websites by user, and those users can be authenticated against Active Directory over LDAP. The issue I found with the default settings is that the firewall looks users up by their CN (Common Name), but I want my users to be able to log in with their regular username. For instance, if your company uses first.last as the username format, that's what I want them to type.
To do that, we first configure the LDAP server settings to point at our domain controller, then change the identifier so the firewall looks users up by their AD username:
- Go to User > Remote > LDAP
- Click Create New
- Give it a name
- Enter the IP address of your domain controller
- Leave the Server Port at 389
- Change the Common Name Identifier to sAMAccountName <- AD Username!
- Change the Bind Type to Regular
- Enter the User DN for a domain administrator account (See below)
- Enter the password for your domain administrator account
- Now click the Browse button next to Distinguished Name and browse to the OU where your users are.
- Click OK
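To make the effect of the Common Name Identifier setting concrete, here is an added example (my own code, not from the original post or from Fortinet) that models the two-step lookup the firewall performs: bind with the service account, search the chosen OU for an entry whose identifier attribute equals the typed username, then verify the user's own password. The directory, DNs, account names and passwords are all constructed sample data; the search only models simple equality filters and `*` wildcards, which is enough to show why `cn` fails for a `first.last` login, why `sAMAccountName` succeeds, and why the username must be escaped before it goes into the filter.

```python
# Added example: a stand-alone model of the LDAP lookup a FortiGate performs when
# the Common Name Identifier is set to sAMAccountName. All entries, DNs and
# passwords below are constructed sample data, not a real directory.
import hmac
import re

# RFC 4515 escaping for values placed in an LDAP search filter. Without it a
# username such as "*" or "jane)(objectClass=*" would change the filter's meaning.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(cnid: str, username: str) -> str:
    """The filter the firewall sends: (<Common Name Identifier>=<escaped username>)."""
    return f"({cnid}={escape_filter_value(username)})"


# Constructed sample directory: each entry carries its DN and a few attributes.
SAMPLE_DIRECTORY = [
    {"dn": "CN=Jane Doe,OU=Staff,DC=example,DC=local",
     "cn": "Jane Doe", "sAMAccountName": "jane.doe", "password": "Winter2013!"},
    {"dn": "CN=John Smith,OU=Staff,DC=example,DC=local",
     "cn": "John Smith", "sAMAccountName": "john.smith", "password": "Spring2013!"},
    {"dn": "CN=svc-fortigate,OU=Service Accounts,DC=example,DC=local",
     "cn": "svc-fortigate", "sAMAccountName": "svc-fortigate", "password": "B1ndOnly!"},
]


def _in_subtree(dn: str, base_dn: str) -> bool:
    """True if dn sits at or below base_dn (the OU browsed to in the GUI)."""
    return dn.lower() == base_dn.lower() or dn.lower().endswith("," + base_dn.lower())


def _unescape(piece: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), piece)


def _value_matcher(raw: str) -> re.Pattern:
    """Turn a filter value into a regex: unescaped '*' is a wildcard, escaped
    sequences such as \\2a are literal characters."""
    literal_pieces = [re.escape(_unescape(p)) for p in raw.split("*")]
    return re.compile("^" + ".*".join(literal_pieces) + "$", re.IGNORECASE)


def search(directory, base_dn: str, ldap_filter: str):
    """Evaluate one equality filter "(attr=value)" over the sample directory."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("only simple equality filters are modelled here")
    attr, matcher = m.group(1), _value_matcher(m.group(2))
    return [e for e in directory
            if _in_subtree(e["dn"], base_dn)
            and attr not in ("dn", "password")
            and matcher.match(e.get(attr, "") or "")]


def authenticate(directory, bind_dn, bind_password, base_dn, cnid, username, password):
    """Model of the firewall's flow: service-account bind, search by cnid under
    base_dn, then the user's own bind. Returns (ok, detail)."""
    svc = [e for e in directory if e["dn"] == bind_dn]
    if not svc or not hmac.compare_digest(svc[0]["password"], bind_password):
        return (False, "service account bind failed")
    hits = search(directory, base_dn, build_user_filter(cnid, username))
    if len(hits) != 1:
        return (False, f"{len(hits)} entries matched {cnid}={username!r}")
    user = hits[0]
    if not hmac.compare_digest(user["password"], password):
        return (False, "user bind failed")
    return (True, user["dn"])


if __name__ == "__main__":
    svc_dn = "CN=svc-fortigate,OU=Service Accounts,DC=example,DC=local"
    base = "OU=Staff,DC=example,DC=local"
    # Default CN identifier: "jane.doe" never matches "Jane Doe".
    print(authenticate(SAMPLE_DIRECTORY, svc_dn, "B1ndOnly!", base, "cn", "jane.doe", "Winter2013!"))
    # sAMAccountName identifier: the AD username works.
    print(authenticate(SAMPLE_DIRECTORY, svc_dn, "B1ndOnly!", base, "sAMAccountName", "jane.doe", "Winter2013!"))
    # An unescaped "*" would match every user in the OU; the escaped form matches none.
    print(len(search(SAMPLE_DIRECTORY, base, "(sAMAccountName=*)")))
    print(len(search(SAMPLE_DIRECTORY, base, build_user_filter("sAMAccountName", "*"))))
```

Two things the model makes visible: the OU you browse to in the Distinguished Name field is the search base, so users outside it are simply not found, and the service account used for the Regular bind only has to read the user's attributes under that OU, which an ordinary, read-only domain account can do; using a domain administrator for the bind works but is more privilege than the lookup needs.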