@Burekasim
Created January 31, 2022 08:10
Fortigate with Google workspaces (Gsuite) LDAP authentication
This is a short guide that explains how to use FortiClient with Google Workspace (Gsuite) LDAP.
* Google Workspace LDAP is only available for customers with one of the following subscriptions: Business Plus; Enterprise; Education Fundamentals, Standard, Teaching and Learning Upgrade, and Plus.
Requirements:
1. A Google Workspace subscription.
2. A FortiGate.
3. A server to run stunnel on.
Setup instructions:
1. Enable Google Workspace LDAP and download the certificate. More details are available in this guide: https://support.google.com/a/answer/9048434?hl=en
2. Connect to the server and deploy stunnel according to the "Optional: Use stunnel as a proxy" section in this article: https://support.google.com/a/answer/9089736?hl=en . Make sure the stunnel listener is reachable only from the FortiGate: the FortiGate-to-stunnel leg is plain LDAP (stunnel adds the TLS towards Google), so it must not be exposed to anything else.
3. Configure the FortiGate LDAP server; you can use the following example:
```
config user ldap
    edit "google"
        # server IP (the stunnel host)
        set server "xxx.xxx.xxx.xxx"
        # stunnel service port
        set port 636
        # cnid can be "uid" to log in with the user name part ([email protected]) or "mail" to log in with the full email address.
        # More options are listed in this article: https://support.google.com/cloudidentity/answer/9188164?hl=en
        set cnid "mail"
        # LDAP distinguished name. To allow all users in the igal.co.il domain to log in we use the following DN;
        # to allow only a certain group of users, use the LDAP schema described here: https://support.google.com/cloudidentity/answer/9188164?hl=en
        set dn "ou=Users,dc=igal,dc=co,dc=il"
        set type regular
        # LDAP user used for the bind
        set username "[email protected]"
        # password of the LDAP bind user
        set password ThisIsASamplePassword
    next
end
```
The next step is to create a local user that authenticates against the LDAP server:
```
config user local
    edit "[email protected]"
        set type ldap
        set ldap-server "google"
    next
end
```
That's it, pretty simple. If you want to enforce 2FA, you will need to configure it at the FortiGate level (FortiToken/email/SMS).
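As an added example that is not part of the original gist, here is a stunnel.conf for the proxy of step 2 that applies the restriction the guide asks for: the listener is bound to the one address the FortiGate uses, and Google's server certificate is verified before the bind credentials are sent. The address 10.0.0.5, the certificate and CA bundle paths, and the Debian `stunnel4` service user are assumptions.

```ini
; stunnel.conf for the Google Workspace LDAP proxy (example added here, not from the guide)
; Drop privileges after start; stunnel4 is Debian's service user (assumption).
setuid = stunnel4
setgid = stunnel4

[google-ldap]
client = yes
; Listen only on the address the FortiGate talks to (10.0.0.5 is a constructed example).
; This leg carries plain LDAP, including the bind password, so nothing else may reach it.
accept = 10.0.0.5:636
connect = ldap.google.com:636
; Client certificate and key downloaded from the Google Admin console in step 1 (paths assumed).
cert = /etc/stunnel/google-ldap-client.crt
key = /etc/stunnel/google-ldap-client.key
; Verify Google's server certificate chain and hostname against the system CA bundle
; (Debian/Ubuntu bundle path assumed), so the proxy refuses to bind through an impostor.
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = ldap.google.com
```

The FortiGate's `set server` value is then 10.0.0.5, and a host firewall rule on the stunnel server should allow 636/tcp from the FortiGate's address only.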