CLI reference

config profile ldap

Use this command to configure LDAP profiles which can query LDAP servers for authentication.

Before using an LDAP profile, verify each LDAP query and connectivity with your LDAP server.

Each LDAP profile contains queries that retrieve configuration data from an LDAP server, such as user groups.

Syntax

config profile ldap
    edit <profile_name>
        set auth-bind-dn {cnid | none | searchuser | upn}
        set authstate {enable | disable}
        set base-dn <basedn_str>
        set bind-dn <binddn_str>
        set bind-password <bindpw_str>
        set cache-state {enable | disable}
        set cache-ttl <ttl_int>
        set cnid-name <cnid_str>
        set dereferencing {never | always | search | find}
        set fallback-port <port_int>
        set fallback-server {<fqdn_str> | <server_ipv4>}
        set port <port_int>
        set query <query_str>
        set scope {base | one | sub}
        set secure {none | ssl}
        set server <name_str>
        set timeout <timeout_int>
        set unauth-bind {enable | disable}
        set upn-suffix <upns_str>
        set version {ver2 | ver3}
    end
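A complete profile, as an added example that is not from the Fortinet documentation: the profile name, server names and DNs are made up, and the closing next before end follows the usual Fortinet CLI convention for an edit block. Left at their defaults, secure none and port 389 make FortiAI send the bind-dn password, and every user's password once authstate is enabled, across the network in cleartext. This profile instead uses LDAPS (secure ssl, port 636) for both the primary and the fallback server, binds with a dedicated read-only account rather than an administrator, restricts the search to the user subtree, and keeps a short cache TTL so that directory changes take effect within the hour.

```text
config profile ldap
    edit "corp-ldap"
        set server ldap.example.com
        set port 636
        set secure ssl
        set fallback-server ldap2.example.com
        set fallback-port 636
        set version ver3
        set base-dn "ou=People,dc=example,dc=com"
        set bind-dn "cn=FortiAI,dc=example,dc=com"
        set bind-password <bindpw_str>
        set unauth-bind disable
        set scope sub
        set dereferencing never
        set query '(& (objectClass=inetOrgPerson) (mail=$m))'
        set timeout 10
        set cache-state enable
        set cache-ttl 60
        set authstate enable
        set auth-bind-dn searchuser
    next
end
```

Before enabling the profile, confirm from another host that ldap.example.com and ldap2.example.com accept LDAPS on 636 and that the bind account can search the base DN; a profile that falls back to a server it cannot reach will only surface the problem as a timeout.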

Variable

Description

Default

<profile_name>

Name of the LDAP profile.

auth-bind-dn {cnid | none | searchuser | upn}

How FortiAI forms the name it binds as when authenticating a user:

none: Do not define a user authentication query.

cnid: Form the user's bind DN by prepending the common name attribute configured in cnid-name, with the user name as its value, to base-dn, for example cn=jsmith,ou=People,dc=example,dc=com.

searchuser: Form the user's bind DN (distinguished name) by using the DN retrieved for that user by the query in this profile.

upn: Form the user's bind name as the user name portion of the email address ($u) followed by @ and the user principal name (UPN) suffix, for example jsmith@example.com. By default, FortiAI uses the mail domain as the UPN suffix. To use a suffix other than the mail domain, also configure upn-suffix <upns_str>.

searchuser

authstate {enable | disable}

Enable to perform user authentication queries.

disable

base-dn <basedn_str>

The DN of the part of the LDAP directory tree where FortiAI searches for user objects, such as ou=People,dc=example,dc=com.

User objects must be child nodes of this location.

bind-dn <binddn_str>

The bind DN of an LDAP user account with permission to search base-dn, such as cn=FortiAI,dc=example,dc=com. Use a dedicated account with read-only rights to the user subtree: an administrator account gives anyone who obtains the profile credentials far more than query access.

This command is optional if your LDAP server does not require FortiAI to authenticate when performing queries and you have enabled unauth-bind.

bind-password <bindpw_str>

The password of bind-dn.

cache-state {enable | disable}

Enable to cache LDAP query results.

Caching LDAP queries can reduce LDAP network traffic when there are frequent queries for information that does not change. However, caching delays the effect of directory changes: for example, a user removed from the directory may continue to match cached query results until the TTL expires.

If you enable this option but queries are not cached, check the TTL value. A TTL value of 0 effectively disables caching.

disable

cache-ttl <ttl_int>

The amount of time, in minutes, that FortiAI caches query results. After the time has elapsed, cached results expire and subsequent requests for that information require FortiAI to query the LDAP server and refresh the cache.

The default TTL value is 1440 minutes (one day). The maximum is 10080 minutes (one week). A value of 0 effectively disables caching.

1440

cnid-name <cnid_str>

Name of the user objects’ common name attribute, such as cn or uid.

dereferencing {never | always | search | find}

How FortiAI dereferences LDAP aliases (entries whose values refer to other entries) encountered during the query:

never: Do not de-reference.

always: Always de-reference.

search: De-reference only when searching.

find: De-reference only when finding the base search object.

never

fallback-port <port_int>

If you have configured a backup LDAP server that listens on a nonstandard port, enter the TCP port number.

The standard port for LDAP is 389. The standard port for SSL-secured LDAP is 636.

If secure is set to ssl, FortiAI uses SSL-secured LDAP to connect to both the primary and the fallback server, so set this port accordingly.

389

fallback-server {<fqdn_str> | <server_ipv4>}

The FQDN or IP address of the backup LDAP server.

If there is no fallback server, enter an empty string ('').

port <port_int>

If your LDAP server listens on a nonstandard port, enter the TCP port number.

The standard port for LDAP is 389. The standard port for SSL-secured LDAP is 636.

389

query <query_str>

An LDAP search filter, enclosed in single quotes ('), that selects the user objects in the LDAP directory.

The filter matches on attributes common to all user objects and excludes non-user objects. For example, if every user object in your directory has both the objectClass and mail attributes, use the filter:

(& (objectClass=inetOrgPerson) (mail=$m))

where $m is the FortiAI variable for the user's email address. Because $m is taken from the address being processed, keep the filter as restrictive as possible and verify against your LDAP server that the substituted filter returns exactly the entries you expect.

This command applies to user-defined schemas only.

For filter syntax, see RFC 4515 (LDAP search filter string representation) or your LDAP server's documentation.

(& (objectClass=inetOrgPerson) (mail=$m))

scope {base | one | sub}

The level of depth to query:

base: Query the basedn level.

one: Query only one level below the basedn in the LDAP directory tree.

sub: Query recursively all levels below the basedn in the LDAP directory tree.

sub

secure {none | ssl}

Whether to connect to LDAP servers using an encrypted connection:

none: Use a non-secure connection. The bind-dn password and, when authstate is enabled, each user's password are then sent over the network in cleartext, and query results can be read or altered in transit.

ssl: Use an SSL-secured (LDAPS) connection. Also set port (and fallback-port) to the LDAPS port, 636 by default.

none

server <name_str>

The FQDN or IP address of the LDAP server.

timeout <timeout_int>

The maximum length of time in seconds that FortiAI waits for query responses from the LDAP server.

10

unauth-bind {enable | disable}

Enable to perform the queries in this profile as an anonymous bind, without supplying a bind DN and password for the directory search.

Many LDAP servers require LDAP queries to be authenticated using a bind DN and password. Enable this option only if your LDAP server permits anonymous searches of base-dn; note that the same user data is then readable by anyone who can reach the server.

If this option is disabled, you must configure bind-dn and bind-password.

disable

upn-suffix <upns_str>

If you want to use a UPN other than the mail domain, enter that UPN. This is useful if users authenticate with a domain other than the mail server’s principal domain name.

version {ver2 | ver3}

The protocol version used to communicate with the LDAP server. LDAPv2 is obsolete (moved to historic status by RFC 3494); use ver3 unless the server supports nothing else.

ver3
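The note at the top of this page tells you to verify each query and the connectivity before relying on a profile, and the auth-bind-dn and query entries describe text that FortiAI substitutes into a search filter or a DN. The following Python is an added example, not FortiAI code, that models those steps offline so they can be checked before the profile is enabled: it substitutes $m (and, as an assumption, $u) into the query filter with RFC 4515 escaping, builds the bind name for each auth-bind-dn mode with RFC 4514 escaping, emits the equivalent OpenLDAP ldapsearch command for a profile, and flags the settings this page warns about. The profile dictionaries, server name and DNs are constructed; whether FortiAI itself escapes the substituted address is not stated on this page, so the injection attempt at the end shows only what a safe substitution must produce.

```python
"""Offline helpers mirroring what a `config profile ldap` entry makes FortiAI do.

Added example, not FortiAI code. Profile keys mirror the CLI variable names; the
server name, DNs and addresses below are constructed for illustration.
"""
import re
import shlex
from typing import Optional

# RFC 4515 section 3: characters that must be hex-escaped inside a filter
# assertion value, so that substituted user input cannot change the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def render_query(query: str, email: str) -> str:
    """Substitute $m (full address) and $u (local part, assumed) into the
    profile's query filter, escaping the substituted text in a single pass."""
    local_part = email.split("@", 1)[0]
    values = {"m": escape_filter_value(email), "u": escape_filter_value(local_part)}
    return re.sub(r"\$([mu])", lambda match: values[match.group(1)], query)

def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value placed in a DN component."""
    out = []
    for i, ch in enumerate(value):
        special = (ch in '\\,+"<>;=' or (ch == "#" and i == 0)
                   or (ch == " " and i in (0, len(value) - 1)))
        out.append("\\" + ch if special else ch)
    return "".join(out)

def bind_name(profile: dict, username: str, email: str,
              found_dn: Optional[str] = None) -> Optional[str]:
    """Name FortiAI would bind as when authenticating the user, per auth-bind-dn."""
    mode = profile["auth-bind-dn"]
    if mode == "none":                     # no user authentication query
        return None
    if mode == "cnid":                     # <cnid-name>=<user>,<base-dn>
        return f"{profile['cnid-name']}={escape_dn_value(username)},{profile['base-dn']}"
    if mode == "searchuser":               # the DN the query returned for the user
        if found_dn is None:
            raise ValueError("searchuser needs the DN found by the query")
        return found_dn
    if mode == "upn":                      # <user>@<upn-suffix, or the mail domain>
        suffix = profile.get("upn-suffix") or email.split("@", 1)[1]
        return f"{email.split('@', 1)[0]}@{suffix}"
    raise ValueError(f"unknown auth-bind-dn mode {mode!r}")

def ldapsearch_command(profile: dict, email: str) -> list:
    """Equivalent OpenLDAP ldapsearch invocation, to verify the query and the
    connectivity from a shell before enabling the profile."""
    scheme = "ldaps" if profile.get("secure") == "ssl" else "ldap"
    argv = ["ldapsearch", "-x",
            "-H", f"{scheme}://{profile['server']}:{profile.get('port', 389)}",
            "-P", "3" if profile.get("version", "ver3") == "ver3" else "2",
            "-b", profile["base-dn"], "-s", profile.get("scope", "sub"),
            "-a", profile.get("dereferencing", "never"),
            "-l", str(profile.get("timeout", 10))]
    if profile.get("unauth-bind") != "enable":
        argv += ["-D", profile["bind-dn"], "-W"]   # -W prompts; password stays out of argv
    return argv + [render_query(profile["query"], email), "dn", "mail"]

def audit_profile(profile: dict) -> list:
    """Settings a reviewer should question; each check restates the reference text."""
    findings = []
    if profile.get("secure", "none") != "ssl":
        findings.append("secure none: bind-password and user passwords cross the network in cleartext")
    if profile.get("secure") == "ssl" and profile.get("port", 389) == 389:
        findings.append("secure ssl with port 389: SSL-secured LDAP normally listens on 636")
    if profile.get("unauth-bind") == "enable":
        findings.append("unauth-bind enable: directory queries run without a bind DN")
    if profile.get("cache-state") == "enable" and profile.get("cache-ttl", 1440) == 0:
        findings.append("cache-state enable with cache-ttl 0: caching is effectively disabled")
    if profile.get("version") == "ver2":
        findings.append("version ver2: LDAPv2 is obsolete, use ver3")
    return findings

# Constructed profile: the CLI defaults plus a server, base DN and bind account.
WEAK_PROFILE = {
    "auth-bind-dn": "searchuser", "base-dn": "ou=People,dc=example,dc=com",
    "bind-dn": "cn=FortiAI,dc=example,dc=com", "cnid-name": "uid",
    "query": "(& (objectClass=inetOrgPerson) (mail=$m))",
    "server": "ldap.example.com", "secure": "none", "port": 389,
}
HARDENED_PROFILE = dict(WEAK_PROFILE, secure="ssl", port=636)

if __name__ == "__main__":
    print(shlex.join(ldapsearch_command(HARDENED_PROFILE, "jsmith@example.com")))
    print(render_query(WEAK_PROFILE["query"], "*)(objectClass=*"))  # injection attempt neutralised
    for finding in audit_profile(WEAK_PROFILE):
        print("finding:", finding)
```

Run the printed ldapsearch command against a test directory: if the search returns exactly one entry for a known user and a bind as that entry's DN with the user's password succeeds, the profile's server, scope, query and bind settings are consistent with each other. The audit function is deliberately limited to conditions this page states; it does not know what FortiAI does with a certificate it cannot validate, because the page does not say.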
