config user ldap
Configure LDAP server entries.
    config user ldap
        Description: Configure LDAP server entries.
        edit <name>
            set server {string}
            set secondary-server {string}
            set tertiary-server {string}
            set server-identity-check [enable|disable]
            set source-ip {string}
            set source-port {integer}
            set cnid {string}
            set dn {string}
            set type [simple|anonymous|...]
            set two-factor [disable|fortitoken-cloud]
            set two-factor-authentication [fortitoken|email|...]
            set two-factor-notification [email|sms]
            set username {string}
            set password {password}
            set group-member-check [user-attr|group-object|...]
            set group-search-base {string}
            set group-object-filter {string}
            set group-filter {string}
            set secure [disable|starttls|...]
            set ssl-min-proto-version [default|SSLv3|...]
            set ca-cert {string}
            set port {integer}
            set password-expiry-warning [enable|disable]
            set password-renewal [enable|disable]
            set member-attr {string}
            set account-key-processing [same|strip]
            set account-key-filter {string}
            set search-type {option1}, {option2}, ...
            set max-connections {integer}
            set obtain-user-info [enable|disable]
            set user-info-exchange-server {string}
            set interface-select-method [auto|sdwan|...]
            set interface {string}
            set antiphish [enable|disable]
            set password-attr {string}
        next
    end
config user ldap
Parameter | Description | Type | Size | Default
---|---|---|---|---
name | LDAP server entry name. | string | Maximum length: 35 |
server | LDAP server CN domain name or IP. | string | Maximum length: 63 |
secondary-server | Secondary LDAP server CN domain name or IP. | string | Maximum length: 63 |
tertiary-server | Tertiary LDAP server CN domain name or IP. | string | Maximum length: 63 |
server-identity-check | Enable/disable LDAP server identity check (verify server domain name/IP address against the server certificate). | option | - | enable
source-ip | FortiProxy IP address to be used for communication with the LDAP server. | string | Maximum length: 63 |
source-port | Source port to be used for communication with the LDAP server. | integer | Minimum value: 0; Maximum value: 65535 | 0
cnid | Common name identifier for the LDAP server. The common name identifier for most LDAP servers is "cn". | string | Maximum length: 20 | cn
dn | Distinguished name used to look up entries on the LDAP server. | string | Maximum length: 511 |
type | Authentication type for LDAP searches. | option | - | simple
two-factor | Enable/disable two-factor authentication. | option | - | disable
two-factor-authentication | Authentication method by FortiToken Cloud. | option | - |
two-factor-notification | Notification method for user activation by FortiToken Cloud. | option | - |
username | Username (full DN) for initial binding. | string | Maximum length: 511 |
password | Password for initial binding. | password | Not Specified |
group-member-check | Group member checking methods. | option | - | user-attr
group-search-base | Search base used for group searching. | string | Maximum length: 511 |
group-object-filter | Filter used for group searching. | string | Maximum length: 2047 | (&(objectcategory=group)(member=*))
group-filter | Filter used for group matching. | string | Maximum length: 2047 |
secure | Port to be used for authentication. | option | - | disable
ssl-min-proto-version | Minimum supported protocol version for SSL/TLS connections. | option | - | default
ca-cert | CA certificate name. | string | Maximum length: 79 |
port | Port to be used for communication with the LDAP server. | integer | Minimum value: 1; Maximum value: 65535 | 389
password-expiry-warning | Enable/disable password expiry warnings. | option | - | disable
password-renewal | Enable/disable online password renewal. | option | - | disable
member-attr | Name of attribute from which to get group membership. | string | Maximum length: 63 | memberOf
account-key-processing | Account key processing operation, either keep or strip domain string of UPN in the token. | option | - | same
account-key-filter | Account key filter, using the UPN as the search filter. | string | Maximum length: 2047 | (&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
search-type | Search type. | option | - | recursive
max-connections | Maximum LDAP server connections. | integer | Minimum value: 16; Maximum value: 5000 | 64
obtain-user-info | Enable/disable obtaining of user information. | option | - | enable
user-info-exchange-server | MS Exchange server from which to fetch user information. | string | Maximum length: 35 |
interface-select-method | Specify how to select outgoing interface to reach server. | option | - | auto
interface | Specify outgoing interface to reach server. | string | Maximum length: 15 |
antiphish | Enable/disable AntiPhishing credential backend. | option | - | disable
password-attr | Name of attribute to get password hash. | string | Maximum length: 35 | userPassword
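A worked configuration using the parameters above, added here as an illustration and not taken from the FortiProxy documentation: the first entry keeps the default `secure disable`, so the bind password and every authenticating user's credentials cross the network in cleartext and the server is never authenticated; the second uses LDAPS with certificate and identity validation. The server names, base DN, bind account, group OU and CA certificate name are constructed placeholders; `ldaps`, `regular` and `TLSv1-2` are option values elided with "..." in the synopsis and are assumed from FortiOS; lines starting with `#` are comments as in FortiOS configuration files.

```fortios
config user ldap
    # Weak entry (constructed example): cleartext LDAP on 389 with a bind
    # account. The bind password and each user's password are sent
    # unencrypted, and nothing verifies which host answered.
    edit "corp-ad-cleartext"
        set server "ldap.corp.example"
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example"
        set type regular
        set username "cn=svc-fortiproxy,ou=Service Accounts,dc=corp,dc=example"
        set password "REPLACE-WITH-BIND-PASSWORD"
        set secure disable
        set port 389
    next
    # Hardened entry: LDAPS on 636, TLS 1.2 minimum, the server certificate
    # validated against an imported CA and its name matched to "server".
    # Group membership is resolved from the group object, with the search
    # scoped to the groups OU rather than the whole directory.
    edit "corp-ad-ldaps"
        set server "ldap.corp.example"
        set secondary-server "ldap2.corp.example"
        set server-identity-check enable
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example"
        set type regular
        set username "cn=svc-fortiproxy,ou=Service Accounts,dc=corp,dc=example"
        set password "REPLACE-WITH-BIND-PASSWORD"
        set group-member-check group-object
        set group-search-base "ou=Groups,dc=corp,dc=example"
        set group-object-filter "(&(objectcategory=group)(member=*))"
        set secure ldaps
        set ssl-min-proto-version TLSv1-2
        set ca-cert "Corp-Root-CA"
        set port 636
        set max-connections 64
    next
end
```

The bind account only needs read access to the user and group subtrees; the `ca-cert` name must match a CA certificate already imported on the FortiProxy, or the identity check has nothing to validate against.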