CLI Reference

config user ldap

Configure LDAP server entries.

config user ldap
    Description: Configure LDAP server entries.
    edit <name>
        set server {string}
        set secondary-server {string}
        set tertiary-server {string}
        set server-identity-check [enable|disable]
        set source-ip {string}
        set source-port {integer}
        set cnid {string}
        set dn {string}
        set type [simple|anonymous|...]
        set two-factor [disable|fortitoken-cloud]
        set two-factor-authentication [fortitoken|email|...]
        set two-factor-notification [email|sms]
        set two-factor-filter {string}
        set username {string}
        set password {password}
        set group-member-check [user-attr|group-object|...]
        set group-search-base {string}
        set group-object-filter {string}
        set group-filter {string}
        set secure [disable|starttls|...]
        set ssl-max-proto-version [SSLv3|TLSv1|...]
        set ssl-min-proto-version [default|SSLv3|...]
        set ca-cert {string}
        set port {integer}
        set password-expiry-warning [enable|disable]
        set password-renewal [enable|disable]
        set member-attr {string}
        set account-key-processing [same|strip]
        set account-key-upn-san [othername|rfc822name|...]
        set account-key-filter {string}
        set search-type {option1}, {option2}, ...
        set max-connections {integer}
        set client-cert-auth [enable|disable]
        set client-cert {string}
        set obtain-user-info [enable|disable]
        set user-info-exchange-server {string}
        set interface-select-method [auto|specify]
        set interface {string}
        set antiphish [enable|disable]
        set password-attr {string}
    next
end
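The two entries below are an added, worked example and are not taken from the original page or from Fortinet's documentation. They show the insecure shape that the defaults produce next to a hardened entry built only from the parameters in the syntax tree above. Server names, the base DN, the service-account DN and the certificate name "CA_Cert_1" are assumed placeholders; the CA certificate is assumed to be already imported on the appliance, and "port1" is an assumed interface name. Lines beginning with "#" are reader comments and can be dropped when pasting into an interactive console.

```fortios
# Weak: what the defaults give you. Cleartext LDAP on 389, and a simple bind,
# which sends each user's password to the directory unencrypted. No server
# certificate is ever checked because no TLS is used.
config user ldap
    edit "ldap-weak"
        set server "dc1.corp.example"
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example"
        set type simple
        set secure disable
        set port 389
    next
end

# Corrected: LDAPS on 636, server identity verified against an imported CA,
# a TLS 1.2 floor, a regular bind with a dedicated read-only service account,
# a secondary server for failover, and a pinned outgoing interface so the
# directory traffic always leaves via the intended path.
config user ldap
    edit "ldap-corp"
        set server "dc1.corp.example"
        set secondary-server "dc2.corp.example"
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example"
        set type regular
        # Service account DN (assumed). Grant it read-only rights on the
        # user and group containers; it needs nothing else.
        set username "cn=svc-fortiproxy-ldap,ou=Service Accounts,dc=corp,dc=example"
        set password "REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"
        # Transport hardening: TLS from the first byte, hostname/IP checked
        # against the certificate chained to CA_Cert_1 (assumed name).
        set secure ldaps
        set port 636
        set server-identity-check enable
        set ca-cert "CA_Cert_1"
        set ssl-min-proto-version TLSv1-2
        set ssl-max-proto-version TLSv1-3
        # Egress path pinned to an assumed management interface.
        set interface-select-method specify
        set interface "port1"
    next
end
```

Note that "server" must be the name that appears in the directory server's certificate when "server-identity-check" is enabled; if you point it at an IP address, the certificate must carry that IP in its SAN or the check fails. To confirm the bind and search work end to end, FortiOS-family devices provide "diagnose test authserver ldap <entry-name> <username> <password>"; that command is not documented on this page and is mentioned here as a common FortiOS diagnostic.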

config user ldap

Each parameter is listed with its description, type, size limits and default. A dash means the parameter has no default.

name
    LDAP server entry name.
    Type: string. Maximum length: 35. Default: -

server
    LDAP server CN domain name or IP. When server-identity-check is enabled, this value is compared with the server certificate, so use the name (or IP) the certificate was issued for.
    Type: string. Maximum length: 63. Default: -

secondary-server
    Secondary LDAP server CN domain name or IP.
    Type: string. Maximum length: 63. Default: -

tertiary-server
    Tertiary LDAP server CN domain name or IP.
    Type: string. Maximum length: 63. Default: -

server-identity-check
    Enable/disable LDAP server identity check (verify the server domain name/IP address against the server certificate). With the check disabled, any certificate chaining to the configured CA is accepted, so an on-path host with such a certificate could answer as the directory.
    Type: option. Default: enable
    Options:
        enable     Enable server identity check.
        disable    Disable server identity check.

source-ip
    FortiProxy IP address to be used for communication with the LDAP server.
    Type: string. Maximum length: 63. Default: -

source-port
    Source port to be used for communication with the LDAP server (0 means no fixed source port).
    Type: integer. Minimum value: 0. Maximum value: 65535. Default: 0

cnid
    Common name identifier for the LDAP server. For most LDAP servers the common name identifier is "cn"; Active Directory deployments commonly use "sAMAccountName" or "userPrincipalName".
    Type: string. Maximum length: 20. Default: cn

dn
    Distinguished name used to look up entries on the LDAP server.
    Type: string. Maximum length: 511. Default: -

type
    Authentication type for LDAP searches.
    Type: option. Default: simple
    Options:
        simple       Simple password authentication without search (the user DN is built from cnid and dn and bound directly).
        anonymous    Bind using anonymous user search.
        regular      Bind using username/password and then search.

two-factor
    Enable/disable two-factor authentication.
    Type: option. Default: disable
    Options:
        disable             Disable two-factor authentication.
        fortitoken-cloud    FortiToken Cloud Service.

two-factor-authentication
    Authentication method used by FortiToken Cloud.
    Type: option. Default: -
    Options:
        fortitoken    FortiToken authentication.
        email         Email one-time password.
        sms           SMS one-time password.

two-factor-notification
    Notification method for user activation by FortiToken Cloud.
    Type: option. Default: -
    Options:
        email    Email notification for activation code.
        sms      SMS notification for activation code.

two-factor-filter
    Filter used to synchronize users to FortiToken Cloud.
    Type: string. Maximum length: 2047. Default: -

username
    Username (full DN) for initial binding.
    Type: string. Maximum length: 511. Default: -

password
    Password for initial binding.
    Type: password. Default: Not Specified

group-member-check
    Group member checking method.
    Type: option. Default: user-attr
    Options:
        user-attr             User attribute checking (read membership from the attribute named by member-attr on the user object).
        group-object          Group object checking (search the group objects under group-search-base for the user).
        posix-group-object    POSIX group object checking.

group-search-base
    Search base used for group searching.
    Type: string. Maximum length: 511. Default: -

group-object-filter
    Filter used for group searching.
    Type: string. Maximum length: 2047. Default: (&(objectcategory=group)(member=*))

group-filter
    Filter used for group matching.
    Type: string. Maximum length: 2047. Default: -

secure
    Transport security to be used for the LDAP connection. With "disable", bind credentials and query results cross the network in cleartext, so use starttls or ldaps wherever the directory supports it and set port accordingly (LDAPS conventionally listens on 636).
    Type: option. Default: disable
    Options:
        disable     No SSL/TLS.
        starttls    Use StartTLS (plain connection on the LDAP port upgraded to TLS).
        ldaps       Use LDAPS (TLS from connection start).

ssl-max-proto-version
    Maximum supported protocol version for SSL/TLS connections.
    Type: option. Default: TLSv1-3
    Options:
        SSLv3      SSLv3.
        TLSv1      TLSv1.
        TLSv1-1    TLSv1.1.
        TLSv1-2    TLSv1.2.
        TLSv1-3    TLSv1.3.

ssl-min-proto-version
    Minimum supported protocol version for SSL/TLS connections. SSLv3, TLSv1 and TLSv1.1 are deprecated; set this to TLSv1-2 or higher unless a legacy directory forces otherwise.
    Type: option. Default: default
    Options:
        default    Follow the system global setting.
        SSLv3      SSLv3.
        TLSv1      TLSv1.
        TLSv1-1    TLSv1.1.
        TLSv1-2    TLSv1.2.
        TLSv1-3    TLSv1.3.

ca-cert
    CA certificate name (a CA certificate already imported on the appliance) used to validate the LDAP server certificate.
    Type: string. Maximum length: 79. Default: -

port
    Port to be used for communication with the LDAP server.
    Type: integer. Minimum value: 1. Maximum value: 65535. Default: 389

password-expiry-warning
    Enable/disable password expiry warnings.
    Type: option. Default: disable
    Options:
        enable     Enable password expiry warnings.
        disable    Disable password expiry warnings.

password-renewal
    Enable/disable online password renewal.
    Type: option. Default: disable
    Options:
        enable     Enable online password renewal.
        disable    Disable online password renewal.

member-attr
    Name of the attribute from which to get group membership.
    Type: string. Maximum length: 63. Default: memberOf

account-key-processing
    Account key processing operation: either keep or strip the domain string of the UPN taken from the client certificate before it is substituted into account-key-filter.
    Type: option. Default: same
    Options:
        same     Same as UPN.
        strip    Strip the domain string from the UPN.

account-key-upn-san
    Define which SAN entry in the client certificate is used for user principal name matching.
    Type: option. Default: othername
    Options:
        othername     Other name in SAN.
        rfc822name    RFC 822 email address in SAN.
        dnsname       DNS name in SAN.

account-key-filter
    Account key filter, using the UPN as the search filter; %s is replaced by the (optionally stripped) UPN. The default filter matches on userPrincipalName and excludes disabled accounts: 1.2.840.113556.1.4.803 is the Active Directory bitwise-AND matching rule, and bit value 2 of userAccountControl is ACCOUNTDISABLE.
    Type: string. Maximum length: 2047. Default: (&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

search-type
    Search type.
    Type: option. Default: recursive
    Options:
        recursive    Recursively retrieve the user-group chain information of a user in a particular Microsoft AD domain.

max-connections
    Maximum number of LDAP server connections.
    Type: integer. Minimum value: 16. Maximum value: 5000. Default: 64

client-cert-auth
    Enable/disable using a client certificate for TLS authentication to the LDAP server.
    Type: option. Default: disable
    Options:
        enable     Enable using a client certificate for TLS authentication.
        disable    Disable using a client certificate for TLS authentication.

client-cert
    Client certificate name.
    Type: string. Maximum length: 79. Default: -

obtain-user-info
    Enable/disable obtaining user information.
    Type: option. Default: enable
    Options:
        enable     Enable obtaining user information.
        disable    Disable obtaining user information.

user-info-exchange-server
    MS Exchange server from which to fetch user information.
    Type: string. Maximum length: 35. Default: -

interface-select-method
    Specify how to select the outgoing interface used to reach the server.
    Type: option. Default: auto
    Options:
        auto       Set the outgoing interface automatically.
        specify    Set the outgoing interface manually.

interface
    Specify the outgoing interface used to reach the server.
    Type: string. Maximum length: 15. Default: -

antiphish
    Enable/disable use of this server as the AntiPhishing credential backend.
    Type: option. Default: disable
    Options:
        enable     Enable AntiPhishing credential backend.
        disable    Disable AntiPhishing credential backend.

password-attr
    Name of the attribute from which to get the password hash for the AntiPhishing credential backend. The bind account must be permitted to read this attribute.
    Type: string. Maximum length: 35. Default: userPassword
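The entry below is an added example, not from the original page or from Fortinet's documentation. It builds on the parameter reference above to show the authorization side: group membership checked from the group objects rather than from the user's own memberOf attribute, a search base narrowed to the groups that matter, and certificate-based user mapping with the account-key parameters. The server name, base DN, service-account DN, OU names and the certificate name "CA_Cert_1" are assumed placeholders; the CA is assumed to be imported already.

```fortios
config user ldap
    edit "ldap-corp-authz"
        set server "dc1.corp.example"
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example"
        set type regular
        set username "cn=svc-fortiproxy-ldap,ou=Service Accounts,dc=corp,dc=example"
        set password "REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"
        set secure ldaps
        set port 636
        set server-identity-check enable
        set ca-cert "CA_Cert_1"
        set ssl-min-proto-version TLSv1-2

        # Group authorization. group-object makes the appliance search the
        # group entries for the user's DN instead of trusting whatever the
        # user object reports in memberOf. The search base is restricted to
        # the OU that holds the groups referenced by FortiProxy user groups,
        # which keeps the query small and the blast radius of a mistyped
        # filter contained. The object filter is the page default; the
        # group-filter limits matching to groups whose name starts with
        # "fpx-" (assumed naming convention).
        set group-member-check group-object
        set group-search-base "ou=Security Groups,dc=corp,dc=example"
        set group-object-filter "(&(objectcategory=group)(member=*))"
        set group-filter "(&(objectcategory=group)(cn=fpx-*))"
        set member-attr "memberOf"
        set search-type recursive

        # Certificate-mapped users. The UPN is read from the "othername"
        # SAN entry of the client certificate and substituted for %s.
        # With account-key-processing set to "same" the full UPN
        # (user@corp.example) is substituted, so the filter matches on
        # userPrincipalName; the second clause excludes disabled accounts
        # (userAccountControl bit 2 via the AD bitwise-AND matching rule).
        set account-key-upn-san othername
        set account-key-processing same
        set account-key-filter "(&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
    next
end
```

If account-key-processing is changed to "strip", the value substituted for %s no longer carries the "@corp.example" suffix, so the default userPrincipalName clause stops matching; in that case match the stripped value against sAMAccountName instead, for example "(&(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))", and keep the disabled-account exclusion so a revoked user whose certificate has not yet expired is still refused.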
