# config user ldap

Configure LDAP server entries.

```
config user ldap
    edit <name>
        set server {string}
        set secondary-server {string}
        set tertiary-server {string}
        set status-ttl {integer}
        set server-identity-check [enable|disable]
        set source-ip {string}
        set source-port {integer}
        set cnid {string}
        set dn {string}
        set type [simple|anonymous|...]
        set two-factor [disable|fortitoken-cloud]
        set two-factor-authentication [fortitoken|email|...]
        set two-factor-notification [email|sms]
        set two-factor-filter {string}
        set username {string}
        set password {password}
        set group-member-check [user-attr|group-object|...]
        set group-search-base {string}
        set group-object-filter {string}
        set group-filter {string}
        set secure [disable|starttls|...]
        set validate-server-certificate [disable|enable]
        set ssl-max-proto-version [default|SSLv3|...]
        set ssl-min-proto-version [default|SSLv3|...]
        set ca-cert {string}
        set port {integer}
        set password-expiry-warning [enable|disable]
        set password-renewal [enable|disable]
        set member-attr {string}
        set account-key-processing [same|strip]
        set account-key-cert-field [othername|rfc822name|...]
        set account-key-filter {string}
        set search-type {option1}, {option2}, ...
        set max-connections {integer}
        set client-cert-auth [enable|disable]
        set client-cert {string}
        set obtain-user-info [enable|disable]
        set user-info-exchange-server {string}
        set interface-select-method [auto|specify]
        set interface {string}
        set antiphish [enable|disable]
        set password-attr {string}
    next
end
```

## config user ldap
| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| name | LDAP server entry name. | string | Maximum length: 35 | |
| server | LDAP server CN domain name or IP. | string | Maximum length: 63 | |
| secondary-server | Secondary LDAP server CN domain name or IP. | string | Maximum length: 63 | |
| tertiary-server | Tertiary LDAP server CN domain name or IP. | string | Maximum length: 63 | |
| status-ttl | Time for which server reachability is cached, so that an unreachable server is not retried for at least this period. | integer | Minimum value: 0 Maximum value: 600 | 300 |
| server-identity-check | Enable/disable LDAP server identity check (verify the server domain name/IP address against the server certificate). | option | - | enable |
| source-ip | FortiProxy IP address to be used for communication with the LDAP server. | string | Maximum length: 63 | |
| source-port | Source port to be used for communication with the LDAP server. | integer | Minimum value: 0 Maximum value: 65535 | 0 |
| cnid | Common name identifier for the LDAP server. The common name identifier for most LDAP servers is "cn". | string | Maximum length: 20 | cn |
| dn | Distinguished name used to look up entries on the LDAP server. | string | Maximum length: 511 | |
| type | Authentication type for LDAP searches. | option | - | simple |
| two-factor | Enable/disable two-factor authentication. | option | - | disable |
| two-factor-authentication | Authentication method by FortiToken Cloud. | option | - | |
| two-factor-notification | Notification method for user activation by FortiToken Cloud. | option | - | |
| two-factor-filter | Filter used to synchronize users to FortiToken Cloud. | string | Maximum length: 2047 | |
| username | Username (full DN) for initial binding. | string | Maximum length: 511 | |
| password | Password for initial binding. | password | Not Specified | |
| group-member-check | Group member checking methods. | option | - | user-attr |
| group-search-base | Search base used for group searching. | string | Maximum length: 511 | |
| group-object-filter | Filter used for group searching. | string | Maximum length: 2047 | (&(objectcategory=group)(member=*)) |
| group-filter | Filter used for group matching. | string | Maximum length: 2047 | |
| secure | Transport security mode for the connection to the LDAP server (disable, starttls, ...). | option | - | disable |
| validate-server-certificate | Enable/disable LDAP server certificate validation. | option | - | disable |
| ssl-max-proto-version | Maximum supported protocol version for SSL/TLS connections. | option | - | default |
| ssl-min-proto-version | Minimum supported protocol version for SSL/TLS connections. | option | - | default |
| ca-cert | CA certificate name. | string | Maximum length: 79 | |
| port | Port to be used for communication with the LDAP server. | integer | Minimum value: 1 Maximum value: 65535 | 389 |
| password-expiry-warning | Enable/disable password expiry warnings. | option | - | disable |
| password-renewal | Enable/disable online password renewal. | option | - | disable |
| member-attr | Name of the attribute from which to get group membership. | string | Maximum length: 63 | memberOf |
| account-key-processing | Account key processing operation. The FortiGate will keep either the whole domain or strip the domain from the subject identity. | option | - | same |
| account-key-cert-field | Define the subject identity field in the certificate for user access right checking. | option | - | othername |
| account-key-filter | Account key filter, using the UPN as the search filter. | string | Maximum length: 2047 | (&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) |
| search-type | Search type. | option | - | recursive |
| max-connections | Maximum LDAP server connections. | integer | Minimum value: 16 Maximum value: 5000 | 64 |
| client-cert-auth | Enable/disable using a client certificate for TLS authentication. | option | - | disable |
| client-cert | Client certificate name. | string | Maximum length: 79 | |
| obtain-user-info | Enable/disable obtaining of user information. | option | - | enable |
| user-info-exchange-server | MS Exchange server from which to fetch user information. | string | Maximum length: 35 | |
| interface-select-method | Specify how to select the outgoing interface to reach the server. | option | - | auto |
| interface | Specify the outgoing interface to reach the server. | string | Maximum length: 15 | |
| antiphish | Enable/disable AntiPhishing credential backend. | option | - | disable |
| password-attr | Name of the attribute from which to get the password hash. | string | Maximum length: 35 | userPassword |
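As an added example (not part of the FortiProxy reference), the following Python parses a constructed `config user ldap` block in the CLI format above and flags entries whose transport settings leave the bind credentials exposed: `secure disable`, or an encrypted mode without `validate-server-certificate enable`, `server-identity-check enable`, a `ca-cert`, or an explicit `ssl-min-proto-version`. The mode `ldaps` and the version `TLSv1-2` are assumed to be accepted by the device, since this page elides those option lists.

```python
import shlex
# Constructed sample config (not from the page): one weak and one hardened entry.
SAMPLE_CONFIG = """\
config user ldap
    edit "legacy-ldap"
        set server "ldap.example.internal"
        set secure disable
    next
    edit "corp-ldaps"
        set server "ldaps.example.internal"
        set secure ldaps
        set validate-server-certificate enable
        set server-identity-check enable
        set ssl-min-proto-version TLSv1-2
        set ca-cert "Corp-Root-CA"
    next
end
"""
# Defaults from the reference table for the parameters the audit inspects.
DEFAULTS = {"secure": "disable", "validate-server-certificate": "disable", "ca-cert": "",
            "server-identity-check": "enable", "ssl-min-proto-version": "default"}

def parse_user_ldap(text):
    """Parse a 'config user ldap' block into {entry_name: {param: value}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # strips the quotes around names and values
        if tokens[:1] == ["edit"] and len(tokens) > 1:
            current, entries[tokens[1]] = tokens[1], dict(DEFAULTS)
        elif tokens[:1] == ["set"] and current is not None and len(tokens) > 2:
            entries[current][tokens[1]] = " ".join(tokens[2:])
        elif tokens[:1] == ["next"]:
            current = None
    return entries

def audit_entry(p):
    """Findings for one entry; secure=disable is reported alone since TLS checks do not apply."""
    if p["secure"] == "disable":
        return ["secure=disable: bind credentials and queries travel in cleartext"]
    findings = []
    if p["validate-server-certificate"] != "enable":
        findings.append("validate-server-certificate=disable: server certificate not verified")
    if p["server-identity-check"] != "enable":
        findings.append("server-identity-check=disable: certificate not matched to server name/IP")
    if not p["ca-cert"]:
        findings.append("ca-cert unset: no trust anchor for the LDAP server certificate")
    if p["ssl-min-proto-version"] in ("default", "SSLv3", "TLSv1", "TLSv1-1"):
        findings.append("ssl-min-proto-version=%s: set an explicit minimum of TLSv1-2 or later" % p["ssl-min-proto-version"])
    return findings
```

Run it over the output of `show user ldap` to audit every entry: `{name: audit_entry(p) for name, p in parse_user_ldap(text).items()}`.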