Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • REST API Solution Guide

    Home FortiAuthenticator 6.3.0 REST API Solution Guide
    6.3.0
    6.6.2
    6.6.1
    6.6.0
    6.5.5
    6.5.4
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.2
    6.2.1
    6.2.0
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.5.0
    5.4.0
    5.3.0
    5.2.0
    5.1.0
    5.0.0

    LDAP users (/ldapusers/)

    LDAP users (/ldapusers/)

    URL: https://[server_name]/api/[api_version]/ldapusers/

    This endpoint represents imported remote LDAP user resource. This can be found in the FortiAuthenticator GUI under Authentication > Remote Auth. Servers > LDAP.

    Supported fields

    Field Display name Type Required Other restrictions
    username Username string Yes Read-only
    dn Distinguished name string Yes Read-only
    server_name Server name string No Read-only
    server_address Server address string No Read-only
    email E-mail address string No Must be a valid e-mail address
    first_name First name string No max length = 30
    last_name Last name string No max length = 30
    active Account Status boolean No

    reason

    Disable reason

    interger

    No

    Default is 0. One of 0 (manually disabled), 1 (account inactivity), 2 (too many failed attempts), 3 (account expiry), 4 (password expiry), 5 (FTM activation expiry), 6 (revoked token), 7 (usage limit exceeded), or 8 (pending administrator approval).
    mobile_number Mobile number string No max length = 25, must follow international number format: +[country_code]-[number]
    token_auth Token Auth boolean No Whether second factor authentication should be enabled. If true, token_type is required.
    token_type Token Type string No One of ftk, ftm, ftc, email, sms, or dual. If email is chosen, email is required. If SMS is chosen, mobile_number is required.
    token_serial Token Serial string No If token_type is ftm, or ftk, and this is not present or blank, the next available token will be assigned.
    ftm_act_method FTM Activation Delivery Method string No One of email or sms. If email is chosen, email is required. If SMS is chosen, mobile_number is required. Both are required if dual is selected.
    password Password string No max length = 50
    recovery_by_question Allow password recovery with security question boolean No
    recovery_question Password recovery security question string No Required if recovery_by_question is set to true.
    recovery_answer Password recovery security answer string No Required if recovery_by_question is set to true.

    Allowed methods

    HTTP method Resource URI Action
    GET /api/v1/ldapusers/ Get all non-admin LDAP users.
    GET /api/v1/ldapusers/[id]/ Get a specific non-admin LDAP user.
    POST /api/v1/ldapusers/[id]/sendoobtoken/ Send an out-of-band token code (email/SMS token) to an LDAP user.
    POST /api/v1/ldapusers/[id]/verifyrecoveryanswer/ Verify the recovery answer for a specific LDAP user. Note: recovery_answer must be included.
    PATCH /api/v1/ldapusers/[id]/ Update specified fields for a specific LDAP user with ID.

    DELETE

    /api/v1/ldapusers/[id]/

    Delete an LDAP user.

    Allowed filters

    Field Lookup expressions Values
    username exact, iexact, contains, icontains, in
    dn exact, iexact, contains, icontains
    first_name exact, iexact, contains, icontains, in
    last_name exact, iexact, contains, icontains, in
    email exact, iexact, contains, icontains, in
    active exact
    server_name exact, iexact, contains, icontains
    server_address exact, iexact, contains, icontains
    token_type ftk, ftm, ftc, email, sms
    token_serial exact, iexact

    Third-party integration: FTM provisioning

    For integration with a third-party authentication server which needs to manage token validation, it is possible for the FortiAuthenticator to return FTM seed during provisioning. However, certain conditions must be met:

    • Seed may only be returned when provisioning an FTM to an existing user via PATCH method.
    • A GET URL parameter (returnseed=1) needs to be specified to explicitly tell FortiAuthenticator to return an encrypted seed for the token (e.g. https://[server_name]/api/v1/ldapusers/2/?returnseed=1).
    • A seed encryption passphrase must be specified in FortiGuard settings.

    The seed is encrypted and returned as a PSKC XML file string according to RFC 6030. The key is derived from the configured passphrase using the PBKDF2 key derivation function (32 byte key length, 1000 iterations), encrypted with AES 256 CBC encryption, and signed with a SHA256 HMAC.

    Whenever an FTM is provisioned, its activation code will be returned as well.

    Previous
    Next

    LDAP users (/ldapusers/)

    LDAP users (/ldapusers/)

    URL: https://[server_name]/api/[api_version]/ldapusers/

    This endpoint represents imported remote LDAP user resource. This can be found in the FortiAuthenticator GUI under Authentication > Remote Auth. Servers > LDAP.

    Supported fields

    Field Display name Type Required Other restrictions
    username Username string Yes Read-only
    dn Distinguished name string Yes Read-only
    server_name Server name string No Read-only
    server_address Server address string No Read-only
    email E-mail address string No Must be a valid e-mail address
    first_name First name string No max length = 30
    last_name Last name string No max length = 30
    active Account Status boolean No

    reason

    Disable reason

    interger

    No

    Default is 0. One of 0 (manually disabled), 1 (account inactivity), 2 (too many failed attempts), 3 (account expiry), 4 (password expiry), 5 (FTM activation expiry), 6 (revoked token), 7 (usage limit exceeded), or 8 (pending administrator approval).
    mobile_number Mobile number string No max length = 25, must follow international number format: +[country_code]-[number]
    token_auth Token Auth boolean No Whether second factor authentication should be enabled. If true, token_type is required.
    token_type Token Type string No One of ftk, ftm, ftc, email, sms, or dual. If email is chosen, email is required. If SMS is chosen, mobile_number is required.
    token_serial Token Serial string No If token_type is ftm, or ftk, and this is not present or blank, the next available token will be assigned.
    ftm_act_method FTM Activation Delivery Method string No One of email or sms. If email is chosen, email is required. If SMS is chosen, mobile_number is required. Both are required if dual is selected.
    password Password string No max length = 50
    recovery_by_question Allow password recovery with security question boolean No
    recovery_question Password recovery security question string No Required if recovery_by_question is set to true.
    recovery_answer Password recovery security answer string No Required if recovery_by_question is set to true.

    Allowed methods

    HTTP method Resource URI Action
    GET /api/v1/ldapusers/ Get all non-admin LDAP users.
    GET /api/v1/ldapusers/[id]/ Get a specific non-admin LDAP user.
    POST /api/v1/ldapusers/[id]/sendoobtoken/ Send an out-of-band token code (email/SMS token) to an LDAP user.
    POST /api/v1/ldapusers/[id]/verifyrecoveryanswer/ Verify the recovery answer for a specific LDAP user. Note: recovery_answer must be included.
    PATCH /api/v1/ldapusers/[id]/ Update specified fields for a specific LDAP user with ID.

    DELETE

    /api/v1/ldapusers/[id]/

    Delete an LDAP user.

    Allowed filters

    Field Lookup expressions Values
    username exact, iexact, contains, icontains, in
    dn exact, iexact, contains, icontains
    first_name exact, iexact, contains, icontains, in
    last_name exact, iexact, contains, icontains, in
    email exact, iexact, contains, icontains, in
    active exact
    server_name exact, iexact, contains, icontains
    server_address exact, iexact, contains, icontains
    token_type ftk, ftm, ftc, email, sms
    token_serial exact, iexact

    Third-party integration: FTM provisioning

    For integration with a third-party authentication server which needs to manage token validation, it is possible for the FortiAuthenticator to return FTM seed during provisioning. However, certain conditions must be met:

    • Seed may only be returned when provisioning an FTM to an existing user via PATCH method.
    • A GET URL parameter (returnseed=1) needs to be specified to explicitly tell FortiAuthenticator to return an encrypted seed for the token (e.g. https://[server_name]/api/v1/ldapusers/2/?returnseed=1).
    • A seed encryption passphrase must be specified in FortiGuard settings.

    The seed is encrypted and returned as a PSKC XML file string according to RFC 6030. The key is derived from the configured passphrase using the PBKDF2 key derivation function (32 byte key length, 1000 iterations), encrypted with AES 256 CBC encryption, and signed with a SHA256 HMAC.

    Whenever an FTM is provisioned, its activation code will be returned as well.

    Previous
    Next