
Creating the configuration file

A configuration file is required to sync users from your LDAP directory. It contains details about the FortiDLP Infrastructure and your LDAP server, which enable the LDAP Sync Tool to connect to them.

You must provide this configuration file in YAML format. For ease, we recommend naming the file config.yaml and saving it to the same directory as the LDAP Sync Tool. This lets you run commands more quickly by relying on the tool's defaults.

Refer to the following tables and example configuration file when creating your configuration file. Required fields and default values are indicated. The sync fields are optional and can be used to override the default LDAP filter (&(objectCategory=user)(objectSid=*)), override the default AD attributes detailed in Mapping user attributes, or provide a diff sync configuration.

You can configure the sync tool to perform a full sync or a diff sync:

  • Full sync: With this sync method, all users are synced to FortiDLP. To enable a full sync, diffsync (contained by sync) must be omitted from the configuration file.
  • Diff sync: With this sync method, only users that have been modified are synced to FortiDLP. To enable a diff sync, diffsync (contained by sync) must be included in the configuration file.
Note

The indentation in the example configuration file is mandatory. It is recommended that you use an indentation of two spaces per level and not tabs. In the following tables, a field preceded by an asterisk (*) contains nested fields, and the nested fields are listed directly below the containing field.

Also, be mindful of YAML rules for escaping, as described here.

Top-level field descriptions
Field Description
apiurl Required. Your FortiDLP Console URL.
apitoken Required. Your FortiDLP API access token.
archivedeleted

The rule to automatically archive directory-deleted users when the directory is synced to FortiDLP.

  • true: Automatically archives directory-deleted users in FortiDLP when a full sync occurs.
  • false: Skips automatically archiving directory-deleted users in FortiDLP when a full sync occurs.

Default = false.

Note

Before you enable this rule for the first time — either by using this field or via the command-line flag — you need to initialize the directory by performing a full sync to FortiDLP.

Even when this field is set to true, no deleted users are archived in FortiDLP if diffsync is included in the configuration file, because archiving only occurs during a full sync.

skiptls

The TLS verification method for the FortiDLP API, specified as one of the following:

  • true: Skips certificate verification of the FortiDLP API.
  • false: Performs certificate verification of the FortiDLP API.

Default = false.

Caution

Skipping certificate verification is not recommended for security reasons.

maxretries

The maximum number of retries that can occur after a failure connecting to the FortiDLP Infrastructure or LDAP server, or syncing users.

Default = 5.

photosync

The photo syncing method for users' profile pictures in the FortiDLP Console, specified as one of the following:

  • true: Enables photo syncing for users.
  • false: Disables photo syncing for users.

Default = false.

LDAP config field descriptions
Field Description
*ldap-config The configuration details for the LDAP directory to download users from.
name Required. Your LDAP directory name. This will be displayed in the command-line output and logs.
*credentials The credentials for your LDAP directory.
addr Required. Your LDAP server's host address.
port Required. Your LDAP server’s port number.
base Required. The Base DN of your LDAP server.
binddn Required. The username configured for LDAP authentication.
bindpassword Required. The password configured for LDAP authentication.
*tlsconfig

The TLS configuration details determining how the connection between the LDAP Sync Tool and your LDAP server is encrypted.

If you do not want to use TLS, omit the tlsconfig section from your configuration file.

method

Required. The TLS encryption method, specified as one of the following:

  • 0: Uses TLS.
  • 1: Uses StartTLS.
Note

On Windows, you should only use TLS with port 636 and StartTLS with port 389.

skipverification

The TLS verification method for your LDAP server, specified as one of the following:

  • true: Skips certificate verification of your LDAP server.
  • false: Performs certificate verification of your LDAP server.

Default = false.

Caution

Skipping certificate verification is not recommended for security reasons.

rootcabundle The PEM contents of your LDAP server's CA-signed certificate if skipverification is set to false.
*sync The optional configuration details for the LDAP directory to download users from if you do not use the default LDAP filter (&(objectCategory=user)(objectSid=*)) or the AD default attributes described in the previous tables.
searchterm The LDAP filter for importing users.
diffsync

The method for determining directory changes, allowing only updated users to be synced rather than all users. Both an attribute and a type are required.

  • attribute: The attribute from your directory that indicates the last update for users. The value for a time-based attribute (e.g. whenChanged) is assumed to always increment and the value for an integer-based attribute (e.g. uSNChanged) is assumed to always increase.
  • type: The attribute type, specified as one of the following:
    • 0: Uses GeneralizedTime syntax, where users are synced if the time of the last update is after the time of the previous sync.
    • 1: Uses LargeInteger syntax, where users are synced if the integer is larger than all other integers seen for the attribute across the directory.
*keyfields

The user fields to which attributes are mapped for display in the FortiDLP Console and for identification purposes.

See Field mappings for the list of supported fields and associated descriptions.

*schemes

The schemes to which attributes are mapped for associating events with users.

See Scheme mappings for the list of supported schemes and associated descriptions.

*labelfields

The fields to which attributes are mapped for creating directory labels in the FortiDLP Console. Directory labels are assigned to users and are used to associate users with policy groups and Agent configuration groups.

See Label mappings for the list of supported label fields and associated descriptions.

Configuration file

---
apiurl: <FortiDLP Console URL>
apitoken: <FortiDLP Console API access token>
skiptls: true
maxretries: 5
photosync: false
archivedeleted: false

ldap-config:
  name: directory
  credentials:
    addr: 192.0.2.108
    port: 636
    base: OU=admin,DC=example,DC=com
    binddn: OU=admin,DC=example,DC=com
    bindpassword: Password123
    tlsconfig:
      method: 0
      skipverification: false
      rootcabundle: <PEM contents of certificate>
  sync:
    searchterm: (&(objectCategory=user)(objectSid=*))
    diffsync:
      attribute: uSNChanged
      type: 1
    keyfields:
      name: displayName
      email: email
      image: thumbnailPhoto
      title: title
      department: department
      manager: manager
      phonenumbermobile: mobile
      phonenumberoffice: telephoneNumber
      addresshome: homePostalAddress
      addressoffice: physicalDeliveryOfficeName
    schemes:
      - scheme: sid
        attribute: objectSid
      - scheme: unix
        attribute: uidNumber
      - scheme: mail
        attribute: email
    labelfields:
      - key: department
      - key: city
      - key: country
      - key: memberOf
        labelName: Security Group
        # The capture group must enclose the quantifier so that $1 yields the whole CN value.
        match: "^CN=([^,]+),OU=Security Groups"
        transform: "$1"
        anonymise: false
        flagged: false
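
How the LDAP Sync Tool applies these settings internally is not shown on this page; the following Python is an added example, not Fortinet's code, that models the two decisions the tables describe: whether a directory entry counts as changed under diffsync type 0 (GeneralizedTime) or type 1 (LargeInteger), and how a labelfields match/transform pair turns a memberOf DN into a directory label. The sync section and the directory entries are constructed, the config is held as an already-parsed dict so no YAML library is needed, and the memberOf capture group is assumed to be ([^,]+) so that $1 yields the whole CN.

```python
import re
from datetime import datetime, timezone
# Constructed: the `sync` section of the page's config.yaml after YAML parsing.
SYNC_CONFIG = {
    "diffsync": {"attribute": "uSNChanged", "type": 1},
    "labelfields": [{"key": "department"},
                    {"key": "memberOf", "labelName": "Security Group",
                     "match": r"^CN=([^,]+),OU=Security Groups", "transform": "$1"}],
}
# Constructed directory entries, shaped like LDAP search results.
DIRECTORY = [
    {"sAMAccountName": "alice", "uSNChanged": "120045", "department": "Finance",
     "memberOf": ["CN=DLP Admins,OU=Security Groups,DC=example,DC=com", "CN=All Staff,OU=Distribution,DC=example,DC=com"]},
    {"sAMAccountName": "bob", "uSNChanged": "119900", "department": "Engineering"},
]

def parse_watermark(value, attr_type):
    """Make a diffsync attribute value orderable, per the type codes in the table."""
    if attr_type == 0:  # GeneralizedTime, e.g. 20240301120000.0Z
        stamp = value.rstrip("Z").split(".")[0]
        return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if attr_type == 1:  # LargeInteger, e.g. uSNChanged
        return int(value)
    raise ValueError(f"unsupported diffsync type {attr_type}")

def select_changed(entries, sync_cfg, last_watermark):
    """Return (entries to sync, new watermark); full sync when diffsync is absent."""
    ds = sync_cfg.get("diffsync")
    if ds is None:
        return list(entries), last_watermark
    chosen, high = [], last_watermark
    for entry in entries:
        wm = parse_watermark(entry[ds["attribute"]], ds["type"])
        if last_watermark is None or wm > last_watermark:
            chosen.append(entry)  # changed since the previous sync
        high = wm if high is None or wm > high else high  # highest value seen so far
    return chosen, high

def derive_labels(entry, labelfields):
    """Build (label name, value) pairs; match/transform rewrite the raw value."""
    labels = []
    for lf in labelfields:
        values = entry.get(lf["key"], [])
        for raw in values if isinstance(values, list) else [values]:
            m = re.match(lf["match"], raw) if "match" in lf else None
            if "match" in lf and m is None:
                continue  # value does not qualify for this label
            value = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), lf["transform"]) if m else raw
            labels.append((lf.get("labelName", lf["key"]), value))
    return labels
```

Running select_changed with a stored watermark of 120000 picks only alice and advances the watermark to 120045, while an empty sync section or a None watermark returns every entry, which is the full sync the page describes.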
