Mapping user attributes

The LDAP Sync Tool uses AD default attributes when mapping user details. If preferred, you can alternatively use custom attributes for these mappings.

Fields

The following table describes the user fields to which LDAP attributes are mapped. These fields either display in the FortiDLP Console or are used by FortiDLP for identification.

Field mappings
Field Description

name

The attribute that holds the user's full name.

Default = displayName.

email

The attribute that holds the user's email address.

Default = email.

image

The attribute that holds the user's profile picture.

Default = thumbnailPhoto.

title

The attribute that holds the user's job title.

Default = title.

department

The attribute that holds the user's department.

Default = department.

manager

The attribute that holds the full name of the user's line manager.

Default = manager.

phonenumbermobile

The attribute that holds the user's mobile phone number.

Default = mobile.

phonenumberoffice

The attribute that holds the user's office phone number.

Default = telephoneNumber.

addresshome

The attribute that holds the user's home address.

Default = homePostalAddress.

addressoffice

The attribute that holds the user's office address.

Default = physicalDeliveryOfficeName.

uniqueid

The attribute that generates the user's unique identifier in FortiDLP.

Note

This must be a stable attribute to ensure subsequent syncs do not duplicate the user. For example, the displayName attribute would not be recommended, as a user's name may change due to marriage. This attribute must also have a unique value for the user in your LDAP directory.

Default = objectSid.

Schemes

FortiDLP uses schemes to associate events with each user from your LDAP directory.

The following table describes the supported schemes to which attributes can be mapped.

Scheme mappings
Scheme Description

username

The attribute that holds the user's username.

No default value.

Note

We recommend that you only use this mapping if device usernames are company managed, as this value could otherwise be modified by a user to impersonate a different user.

machinename

The attribute that holds the hostname of the user's machine.

No default value.

Note

We recommend that you only use this mapping if device hostnames are company managed, as this value could otherwise be modified by a user to impersonate a different user.

sid

The attribute that holds the user's Windows Security Identifier (SID).

Default = objectSid.

unix

The attribute that holds the user's Unix UID.

Default = uidNumber.

mail

The attribute that holds the user's email address.

This is required for Microsoft Office 365 integrations and is also used by the FortiDLP API integration endpoints.

Default = email.

Note

You can use as many schemes as you need by specifying a scheme and an associated attribute in your configuration file. For example, where users have multiple email addresses, you may want to use the mail scheme twice, with two different LDAP attributes. For more information on configuring schemes, see Creating the configuration file.
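The following added example (not Fortinet code and not the LDAP Sync Tool's own implementation) shows what the field and scheme mappings above amount to in practice: users are keyed on the uniqueid attribute, so a rename only updates the record when the key is objectSid but creates a duplicate when the key is displayName; schemes are a list of (scheme, attribute) pairs, so mail can be mapped twice, and an event is resolved to a user by looking up its (scheme, value). The dict-based configuration layout, the constructed entries, the sample SID and the use of userPrincipalName as a second mail attribute are assumptions; only the attribute and scheme names come from the tables.

```python
"""Added example (not part of the Fortinet documentation or the LDAP Sync
Tool): applies the default field and scheme mappings to LDAP entries, keys
users on uniqueid and resolves an event back to a user via a scheme. The
config layout, sample entries and second mail attribute are assumptions."""

# Default field mappings exactly as listed in the Field mappings table.
DEFAULT_FIELDS = {
    "name": "displayName",
    "email": "email",
    "image": "thumbnailPhoto",
    "title": "title",
    "department": "department",
    "manager": "manager",
    "phonenumbermobile": "mobile",
    "phonenumberoffice": "telephoneNumber",
    "addresshome": "homePostalAddress",
    "addressoffice": "physicalDeliveryOfficeName",
    "uniqueid": "objectSid",
}

# Schemes are (scheme, attribute) pairs so the same scheme may appear twice.
DEFAULT_SCHEMES = [("sid", "objectSid"), ("unix", "uidNumber"), ("mail", "email")]


def decode_object_sid(blob: bytes) -> str:
    """Decode AD's binary objectSid into its textual S-1-... form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes big-endian), then count x 4-byte little-endian values.
    """
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = [int.from_bytes(blob[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))


def value_of(entry: dict, attr: str):
    """Read one attribute, normalising objectSid to its string form."""
    value = entry.get(attr)
    return decode_object_sid(value) if attr == "objectSid" and value is not None else value


def sync(directory, fields=DEFAULT_FIELDS, schemes=DEFAULT_SCHEMES, users=None):
    """Upsert every LDAP entry into `users`, keyed by the uniqueid attribute.

    A later sync that sees the same uniqueid value updates the record in
    place; a changed value creates a new user, which is why uniqueid must be
    stable across syncs.
    """
    users = {} if users is None else users
    for entry in directory:
        record = {field: value_of(entry, attr) for field, attr in fields.items()}
        record["identities"] = [(scheme, value_of(entry, attr))
                                for scheme, attr in schemes if entry.get(attr) is not None]
        users[record["uniqueid"]] = record
    return users


def resolve_event(users: dict, scheme: str, value: str):
    """Return the uniqueid of the user whose identities carry (scheme, value)."""
    for uid, record in users.items():
        if (scheme, value) in record["identities"]:
            return uid
    return None


# Constructed sample objectSid encoding S-1-5-21-1-2-1001 (not a real SID).
SID_ALICE = bytes([1, 4]) + (5).to_bytes(6, "big") + b"".join(
    n.to_bytes(4, "little") for n in (21, 1, 2, 1001))

# Constructed sample entries: the same account before and after a name change.
ALICE_BEFORE = {"displayName": "Alice Smith", "email": "alice.smith@example.com",
                "userPrincipalName": "asmith@corp.example", "uidNumber": "5001",
                "department": "Finance", "objectSid": SID_ALICE}
ALICE_AFTER = dict(ALICE_BEFORE, displayName="Alice Jones")


def users_after_two_syncs(uniqueid_attr: str) -> int:
    """Sync the account before and after the rename, keyed on uniqueid_attr."""
    fields = dict(DEFAULT_FIELDS, uniqueid=uniqueid_attr)
    users = sync([ALICE_BEFORE], fields=fields)
    users = sync([ALICE_AFTER], fields=fields, users=users)
    return len(users)


if __name__ == "__main__":
    print(users_after_two_syncs("objectSid"))    # 1: stable key, record updated in place
    print(users_after_two_syncs("displayName"))  # 2: the rename produced a duplicate user
    users = sync([ALICE_AFTER], schemes=DEFAULT_SCHEMES + [("mail", "userPrincipalName")])
    print(resolve_event(users, "mail", "asmith@corp.example"))  # S-1-5-21-1-2-1001
```

Because objectSid is stored by AD as a binary value, the example decodes it to the usual S-1-5-... string before using it as a key, so the identifier is both stable and readable in logs; the same decoded value serves the sid scheme.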

Label fields

Label fields define how LDAP attributes map to directory labels, which FortiDLP uses to associate users with policy groups and Agent configuration groups.

Example

For example, a directory label mapping could be used to assign a label to users that identifies their department within your organization. This would then ease configuration, allowing you to select specific departments when enabling policies and Agent functionality.

For security purposes, directory label mappings can be replaced with pseudonyms in the FortiDLP Console for operators with the Pseudonymized perspective. For more information about this feature, refer to Operator roles in the FortiDLP Administration Guide.

FortiDLP will create one directory label for each value that is found by a configured mapping. Mappings based on the LDAP attributes of department, city, country, and security groups within memberOf are provided out of the box to new user syncs.

Label mappings
Field Description

key

The attribute name that holds the user data.

Defaults = department, city, country, memberOf.

labelName

The name to display before the attribute value in a label. If undefined, FortiDLP uses the key value.

match

The regular expression to filter which LDAP attributes generate labels. Only values that match the expression will be converted to labels.

Example

For example, when creating a mapping for the memberOf attribute, the expression CN=(.*),OU=Security Groups would match CN=Admins,OU=Security Groups, but not CN=Sales,OU=Departments.

transform

An optional value to format the labels. This can be used to include groups captured by the regular expression defined for match.

Example

For example, when creating a mapping for the memberOf attribute that has a match of CN=(.*),OU=Security Groups, entering $1 would generate a label for each value of CN within OU=Security Groups.

anonymise

The method for displaying labels, specified as one of the following:

  • true: Replaces directory labels with pseudonyms.
  • false: Displays directory labels as standard.

Default = false.

flagged

The method for marking labels, specified as one of the following:

  • true: Flags directory labels as of interest. Users who are assigned these labels will be highlighted in the Flagged entities tab of the FortiDLP Console.
  • false: Displays directory labels as standard.

Default = false.
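The following added example (not Fortinet code and not the LDAP Sync Tool's own implementation) works through the label mapping fields above on a constructed entry: labelName falls back to key, match filters which values become labels, transform expands $1-style group references, anonymise swaps the display text for a pseudonym and flagged marks the label. The dict-based mapping layout, the "labelName: value" display format, the keyed-hash pseudonym, the use of a search (rather than a full match) so that complete distinguished names pass the match expression, and the sample entry are assumptions; the memberOf expression is the one from the documentation's own example and is assumed here to be the out-of-the-box security-group mapping.

```python
"""Added example (not part of the Fortinet documentation or the LDAP Sync
Tool): turns LDAP attribute values into directory labels using the key,
labelName, match, transform, anonymise and flagged fields. Mapping layout,
display format, pseudonym method and sample entry are assumptions."""
import hashlib
import re

# Constructed placeholder secret for the pseudonym hash (not a real key).
PSEUDONYM_KEY = b"example-pseudonym-key"

# Out-of-the-box mappings: department, city, country and security groups in
# memberOf. The memberOf match/transform are assumed from the page's example.
DEFAULT_LABEL_MAPPINGS = [
    {"key": "department"},
    {"key": "city"},
    {"key": "country"},
    {"key": "memberOf", "match": r"CN=(.*),OU=Security Groups", "transform": "$1"},
]


def to_python_template(transform: str) -> str:
    """Convert a $1-style transform into Python's \\g<1> replacement syntax."""
    return re.sub(r"\$(\d+)", r"\\g<\1>", transform)


def pseudonym(name: str, value: str) -> str:
    """Deterministic keyed pseudonym so the same label always gets the same alias."""
    digest = hashlib.blake2b(f"{name}={value}".encode(), key=PSEUDONYM_KEY, digest_size=6)
    return f"{name}: {digest.hexdigest()}"


def labels_for(entry: dict, mapping: dict) -> list:
    """Produce one label per attribute value that passes the mapping's match."""
    key = mapping["key"]
    name = mapping.get("labelName", key)            # labelName defaults to key
    pattern = re.compile(mapping["match"]) if mapping.get("match") else None
    template = to_python_template(mapping["transform"]) if mapping.get("transform") else None
    values = entry.get(key, [])                      # missing attribute: no labels
    values = [values] if isinstance(values, str) else values
    labels = []
    for value in values:
        if pattern is not None:
            found = pattern.search(value)            # assumption: search, so full DNs match
            if not found:
                continue                             # non-matching values yield no label
            value = found.expand(template) if template else value
        display = pseudonym(name, value) if mapping.get("anonymise", False) else f"{name}: {value}"
        labels.append({"name": name, "value": value, "display": display,
                       "flagged": bool(mapping.get("flagged", False))})
    return labels


def generate_labels(entry: dict, mappings=DEFAULT_LABEL_MAPPINGS) -> list:
    """Apply every configured mapping to one LDAP entry."""
    return [label for mapping in mappings for label in labels_for(entry, mapping)]


# Constructed sample entry (not real directory data); no country attribute.
SAMPLE_ENTRY = {
    "department": "Finance",
    "city": "Sydney",
    "memberOf": ["CN=Admins,OU=Security Groups,DC=corp,DC=example",
                 "CN=Sales,OU=Departments,DC=corp,DC=example"],
}

if __name__ == "__main__":
    for label in generate_labels(SAMPLE_ENTRY):
        print(label["display"])  # department: Finance / city: Sydney / memberOf: Admins
    privileged = {"key": "memberOf", "labelName": "Privileged",
                  "match": r"CN=(.*),OU=Security Groups", "transform": "Group $1",
                  "anonymise": True, "flagged": True}
    print(labels_for(SAMPLE_ENTRY, privileged))
```

The Sales group produces no label because its DN never matches the expression, and the Admins group is reduced to its CN by the transform, which is the behaviour the match and transform descriptions above call for; a flagged, anonymised mapping still carries the real value internally (for policy group membership) while the display text is the pseudonym.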
