user ldap

Use this command to add or edit the definition of an LDAP server for user authentication. The maximum number of remote LDAP servers that can be configured for authentication is 10. LDAP user authentication is supported for PPTP, L2TP, IPsec VPN, and firewall authentication. With PPTP, L2TP, and IPsec VPN, PAP (Packet Authentication Protocol) is supported, while CHAP (Challenge Handshake Authentication Protocol) is not.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.3.

Command Description

set server-identity-check {enable | disable}

Enable or disable verification of LDAP server identity against the LDAP server certificate in LDAPS and STARTTLS security modes.

The default value is disable, which means that verification is disabled.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.2.

Command Description

set ssl-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}

Set the minimum SSL/TLS version that can be used for SSL/TLS-protected StartTLS or LDAPS sessions.

The default value is default, which means to follow the global minimum set by the ssl-min-proto-version option of the config system global command.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set account-key-filter <upn>

Option has been introduced to replace account-key-name, making the LDAP query more flexible across different LDAP server versions.

set account-key-name <upn>

Option has been removed.

config user ldap
    edit {name}
    # Configure LDAP server entries.
        set name {string}   LDAP server entry name. size[35]
        set server {string}   LDAP server CN domain name or IP. size[63]
        set secondary-server {string}   Secondary LDAP server CN domain name or IP. size[63]
        set tertiary-server {string}   Tertiary LDAP server CN domain name or IP. size[63]
        set server-identity-check {enable | disable}   Enable/disable LDAP server identity check (verify server domain name/IP address against the server certificate).
        set source-ip {ipv4 address}   Source IP for communications to LDAP server.
        set cnid {string}   Common name identifier for the LDAP server. The common name identifier for most LDAP servers is "cn". size[20]
        set dn {string}   Distinguished name used to look up entries on the LDAP server. size[511]
        set type {simple | anonymous | regular}   Authentication type for LDAP searches.
                simple     Simple password authentication without search.
                anonymous  Bind using anonymous user search.
                regular    Bind using username/password and then search.
        set username {string}   Username (full DN) for initial binding. size[511]
        set password {password_string}   Password for initial binding. size[128]
        set group-member-check {user-attr | group-object | posix-group-object}   Group member checking methods.
                user-attr           User attribute checking.
                group-object        Group object checking.
                posix-group-object  POSIX group object checking.
        set group-search-base {string}   Search base used for group searching. size[511]
        set group-object-filter {string}   Filter used for group searching. size[2047]
        set group-filter {string}   Filter used for group matching. size[2047]
        set secure {disable | starttls | ldaps}   Port to be used for authentication.
                disable   No SSL.
                starttls  Use StartTLS.
                ldaps     Use LDAPS.
        set ssl-min-proto-version {option}   Minimum supported protocol version for SSL/TLS connections (default is to follow system global setting).
                default  Follow system global setting.
                SSLv3    SSLv3.
                TLSv1    TLSv1.
                TLSv1-1  TLSv1.1.
                TLSv1-2  TLSv1.2.
        set ca-cert {string}   CA certificate name. size[63] - datasource(s): vpn.certificate.ca.name
        set port {integer}   Port to be used for communication with the LDAP server (default = 389). range[1-65535]
        set password-expiry-warning {enable | disable}   Enable/disable password expiry warnings.
        set password-renewal {enable | disable}   Enable/disable online password renewal.
        set member-attr {string}   Name of attribute from which to get group membership. size[63]
        set account-key-processing {same | strip}   Account key processing operation, either keep or strip domain string of UPN in the token.
                same   Same as UPN.
                strip  Strip domain string from UPN.
        set account-key-filter {string}   Account key filter, using the UPN as the search filter. size[2047]
    next
end

Additional information

The following section is for those options that require additional explanation.

account-key-name <name>

Account key name, using the UPN as the search filter.

account-key-processing {same | strip}

Account key processing operation: an option to keep or strip the domain string of the User Principal Name (UPN) in the token.

  • same: Same as UPN. This is set by default.
  • strip: Strip domain string from UPN.

UPN is a logon method of authentication where you enter the credentials as username@domainname.com instead of the Windows authentication method, domainname\username.

cnid <id>

Common name identifier for the LDAP server (maximum of 20 characters). The default is set to cn, which is the common name identifier for most LDAP servers. However, some servers use other common name identifiers such as uid.

dn <dn>

Distinguished name used to look up entries on the LDAP server (maximum of 512 characters). The distinguished name reflects the hierarchy of LDAP database object classes above the common name identifier. The FortiGate unit passes this distinguished name unchanged to the server.

Note: You must provide a dn value if type is set to simple.

group-filter {string}

Add a filter string to support LDAP authentication for users that are members of a nested group in the LDAP server. Looking for nested groups is disabled by default. To enable, add a search string to this option.

group-member-check {user-attr | group-object | posix-group-object}

Group member checking methods.

  • user-attr: Check user attributes (by default).
  • group-object: Check group objects.
  • posix-group-object: Check Portable Operating System Interface (POSIX) group objects.

member-attr <attribute-name>

Name of attribute from which to get group membership. The default is set to memberOf. Examples are shown below:

  • memberOf for Windows AD and OpenLDAP
  • groupMembership for eDirectory

password-expiry-warning {enable | disable}

Enable or disable (by default) password expiry warnings.

password-renewal {enable | disable}

Enable or disable (by default) online password renewal.

port <port>

Port number to be used for communication with the LDAP server. Set a value between 1 and 65535. The default is set to 389.

server <name/ip>

LDAP server CN domain name or IP address. The host name must comply with RFC 1035.

secondary-server [name/ip]

Optionally, enter a second LDAP server name or IP.

secure {disable | starttls | ldaps}

Security mode for the LDAP connection, which determines the port used for authentication.

  • disable: Port 389 (by default)
  • starttls: Port 389
  • ldaps: Port 636

server-identity-check {enable | disable}

Enable or disable (by default) verification of LDAP server identity against the LDAP server certificate in LDAPS and STARTTLS security modes.

Verification can be enabled only if a CA certificate is specified with set ca-cert; without a CA certificate there is nothing to validate the server certificate against, so the option cannot be enabled.

ssl-min-proto-version {default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}

Set the minimum SSL/TLS version that can be used for SSL/TLS-protected StartTLS or LDAPS sessions.

The default value is default, which means to follow the global minimum set by the ssl-min-proto-version option of the config system global command.

source-ip [class-ip]

Optionally, enter a source IP address to be used for LDAP requests.

tertiary-server [name/ip]

Optionally, enter a third LDAP server name or IP.

type {simple | anonymous | regular}

Authentication type for LDAP searches. Note: You must provide a dn value if type is set to simple.

  • simple: Simple password authentication without search. Use if the user records are all under one distinguished name that you know. Otherwise, using either anonymous or regular will search the entire LDAP database for the required user name.
  • anonymous: Bind using anonymous user search.
  • regular: Bind using username/password and then search. Use if your LDAP server requires authentication to perform searches, providing values for username and password.
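As an added example (not part of the Fortinet reference), a small Python audit that parses a constructed config user ldap fragment and flags entries that fall short of the constraints described above: secure disable, server-identity-check left at its default, server-identity-check enable without ca-cert, a deprecated ssl-min-proto-version floor, type simple without dn, and type regular without bind credentials. Entry names, server addresses, the bind DN and the CA certificate name are made-up values.

```python
import re

# Constructed sample (not from the page): "ldap-weak" is a weak entry, "ldap-hardened" applies the reference's guidance.
SAMPLE_CONFIG = """\
config user ldap
    edit "ldap-weak"
        set server "10.0.0.5"
        set type regular
        set secure disable
    next
    edit "ldap-hardened"
        set server "ldap.example.com"
        set type regular
        set username "cn=svc-fgt,ou=svc,dc=example,dc=com"
        set password PLACEHOLDER-SECRET
        set secure ldaps
        set ca-cert "Corp-Root-CA"
        set server-identity-check enable
        set ssl-min-proto-version TLSv1-2
    next
end
"""
WEAK_TLS = {"SSLv3", "TLSv1", "TLSv1-1"}  # accepted by the option, but not acceptable as a floor

def parse_user_ldap(text):
    """Return {entry_name: {option: value}} for each 'edit ... next' block in the fragment."""
    entries, current, opts = {}, None, {}
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'edit\s+"?([^"]+?)"?$', line)
        if m:
            current, opts = m.group(1), {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            opts[key] = value.strip().strip('"')
        elif line == "next" and current is not None:
            entries[current], current = opts, None
    return entries

def check_entry(opts):
    """Findings for one entry; defaults (secure disable, identity check disable) are those the reference states."""
    findings = []
    if opts.get("secure", "disable") == "disable":
        findings.append("secure disable: bind and user credentials cross the network in cleartext")
    elif opts.get("server-identity-check", "disable") != "enable":
        findings.append("server-identity-check disable: the server certificate is not verified")
    elif "ca-cert" not in opts:
        findings.append("server-identity-check enable requires a ca-cert")
    if opts.get("ssl-min-proto-version", "default") in WEAK_TLS:
        findings.append("ssl-min-proto-version permits a deprecated TLS/SSL version")
    if opts.get("type") == "simple" and "dn" not in opts:
        findings.append("type simple requires a dn value")
    if opts.get("type") == "regular" and not ("username" in opts and "password" in opts):
        findings.append("type regular needs username and password for the initial bind")
    return findings
```

Run check_entry over each entry returned by parse_user_ldap(SAMPLE_CONFIG): the hardened entry yields no findings, the weak one reports the cleartext bind and the missing bind credentials.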