CLI Reference

user ldap

Configure LDAP server entries.

  config user ldap
      Description: Configure LDAP server entries.
      edit <name>
          set server {string}
          set secondary-server {string}
          set tertiary-server {string}
          set server-identity-check [enable|disable]
          set source-ip {ipv4-address}
          set cnid {string}
          set dn {string}
          set type [simple|anonymous|...]
          set two-factor [disable|fortitoken-cloud]
          set username {string}
          set password {password}
          set group-member-check [user-attr|group-object|...]
          set group-search-base {string}
          set group-object-filter {string}
          set group-filter {string}
          set secure [disable|starttls|...]
          set ssl-min-proto-version [default|SSLv3|...]
          set ca-cert {string}
          set port {integer}
          set password-expiry-warning [enable|disable]
          set password-renewal [enable|disable]
          set member-attr {string}
          set account-key-processing [same|strip]
          set account-key-filter {string}
          set search-type {option1}, {option2}, ...
          set obtain-user-info [enable|disable]
          set user-info-exchange-server {string}
      next
  end

config user ldap

Parameters (name, description, type, size):

server
    Description: LDAP server CN domain name or IP.
    Type: string
    Size: Maximum length: 63

secondary-server
    Description: Secondary LDAP server CN domain name or IP.
    Type: string
    Size: Maximum length: 63

tertiary-server
    Description: Tertiary LDAP server CN domain name or IP.
    Type: string
    Size: Maximum length: 63

server-identity-check
    Description: Enable/disable LDAP server identity check (verify server domain name/IP address against the server certificate).
        enable: Enable server identity check.
        disable: Disable server identity check.
    Type: option
    Size: -

source-ip
    Description: Source IP for communications to LDAP server.
    Type: ipv4-address
    Size: Not Specified

cnid
    Description: Common name identifier for the LDAP server. The common name identifier for most LDAP servers is "cn".
    Type: string
    Size: Maximum length: 20

dn
    Description: Distinguished name used to look up entries on the LDAP server.
    Type: string
    Size: Maximum length: 511

type
    Description: Authentication type for LDAP searches.
        simple: Simple password authentication without search.
        anonymous: Bind using anonymous user search.
        regular: Bind using username/password and then search.
    Type: option
    Size: -

two-factor
    Description: Enable/disable two-factor authentication.
        disable: Disable two-factor authentication.
        fortitoken-cloud: FortiToken Cloud Service.
    Type: option
    Size: -

username
    Description: Username (full DN) for initial binding.
    Type: string
    Size: Maximum length: 511

password
    Description: Password for initial binding.
    Type: password
    Size: Not Specified

group-member-check
    Description: Group member checking methods.
        user-attr: User attribute checking.
        group-object: Group object checking.
        posix-group-object: POSIX group object checking.
    Type: option
    Size: -

group-search-base
    Description: Search base used for group searching.
    Type: string
    Size: Maximum length: 511

group-object-filter
    Description: Filter used for group searching.
    Type: string
    Size: Maximum length: 2047

group-filter
    Description: Filter used for group matching.
    Type: string
    Size: Maximum length: 2047

secure
    Description: Port to be used for authentication.
        disable: No SSL.
        starttls: Use StartTLS.
        ldaps: Use LDAPS.
    Type: option
    Size: -

ssl-min-proto-version
    Description: Minimum supported protocol version for SSL/TLS connections (default is to follow the system global setting).
        default: Follow system global setting.
        SSLv3: SSLv3.
        TLSv1: TLSv1.
        TLSv1-1: TLSv1.1.
        TLSv1-2: TLSv1.2.
    Type: option
    Size: -

ca-cert
    Description: CA certificate name.
    Type: string
    Size: Maximum length: 79

port
    Description: Port to be used for communication with the LDAP server (default = 389).
    Type: integer
    Size: Minimum value: 1, Maximum value: 65535

password-expiry-warning
    Description: Enable/disable password expiry warnings.
        enable: Enable password expiry warnings.
        disable: Disable password expiry warnings.
    Type: option
    Size: -

password-renewal
    Description: Enable/disable online password renewal.
        enable: Enable online password renewal.
        disable: Disable online password renewal.
    Type: option
    Size: -

member-attr
    Description: Name of the attribute from which to get group membership.
    Type: string
    Size: Maximum length: 63

account-key-processing
    Description: Account key processing operation: either keep or strip the domain string of the UPN in the token.
        same: Same as UPN.
        strip: Strip domain string from UPN.
    Type: option
    Size: -

account-key-filter
    Description: Account key filter, using the UPN as the search filter.
    Type: string
    Size: Maximum length: 2047

search-type
    Description: Search type.
        recursive: Recursively retrieve the user-group chain information of a user in a particular Microsoft AD domain.
    Type: option
    Size: -

obtain-user-info
    Description: Enable/disable obtaining of user information.
        enable: Enable obtaining of user information.
        disable: Disable obtaining of user information.
    Type: option
    Size: -

user-info-exchange-server
    Description: MS Exchange server from which to fetch user information.
    Type: string
    Size: Maximum length: 35
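The transport-related parameters above (secure, server-identity-check, ssl-min-proto-version, ca-cert, port) decide whether the bind credentials and every user's password travel to the LDAP server in cleartext and whether the server's certificate is actually checked. The following is an added example, not Fortinet code and not part of this reference: a small Python audit that parses the `config user ldap` CLI text into one dictionary per entry and reports settings a reviewer would want changed. The sample configuration it ships with is constructed for the example (entry names "legacy-ad" and "hardened-ad", the service account DN and CA name are made up); the only default it relies on from this page is port = 389, and the expectation that LDAPS listens on 636 is a general convention about LDAP servers, not a value from this page.

```python
"""Audit FortiOS `config user ldap` entries for weak transport settings.

Added example for this reference page (not Fortinet code). It parses the
`config user ldap` CLI text into one dict per entry and reports settings
a reviewer would want changed before the entry is used for authentication.
The sample configuration below is constructed.
"""
import re

# Constructed sample: "legacy-ad" keeps the weak settings, "hardened-ad"
# uses LDAPS, identity checking, a CA certificate and TLS 1.2 as minimum.
SAMPLE_CONFIG = """\
config user ldap
    edit "legacy-ad"
        set server "10.0.0.5"
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example"
        set type regular
        set username "cn=svc-fgt,cn=Users,dc=corp,dc=example"
        set password ENC <redacted>
        set secure disable
        set server-identity-check disable
        set ssl-min-proto-version SSLv3
        set port 389
    next
    edit "hardened-ad"
        set server "ldap.corp.example"
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example"
        set type regular
        set username "cn=svc-fgt,cn=Users,dc=corp,dc=example"
        set password ENC <redacted>
        set secure ldaps
        set server-identity-check enable
        set ssl-min-proto-version TLSv1-2
        set ca-cert "CORP-ROOT-CA"
        set port 636
    next
end
"""

EDIT_RE = re.compile(r'^\s*edit\s+"?([^"]+)"?\s*$')
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')

# Values the page lists for ssl-min-proto-version, weakest first; anything
# below TLSv1-2 is reported.
TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1-1", "TLSv1-2"]
WEAK_TLS = set(TLS_ORDER[:TLS_ORDER.index("TLSv1-2")])


def parse_user_ldap(text):
    """Return {entry_name: {parameter: value}} from a `config user ldap` block."""
    entries = {}
    current = None
    for line in text.splitlines():
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        if line.strip() == "next":
            current = None
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2).strip('"')
    return entries


def audit_entry(params):
    """Return a list of findings (strings) for one LDAP server entry."""
    findings = []
    secure = params.get("secure")        # the page states no default: treat as unset
    port = params.get("port", "389")     # the page states default = 389
    if secure is None:
        findings.append("secure not set explicitly: confirm the effective default")
    elif secure == "disable":
        findings.append("secure=disable: bind credentials and user passwords are "
                        "sent in cleartext")
    if params.get("server-identity-check") == "disable":
        findings.append("server-identity-check=disable: server certificate is not "
                        "matched against the configured server name/IP")
    if params.get("ssl-min-proto-version") in WEAK_TLS:
        findings.append("ssl-min-proto-version=%s: allows a deprecated protocol "
                        "version" % params["ssl-min-proto-version"])
    if secure in ("starttls", "ldaps") and "ca-cert" not in params:
        findings.append("ca-cert not set: verify the server certificate chains to "
                        "a CA the FortiGate trusts")
    # LDAPS conventionally listens on 636 (a convention, not a value from the page).
    if secure == "ldaps" and port == "389":
        findings.append("secure=ldaps with port 389: LDAPS normally listens on 636")
    return findings


def audit_config(text):
    """Map each entry name in the config text to its list of findings."""
    return {name: audit_entry(p) for name, p in parse_user_ldap(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "->", findings or ["no findings"])
```

Run against the constructed sample, "legacy-ad" yields three findings (cleartext transport, identity check off, SSLv3 allowed) and "hardened-ad" yields none. Point `audit_config` at the output of `show user ldap` from a real device to review its entries; anything reported as "not set explicitly" should be confirmed against the device's own default rather than assumed.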
