Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    6.4.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.0.0
    5.6.0
    5.4.0
    5.2.0
    5.0.0

    user ldap

    Configure LDAP server entries.

      config user ldap
      Description: Configure LDAP server entries.
      edit <name>
          set server {string}
          set secondary-server {string}
          set tertiary-server {string}
          set server-identity-check [enable|disable]
          set source-ip {ipv4-address}
          set cnid {string}
          set dn {string}
          set type [simple|anonymous|...]
          set two-factor [disable|fortitoken-cloud]
          set two-factor-authentication [fortitoken|email|...]
          set two-factor-notification [email|sms]
          set username {string}
          set password {password}
          set group-member-check [user-attr|group-object|...]
          set group-search-base {string}
          set group-object-filter {string}
          set group-filter {string}
          set secure [disable|starttls|...]
          set ssl-min-proto-version [default|SSLv3|...]
          set ca-cert {string}
          set port {integer}
          set password-expiry-warning [enable|disable]
          set password-renewal [enable|disable]
          set member-attr {string}
          set account-key-processing [same|strip]
          set account-key-filter {string}
          set search-type {option1}, {option2}, ...
          set obtain-user-info [enable|disable]
          set user-info-exchange-server {string}
          set interface-select-method [auto|sdwan|...]
          set interface {string}
      next
  end

    config user ldap

    Parameter Name Description Type Size
    server LDAP server CN domain name or IP. string Maximum length: 63
    secondary-server Secondary LDAP server CN domain name or IP. string Maximum length: 63
    tertiary-server Tertiary LDAP server CN domain name or IP. string Maximum length: 63
    server-identity-check Enable/disable LDAP server identity check (verify server domain name/IP address against the server certificate).
    enable: Enable server identity check.
    disable: Disable server identity check.
    		 option -
    source-ip Source IP for communications to LDAP server. ipv4-address Not Specified
    cnid Common name identifier for the LDAP server. The common name identifier for most LDAP servers is "cn". string Maximum length: 20
    dn Distinguished name used to look up entries on the LDAP server. string Maximum length: 511
    type Authentication type for LDAP searches.
    simple: Simple password authentication without search.
    anonymous: Bind using anonymous user search.
    regular: Bind using username/password and then search.
    		 option -
    two-factor Enable/disable two-factor authentication.
    disable: disable two-factor authentication.
    fortitoken-cloud: FortiToken Cloud Service.
    		 option -
    two-factor-authentication Authentication method by FortiToken Cloud.
    fortitoken: FortiToken authentication.
    email: Email one time password.
    sms: SMS one time password.
    		 option -
    two-factor-notification Notification method for user activation by FortiToken Cloud.
    email: Email notification for activation code.
    sms: SMS notification for activation code.
    		 option -
    username Username (full DN) for initial binding. string Maximum length: 511
    password Password for initial binding. password Not Specified
    group-member-check Group member checking methods.
    user-attr: User attribute checking.
    group-object: Group object checking.
    posix-group-object: POSIX group object checking.
    		 option -
    group-search-base Search base used for group searching. string Maximum length: 511
    group-object-filter Filter used for group searching. string Maximum length: 2047
    group-filter Filter used for group matching. string Maximum length: 2047
    secure Port to be used for authentication.
    disable: No SSL.
    starttls: Use StartTLS.
    ldaps: Use LDAPS.
    		 option -
    ssl-min-proto-version Minimum supported protocol version for SSL/TLS connections (default is to follow system global setting).
    default: Follow system global setting.
    SSLv3: SSLv3.
    TLSv1: TLSv1.
    TLSv1-1: TLSv1.1.
    TLSv1-2: TLSv1.2.
    		 option -
    ca-cert CA certificate name. string Maximum length: 79
    port Port to be used for communication with the LDAP server (default = 389). integer Minimum value: 1 Maximum value: 65535
    password-expiry-warning Enable/disable password expiry warnings.
    enable: Enable password expiry warnings.
    disable: Disable password expiry warnings.
    		 option -
    password-renewal Enable/disable online password renewal.
    enable: Enable online password renewal.
    disable: Disable online password renewal.
    		 option -
    member-attr Name of attribute from which to get group membership. string Maximum length: 63
    account-key-processing Account key processing operation, either keep or strip domain string of UPN in the token.
    same: Same as UPN.
    strip: Strip domain string from UPN.
    		 option -
    account-key-filter Account key filter, using the UPN as the search filter. string Maximum length: 2047
    search-type Search type.
    recursive: Recursively retrieve the user-group chain information of a user in a particular Microsoft AD domain.
    		 option -
    obtain-user-info Enable/disable obtaining of user information.
    enable: Enable obtaining of user information.
    disable: Disable obtaining of user information.
    		 option -
    user-info-exchange-server MS Exchange server from which to fetch user information. string Maximum length: 35
    interface-select-method Specify how to select outgoing interface to reach server.
    auto: Setting outgoing interface automatically.
    sdwan: Setting outgoing interface by SDWAN or policy routing rules.
    specify: Setting outgoing interface manually.
    		 option -
    interface Specify outgoing interface to reach server. string Maximum length: 15
    Previous
    Next

    user ldap

    Configure LDAP server entries.

      config user ldap
      Description: Configure LDAP server entries.
      edit <name>
          set server {string}
          set secondary-server {string}
          set tertiary-server {string}
          set server-identity-check [enable|disable]
          set source-ip {ipv4-address}
          set cnid {string}
          set dn {string}
          set type [simple|anonymous|...]
          set two-factor [disable|fortitoken-cloud]
          set two-factor-authentication [fortitoken|email|...]
          set two-factor-notification [email|sms]
          set username {string}
          set password {password}
          set group-member-check [user-attr|group-object|...]
          set group-search-base {string}
          set group-object-filter {string}
          set group-filter {string}
          set secure [disable|starttls|...]
          set ssl-min-proto-version [default|SSLv3|...]
          set ca-cert {string}
          set port {integer}
          set password-expiry-warning [enable|disable]
          set password-renewal [enable|disable]
          set member-attr {string}
          set account-key-processing [same|strip]
          set account-key-filter {string}
          set search-type {option1}, {option2}, ...
          set obtain-user-info [enable|disable]
          set user-info-exchange-server {string}
          set interface-select-method [auto|sdwan|...]
          set interface {string}
      next
  end

    config user ldap

    Parameter Name Description Type Size
    server LDAP server CN domain name or IP. string Maximum length: 63
    secondary-server Secondary LDAP server CN domain name or IP. string Maximum length: 63
    tertiary-server Tertiary LDAP server CN domain name or IP. string Maximum length: 63
    server-identity-check Enable/disable LDAP server identity check (verify server domain name/IP address against the server certificate).
    enable: Enable server identity check.
    disable: Disable server identity check.
    		 option -
    source-ip Source IP for communications to LDAP server. ipv4-address Not Specified
    cnid Common name identifier for the LDAP server. The common name identifier for most LDAP servers is "cn". string Maximum length: 20
    dn Distinguished name used to look up entries on the LDAP server. string Maximum length: 511
    type Authentication type for LDAP searches.
    simple: Simple password authentication without search.
    anonymous: Bind using anonymous user search.
    regular: Bind using username/password and then search.
    		 option -
    two-factor Enable/disable two-factor authentication.
    disable: disable two-factor authentication.
    fortitoken-cloud: FortiToken Cloud Service.
    		 option -
    two-factor-authentication Authentication method by FortiToken Cloud.
    fortitoken: FortiToken authentication.
    email: Email one time password.
    sms: SMS one time password.
    		 option -
    two-factor-notification Notification method for user activation by FortiToken Cloud.
    email: Email notification for activation code.
    sms: SMS notification for activation code.
    		 option -
    username Username (full DN) for initial binding. string Maximum length: 511
    password Password for initial binding. password Not Specified
    group-member-check Group member checking methods.
    user-attr: User attribute checking.
    group-object: Group object checking.
    posix-group-object: POSIX group object checking.
    		 option -
    group-search-base Search base used for group searching. string Maximum length: 511
    group-object-filter Filter used for group searching. string Maximum length: 2047
    group-filter Filter used for group matching. string Maximum length: 2047
    secure Port to be used for authentication.
    disable: No SSL.
    starttls: Use StartTLS.
    ldaps: Use LDAPS.
    		 option -
    ssl-min-proto-version Minimum supported protocol version for SSL/TLS connections (default is to follow system global setting).
    default: Follow system global setting.
    SSLv3: SSLv3.
    TLSv1: TLSv1.
    TLSv1-1: TLSv1.1.
    TLSv1-2: TLSv1.2.
    		 option -
    ca-cert CA certificate name. string Maximum length: 79
    port Port to be used for communication with the LDAP server (default = 389). integer Minimum value: 1 Maximum value: 65535
    password-expiry-warning Enable/disable password expiry warnings.
    enable: Enable password expiry warnings.
    disable: Disable password expiry warnings.
    		 option -
    password-renewal Enable/disable online password renewal.
    enable: Enable online password renewal.
    disable: Disable online password renewal.
    		 option -
    member-attr Name of attribute from which to get group membership. string Maximum length: 63
    account-key-processing Account key processing operation, either keep or strip domain string of UPN in the token.
    same: Same as UPN.
    strip: Strip domain string from UPN.
    		 option -
    account-key-filter Account key filter, using the UPN as the search filter. string Maximum length: 2047
    search-type Search type.
    recursive: Recursively retrieve the user-group chain information of a user in a particular Microsoft AD domain.
    		 option -
    obtain-user-info Enable/disable obtaining of user information.
    enable: Enable obtaining of user information.
    disable: Disable obtaining of user information.
    		 option -
    user-info-exchange-server MS Exchange server from which to fetch user information. string Maximum length: 35
    interface-select-method Specify how to select outgoing interface to reach server.
    auto: Setting outgoing interface automatically.
    sdwan: Setting outgoing interface by SDWAN or policy routing rules.
    specify: Setting outgoing interface manually.
    		 option -
    interface Specify outgoing interface to reach server. string Maximum length: 15
    Previous
    Next