config user ldap

Description: Configure LDAP server entries.

```
config user ldap
    edit <name>
        set server {string}
        set secondary-server {string}
        set tertiary-server {string}
        set server-identity-check [enable|disable]
        set source-ip {ipv4-address}
        set cnid {string}
        set dn {string}
        set type [simple|anonymous|...]
        set two-factor [disable|fortitoken-cloud]
        set two-factor-authentication [fortitoken|email|...]
        set two-factor-notification [email|sms]
        set username {string}
        set password {password}
        set group-member-check [user-attr|group-object|...]
        set group-search-base {string}
        set group-object-filter {string}
        set group-filter {string}
        set secure [disable|starttls|...]
        set ssl-min-proto-version [default|SSLv3|...]
        set ca-cert {string}
        set port {integer}
        set password-expiry-warning [enable|disable]
        set password-renewal [enable|disable]
        set member-attr {string}
        set account-key-processing [same|strip]
        set account-key-filter {string}
        set search-type {option1}, {option2}, ...
        set obtain-user-info [enable|disable]
        set user-info-exchange-server {string}
        set interface-select-method [auto|sdwan|...]
        set interface {string}
    next
end
```
config user ldap

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| server | LDAP server CN domain name or IP. | string | Maximum length: 63 | |
| secondary-server | Secondary LDAP server CN domain name or IP. | string | Maximum length: 63 | |
| tertiary-server | Tertiary LDAP server CN domain name or IP. | string | Maximum length: 63 | |
| server-identity-check | Enable/disable LDAP server identity check (verify server domain name/IP address against the server certificate). | option | - | enable |
| source-ip | Source IP for communications to LDAP server. | ipv4-address | Not Specified | 0.0.0.0 |
| cnid | Common name identifier for the LDAP server. The common name identifier for most LDAP servers is "cn". | string | Maximum length: 20 | cn |
| dn | Distinguished name used to look up entries on the LDAP server. | string | Maximum length: 511 | |
| type | Authentication type for LDAP searches. | option | - | simple |
| two-factor | Enable/disable two-factor authentication. | option | - | disable |
| two-factor-authentication | Authentication method by FortiToken Cloud. | option | - | |
| two-factor-notification | Notification method for user activation by FortiToken Cloud. | option | - | |
| username | Username (full DN) for initial binding. | string | Maximum length: 511 | |
| password | Password for initial binding. | password | Not Specified | |
| group-member-check | Group member checking methods. | option | - | user-attr |
| group-search-base | Search base used for group searching. | string | Maximum length: 511 | |
| group-object-filter | Filter used for group searching. | string | Maximum length: 2047 | `(&(objectcategory=group)(member=*))` |
| group-filter | Filter used for group matching. | string | Maximum length: 2047 | |
| secure | Port to be used for authentication. | option | - | disable |
| ssl-min-proto-version | Minimum supported protocol version for SSL/TLS connections (default is to follow system global setting). | option | - | default |
| ca-cert | CA certificate name. | string | Maximum length: 79 | |
| port | Port to be used for communication with the LDAP server (default = 389). | integer | Minimum value: 1, Maximum value: 65535 | 389 |
| password-expiry-warning | Enable/disable password expiry warnings. | option | - | disable |
| password-renewal | Enable/disable online password renewal. | option | - | disable |
| member-attr | Name of attribute from which to get group membership. | string | Maximum length: 63 | memberOf |
| account-key-processing | Account key processing operation, either keep or strip domain string of UPN in the token. | option | - | same |
| account-key-filter | Account key filter, using the UPN as the search filter. | string | Maximum length: 2047 | `(&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))` |
| search-type | Search type. | option | - | |
| obtain-user-info | Enable/disable obtaining of user information. | option | - | enable |
| user-info-exchange-server | MS Exchange server from which to fetch user information. | string | Maximum length: 35 | |
| interface-select-method | Specify how to select outgoing interface to reach server. | option | - | auto |
| interface | Specify outgoing interface to reach server. | string | Maximum length: 15 | |
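As an added example (not part of the reference page or Fortinet's own documentation), the following entry shows the parameters above combined into a transport-hardened LDAP server definition: the bind credential and group lookups only ever travel inside TLS, the server certificate is pinned to a named CA and checked against the configured hostname, and the minimum TLS version is raised above the global default. Server names, DNs, the CA name and the service account are constructed placeholders; the values `ldaps`, `regular` and `TLSv1-2` are assumed valid members of the option lists the page truncates with "...".

```fortios
# Added example: one hardened LDAP entry for an AD-style directory.
# The insecure alternative is the page's defaults: secure disable, port 389,
# which sends the bind DN and password in cleartext on every authentication.
config user ldap
    edit "corp-ldaps"
        # Primary and failover directory servers; names must match the
        # certificate subject because server-identity-check stays enabled.
        set server "ldap1.corp.example"
        set secondary-server "ldap2.corp.example"
        set server-identity-check enable
        # Login attribute and search base (constructed values).
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example"
        # 'regular' = authenticated bind with a dedicated, read-only
        # service account rather than anonymous or simple user bind.
        set type regular
        set username "cn=svc-fortigate,ou=Service Accounts,dc=corp,dc=example"
        set password "REPLACE_WITH_BIND_PASSWORD"
        # LDAP over TLS on 636, trust anchored to an imported CA certificate,
        # and TLS 1.2 as the floor instead of following the global setting.
        set secure ldaps
        set port 636
        set ca-cert "Corp-Root-CA"
        set ssl-min-proto-version TLSv1-2
        # Resolve group membership from group objects under a dedicated
        # subtree, using the page's default object filter.
        set group-member-check group-object
        set group-search-base "ou=Groups,dc=corp,dc=example"
        set group-object-filter "(&(objectcategory=group)(member=*))"
        # Pin the outgoing interface instead of relying on auto selection.
        set interface-select-method specify
        set interface "port2"
    next
end
```

After applying, confirm the stored entry no longer shows `set secure disable` or `set port 389` in `show user ldap corp-ldaps`; a failed identity check or untrusted CA surfaces as a bind failure at authentication time rather than as a silent downgrade.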