Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

config user ldap

Configure LDAP server entries.

config user ldap

Description: Configure LDAP server entries.

edit <name>

set server {string}

set secondary-server {string}

set tertiary-server {string}

set server-identity-check [enable|disable]

set source-ip {ipv4-address}

set cnid {string}

set dn {string}

set type [simple|anonymous|...]

set two-factor [disable|fortitoken-cloud]

set two-factor-authentication [fortitoken|email|...]

set two-factor-notification [email|sms]

set username {string}

set password {password}

set group-member-check [user-attr|group-object|...]

set group-search-base {string}

set group-object-filter {string}

set group-filter {string}

set secure [disable|starttls|...]

set ssl-min-proto-version [default|SSLv3|...]

set ca-cert {string}

set port {integer}

set password-expiry-warning [enable|disable]

set password-renewal [enable|disable]

set member-attr {string}

set account-key-processing [same|strip]

set account-key-filter {string}

set search-type {option1}, {option2}, ...

set obtain-user-info [enable|disable]

set user-info-exchange-server {string}

set interface-select-method [auto|sdwan|...]

set interface {string}

next

end

config user ldap

Parameter

Description

Type

Size

Default

server

LDAP server CN domain name or IP.

string

Maximum length: 63

secondary-server

Secondary LDAP server CN domain name or IP.

string

Maximum length: 63

tertiary-server

Tertiary LDAP server CN domain name or IP.

string

Maximum length: 63

server-identity-check

Enable/disable LDAP server identity check (verify server domain name/IP address against the server certificate).

option

-

enable

 

Option

Description

enable

Enable server identity check.

disable

Disable server identity check.

source-ip

Source IP for communications to LDAP server.

ipv4-address

Not Specified

0.0.0.0

cnid

Common name identifier for the LDAP server. The common name identifier for most LDAP servers is "cn".

string

Maximum length: 20

cn

dn

Distinguished name used to look up entries on the LDAP server.

string

Maximum length: 511

type

Authentication type for LDAP searches.

option

-

simple

 

Option

Description

simple

Simple password authentication without search.

anonymous

Bind using anonymous user search.

regular

Bind using username/password and then search.

two-factor

Enable/disable two-factor authentication.

option

-

disable

 

Option

Description

disable

disable two-factor authentication.

fortitoken-cloud

FortiToken Cloud Service.

two-factor-authentication

Authentication method by FortiToken Cloud.

option

-

 

Option

Description

fortitoken

FortiToken authentication.

email

Email one time password.

sms

SMS one time password.

two-factor-notification

Notification method for user activation by FortiToken Cloud.

option

-

 

Option

Description

email

Email notification for activation code.

sms

SMS notification for activation code.

username

Username (full DN) for initial binding.

string

Maximum length: 511

password

Password for initial binding.

password

Not Specified

group-member-check

Group member checking methods.

option

-

user-attr

 

Option

Description

user-attr

User attribute checking.

group-object

Group object checking.

posix-group-object

POSIX group object checking.

group-search-base

Search base used for group searching.

string

Maximum length: 511

group-object-filter

Filter used for group searching.

string

Maximum length: 2047

(&(objectcategory=group)(member=*))

group-filter

Filter used for group matching.

string

Maximum length: 2047

secure

Port to be used for authentication.

option

-

disable

 

Option

Description

disable

No SSL.

starttls

Use StartTLS.

ldaps

Use LDAPS.

ssl-min-proto-version

Minimum supported protocol version for SSL/TLS connections (default is to follow system global setting).

option

-

default

 

Option

Description

default

Follow system global setting.

SSLv3

SSLv3.

TLSv1

TLSv1.

TLSv1-1

TLSv1.1.

TLSv1-2

TLSv1.2.

ca-cert

CA certificate name.

string

Maximum length: 79

port

Port to be used for communication with the LDAP server (default = 389).

integer

Minimum value: 1 Maximum value: 65535

389

password-expiry-warning

Enable/disable password expiry warnings.

option

-

disable

 

Option

Description

enable

Enable password expiry warnings.

disable

Disable password expiry warnings.

password-renewal

Enable/disable online password renewal.

option

-

disable

 

Option

Description

enable

Enable online password renewal.

disable

Disable online password renewal.

member-attr

Name of attribute from which to get group membership.

string

Maximum length: 63

memberOf

account-key-processing

Account key processing operation, either keep or strip domain string of UPN in the token.

option

-

same

 

Option

Description

same

Same as UPN.

strip

Strip domain string from UPN.

account-key-filter

Account key filter, using the UPN as the search filter.

string

Maximum length: 2047

(&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

search-type

Search type.

option

-

 

Option

Description

recursive

Recursively retrieve the user-group chain information of a user in a particular Microsoft AD domain.

obtain-user-info

Enable/disable obtaining of user information.

option

-

enable

 

Option

Description

enable

Enable obtaining of user information.

disable

Disable obtaining of user information.

user-info-exchange-server

MS Exchange server from which to fetch user information.

string

Maximum length: 35

interface-select-method

Specify how to select outgoing interface to reach server.

option

-

auto

 

Option

Description

auto

Set outgoing interface automatically.

sdwan

Set outgoing interface by SD-WAN or policy routing rules.

specify

Set outgoing interface manually.

interface

Specify outgoing interface to reach server.

string

Maximum length: 15

config user ldap

Configure LDAP server entries.

config user ldap

Description: Configure LDAP server entries.

edit <name>

set server {string}

set secondary-server {string}

set tertiary-server {string}

set server-identity-check [enable|disable]

set source-ip {ipv4-address}

set cnid {string}

set dn {string}

set type [simple|anonymous|...]

set two-factor [disable|fortitoken-cloud]

set two-factor-authentication [fortitoken|email|...]

set two-factor-notification [email|sms]

set username {string}

set password {password}

set group-member-check [user-attr|group-object|...]

set group-search-base {string}

set group-object-filter {string}

set group-filter {string}

set secure [disable|starttls|...]

set ssl-min-proto-version [default|SSLv3|...]

set ca-cert {string}

set port {integer}

set password-expiry-warning [enable|disable]

set password-renewal [enable|disable]

set member-attr {string}

set account-key-processing [same|strip]

set account-key-filter {string}

set search-type {option1}, {option2}, ...

set obtain-user-info [enable|disable]

set user-info-exchange-server {string}

set interface-select-method [auto|sdwan|...]

set interface {string}

next

end

config user ldap

Parameter

Description

Type

Size

Default

server

LDAP server CN domain name or IP.

string

Maximum length: 63

secondary-server

Secondary LDAP server CN domain name or IP.

string

Maximum length: 63

tertiary-server

Tertiary LDAP server CN domain name or IP.

string

Maximum length: 63

server-identity-check

Enable/disable LDAP server identity check (verify server domain name/IP address against the server certificate).

option

-

enable

 

Option

Description

enable

Enable server identity check.

disable

Disable server identity check.

source-ip

Source IP for communications to LDAP server.

ipv4-address

Not Specified

0.0.0.0

cnid

Common name identifier for the LDAP server. The common name identifier for most LDAP servers is "cn".

string

Maximum length: 20

cn

dn

Distinguished name used to look up entries on the LDAP server.

string

Maximum length: 511

type

Authentication type for LDAP searches.

option

-

simple

 

Option

Description

simple

Simple password authentication without search.

anonymous

Bind using anonymous user search.

regular

Bind using username/password and then search.

two-factor

Enable/disable two-factor authentication.

option

-

disable

 

Option

Description

disable

disable two-factor authentication.

fortitoken-cloud

FortiToken Cloud Service.

two-factor-authentication

Authentication method by FortiToken Cloud.

option

-

 

Option

Description

fortitoken

FortiToken authentication.

email

Email one time password.

sms

SMS one time password.

two-factor-notification

Notification method for user activation by FortiToken Cloud.

option

-

 

Option

Description

email

Email notification for activation code.

sms

SMS notification for activation code.

username

Username (full DN) for initial binding.

string

Maximum length: 511

password

Password for initial binding.

password

Not Specified

group-member-check

Group member checking methods.

option

-

user-attr

 

Option

Description

user-attr

User attribute checking.

group-object

Group object checking.

posix-group-object

POSIX group object checking.

group-search-base

Search base used for group searching.

string

Maximum length: 511

group-object-filter

Filter used for group searching.

string

Maximum length: 2047

(&(objectcategory=group)(member=*))

group-filter

Filter used for group matching.

string

Maximum length: 2047

secure

Port to be used for authentication.

option

-

disable

 

Option

Description

disable

No SSL.

starttls

Use StartTLS.

ldaps

Use LDAPS.

ssl-min-proto-version

Minimum supported protocol version for SSL/TLS connections (default is to follow system global setting).

option

-

default

 

Option

Description

default

Follow system global setting.

SSLv3

SSLv3.

TLSv1

TLSv1.

TLSv1-1

TLSv1.1.

TLSv1-2

TLSv1.2.

ca-cert

CA certificate name.

string

Maximum length: 79

port

Port to be used for communication with the LDAP server (default = 389).

integer

Minimum value: 1 Maximum value: 65535

389

password-expiry-warning

Enable/disable password expiry warnings.

option

-

disable

 

Option

Description

enable

Enable password expiry warnings.

disable

Disable password expiry warnings.

password-renewal

Enable/disable online password renewal.

option

-

disable

 

Option

Description

enable

Enable online password renewal.

disable

Disable online password renewal.

member-attr

Name of attribute from which to get group membership.

string

Maximum length: 63

memberOf

account-key-processing

Account key processing operation, either keep or strip domain string of UPN in the token.

option

-

same

 

Option

Description

same

Same as UPN.

strip

Strip domain string from UPN.

account-key-filter

Account key filter, using the UPN as the search filter.

string

Maximum length: 2047

(&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

search-type

Search type.

option

-

 

Option

Description

recursive

Recursively retrieve the user-group chain information of a user in a particular Microsoft AD domain.

obtain-user-info

Enable/disable obtaining of user information.

option

-

enable

 

Option

Description

enable

Enable obtaining of user information.

disable

Disable obtaining of user information.

user-info-exchange-server

MS Exchange server from which to fetch user information.

string

Maximum length: 35

interface-select-method

Specify how to select outgoing interface to reach server.

option

-

auto

 

Option

Description

auto

Set outgoing interface automatically.

sdwan

Set outgoing interface by SD-WAN or policy routing rules.

specify

Set outgoing interface manually.

interface

Specify outgoing interface to reach server.

string

Maximum length: 15