config user ldap
Configure LDAP server entries.
config user ldap
Description: Configure LDAP server entries.
edit <name>
set account-key-filter {string}
set account-key-processing [same|strip]
set antiphish [enable|disable]
set ca-cert {string}
set cnid {string}
set dn {string}
set group-filter {string}
set group-member-check [user-attr|group-object|...]
set group-object-filter {string}
set group-search-base {string}
set interface {string}
set interface-select-method [auto|sdwan|...]
set member-attr {string}
set obtain-user-info [enable|disable]
set password {password}
set password-attr {string}
set password-expiry-warning [enable|disable]
set password-renewal [enable|disable]
set port {integer}
set search-type {option1}, {option2}, ...
set secondary-server {string}
set secure [disable|starttls|...]
set server {string}
set server-identity-check [enable|disable]
set source-ip {string}
set source-port {integer}
set ssl-min-proto-version [default|SSLv3|...]
set tertiary-server {string}
set two-factor [disable|fortitoken-cloud]
set two-factor-authentication [fortitoken|email|...]
set two-factor-notification [email|sms]
set type [simple|anonymous|...]
set user-info-exchange-server {string}
set username {string}
next
end
config user ldap
|
Parameter |
Description |
Type |
Size |
Default |
||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
account-key-filter |
Account key filter, using the UPN as the search filter. |
string |
Maximum length: 2047 |
(&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) |
||||||||||||
|
account-key-processing |
Account key processing operation, either keep or strip domain string of UPN in the token. |
option |
- |
same |
||||||||||||
|
|
|
|||||||||||||||
|
antiphish |
Enable/disable AntiPhishing credential backend. |
option |
- |
disable |
||||||||||||
|
|
|
|||||||||||||||
|
ca-cert |
CA certificate name. |
string |
Maximum length: 79 |
|
||||||||||||
|
cnid |
Common name identifier for the LDAP server. The common name identifier for most LDAP servers is "cn". |
string |
Maximum length: 20 |
cn |
||||||||||||
|
dn |
Distinguished name used to look up entries on the LDAP server. |
string |
Maximum length: 511 |
|
||||||||||||
|
group-filter |
Filter used for group matching. |
string |
Maximum length: 2047 |
|
||||||||||||
|
group-member-check |
Group member checking methods. |
option |
- |
user-attr |
||||||||||||
|
|
|
|||||||||||||||
|
group-object-filter |
Filter used for group searching. |
string |
Maximum length: 2047 |
(&(objectcategory=group)(member=*)) |
||||||||||||
|
group-search-base |
Search base used for group searching. |
string |
Maximum length: 511 |
|
||||||||||||
|
interface |
Specify outgoing interface to reach server. |
string |
Maximum length: 15 |
|
||||||||||||
|
interface-select-method |
Specify how to select outgoing interface to reach server. |
option |
- |
auto |
||||||||||||
|
|
|
|||||||||||||||
|
member-attr |
Name of attribute from which to get group membership. |
string |
Maximum length: 63 |
memberOf |
||||||||||||
|
name |
LDAP server entry name. |
string |
Maximum length: 35 |
|
||||||||||||
|
obtain-user-info |
Enable/disable obtaining of user information. |
option |
- |
enable |
||||||||||||
|
|
|
|||||||||||||||
|
password |
Password for initial binding. |
password |
Not Specified |
|
||||||||||||
|
password-attr |
Name of attribute to get password hash. |
string |
Maximum length: 35 |
userPassword |
||||||||||||
|
password-expiry-warning |
Enable/disable password expiry warnings. |
option |
- |
disable |
||||||||||||
|
|
|
|||||||||||||||
|
password-renewal |
Enable/disable online password renewal. |
option |
- |
disable |
||||||||||||
|
|
|
|||||||||||||||
|
port |
Port to be used for communication with the LDAP server. |
integer |
Minimum value: 1 Maximum value: 65535 |
389 |
||||||||||||
|
search-type |
Search type. |
option |
- |
|
||||||||||||
|
|
|
|||||||||||||||
|
secondary-server |
Secondary LDAP server CN domain name or IP. |
string |
Maximum length: 63 |
|
||||||||||||
|
secure |
Port to be used for authentication. |
option |
- |
disable |
||||||||||||
|
|
|
|||||||||||||||
|
server |
LDAP server CN domain name or IP. |
string |
Maximum length: 63 |
|
||||||||||||
|
server-identity-check |
Enable/disable LDAP server identity check (verify server domain name/IP address against the server certificate). |
option |
- |
enable |
||||||||||||
|
|
|
|||||||||||||||
|
source-ip |
FortiGate IP address to be used for communication with the LDAP server. |
string |
Maximum length: 63 |
|
||||||||||||
|
source-port |
Source port to be used for communication with the LDAP server. |
integer |
Minimum value: 0 Maximum value: 65535 |
0 |
||||||||||||
|
ssl-min-proto-version |
Minimum supported protocol version for SSL/TLS connections. |
option |
- |
default |
||||||||||||
|
|
|
|||||||||||||||
|
tertiary-server |
Tertiary LDAP server CN domain name or IP. |
string |
Maximum length: 63 |
|
||||||||||||
|
two-factor |
Enable/disable two-factor authentication. |
option |
- |
disable |
||||||||||||
|
|
|
|||||||||||||||
|
two-factor-authentication |
Authentication method by FortiToken Cloud. |
option |
- |
|
||||||||||||
|
|
|
|||||||||||||||
|
two-factor-notification |
Notification method for user activation by FortiToken Cloud. |
option |
- |
|
||||||||||||
|
|
|
|||||||||||||||
|
type |
Authentication type for LDAP searches. |
option |
- |
simple |
||||||||||||
|
|
|
|||||||||||||||
|
user-info-exchange-server |
MS Exchange server from which to fetch user information. |
string |
Maximum length: 35 |
|
||||||||||||
|
username |
Username (full DN) for initial binding. |
string |
Maximum length: 511 |
|
||||||||||||