config user ldap

Configure LDAP server entries.

config user ldap
    Description: Configure LDAP server entries.
    edit <name>
        set account-key-filter {string}
        set account-key-processing [same|strip]
        set antiphish [enable|disable]
        set ca-cert {string}
        set cnid {string}
        set dn {string}
        set group-filter {string}
        set group-member-check [user-attr|group-object|...]
        set group-object-filter {string}
        set group-search-base {string}
        set interface {string}
        set interface-select-method [auto|sdwan|...]
        set member-attr {string}
        set name {string}
        set obtain-user-info [enable|disable]
        set password {password}
        set password-attr {string}
        set password-expiry-warning [enable|disable]
        set password-renewal [enable|disable]
        set port {integer}
        set search-type {option1}, {option2}, ...
        set secondary-server {string}
        set secure [disable|starttls|...]
        set server {string}
        set server-identity-check [enable|disable]
        set source-ip {string}
        set source-port {integer}
        set ssl-min-proto-version [default|SSLv3|...]
        set tertiary-server {string}
        set two-factor [disable|fortitoken-cloud]
        set two-factor-authentication [fortitoken|email|...]
        set two-factor-notification [email|sms]
        set type [simple|anonymous|...]
        set user-info-exchange-server {string}
        set username {string}
    next
end

config user ldap

Parameters: each entry lists the description, type, size and default, followed by the allowed values where the type is option.

account-key-filter
    Description: Account key filter, using the UPN as the search filter.
    Type: string
    Size: Not Specified
    Default: (&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

account-key-processing
    Description: Account key processing operation: either keep or strip the domain string of the UPN in the token.
    Type: option
    Size: -
    Default: same
    Options:
        same     Same as UPN.
        strip    Strip the domain string from the UPN.

antiphish
    Description: Enable/disable the AntiPhishing credential backend.
    Type: option
    Size: -
    Default: disable
    Options:
        enable   Enable the AntiPhishing credential backend.
        disable  Disable the AntiPhishing credential backend.

ca-cert
    Description: CA certificate name.
    Type: string
    Size: Not Specified

cnid
    Description: Common name identifier for the LDAP server. The common name identifier for most LDAP servers is "cn".
    Type: string
    Size: Not Specified
    Default: cn

dn
    Description: Distinguished name used to look up entries on the LDAP server.
    Type: string
    Size: Not Specified

group-filter
    Description: Filter used for group matching.
    Type: string
    Size: Not Specified

group-member-check
    Description: Group member checking method.
    Type: option
    Size: -
    Default: user-attr
    Options:
        user-attr           User attribute checking.
        group-object        Group object checking.
        posix-group-object  POSIX group object checking.

group-object-filter
    Description: Filter used for group searching.
    Type: string
    Size: Not Specified
    Default: (&(objectcategory=group)(member=*))

group-search-base
    Description: Search base used for group searching.
    Type: string
    Size: Not Specified

interface
    Description: Outgoing interface used to reach the server.
    Type: string
    Size: Not Specified

interface-select-method
    Description: How the outgoing interface used to reach the server is selected.
    Type: option
    Size: -
    Default: auto
    Options:
        auto     Set the outgoing interface automatically.
        sdwan    Set the outgoing interface by SD-WAN or policy routing rules.
        specify  Set the outgoing interface manually.

member-attr
    Description: Name of the attribute from which to get group membership.
    Type: string
    Size: Not Specified
    Default: memberOf

name
    Description: LDAP server entry name.
    Type: string
    Size: Not Specified

obtain-user-info
    Description: Enable/disable obtaining user information.
    Type: option
    Size: -
    Default: enable
    Options:
        enable   Enable obtaining user information.
        disable  Disable obtaining user information.

password
    Description: Password for the initial bind.
    Type: password
    Size: Not Specified

password-attr
    Description: Name of the attribute from which to get the password hash.
    Type: string
    Size: Not Specified
    Default: userPassword

password-expiry-warning
    Description: Enable/disable password expiry warnings.
    Type: option
    Size: -
    Default: disable
    Options:
        enable   Enable password expiry warnings.
        disable  Disable password expiry warnings.

password-renewal
    Description: Enable/disable online password renewal.
    Type: option
    Size: -
    Default: disable
    Options:
        enable   Enable online password renewal.
        disable  Disable online password renewal.

port
    Description: Port to be used for communication with the LDAP server.
    Type: integer
    Size: Minimum value: 1, maximum value: 65535
    Default: 389

search-type
    Description: Search type.
    Type: option
    Size: -
    Options:
        recursive  Recursively retrieve the user-group chain information of a user in a particular Microsoft AD domain.

secondary-server
    Description: Secondary LDAP server CN domain name or IP.
    Type: string
    Size: Not Specified

secure
    Description: Port to be used for authentication.
    Type: option
    Size: -
    Default: disable
    Options:
        disable   No SSL.
        starttls  Use StartTLS.
        ldaps     Use LDAPS.

server
    Description: LDAP server CN domain name or IP.
    Type: string
    Size: Not Specified

server-identity-check
    Description: Enable/disable the LDAP server identity check (verify the server domain name/IP address against the server certificate).
    Type: option
    Size: -
    Default: enable
    Options:
        enable   Enable the server identity check.
        disable  Disable the server identity check.

source-ip
    Description: FortiGate IP address to be used for communication with the LDAP server.
    Type: string
    Size: Not Specified

source-port
    Description: Source port to be used for communication with the LDAP server.
    Type: integer
    Size: Minimum value: 0, maximum value: 65535
    Default: 0

ssl-min-proto-version
    Description: Minimum supported protocol version for SSL/TLS connections.
    Type: option
    Size: -
    Default: default
    Options:
        default  Follow the system global setting.
        SSLv3    SSLv3.
        TLSv1    TLSv1.
        TLSv1-1  TLSv1.1.
        TLSv1-2  TLSv1.2.

tertiary-server
    Description: Tertiary LDAP server CN domain name or IP.
    Type: string
    Size: Not Specified

two-factor
    Description: Enable/disable two-factor authentication.
    Type: option
    Size: -
    Default: disable
    Options:
        disable           Disable two-factor authentication.
        fortitoken-cloud  FortiToken Cloud Service.

two-factor-authentication
    Description: Authentication method used by FortiToken Cloud.
    Type: option
    Size: -
    Options:
        fortitoken  FortiToken authentication.
        email       Email one-time password.
        sms         SMS one-time password.

two-factor-notification
    Description: Notification method for user activation by FortiToken Cloud.
    Type: option
    Size: -
    Options:
        email  Email notification for the activation code.
        sms    SMS notification for the activation code.

type
    Description: Authentication type for LDAP searches.
    Type: option
    Size: -
    Default: simple
    Options:
        simple     Simple password authentication without search.
        anonymous  Bind using anonymous user search.
        regular    Bind using username/password and then search.

user-info-exchange-server
    Description: MS Exchange server from which to fetch user information.
    Type: string
    Size: Not Specified

username
    Description: Username (full DN) for the initial bind.
    Type: string
    Size: Not Specified
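The defaults listed above (secure disable, port 389, ssl-min-proto-version default) leave an LDAP entry talking to the server in clear text unless the transport settings are set explicitly. The following is an added example and not part of the Fortinet reference: a small Python audit that parses a `config user ldap` block in the CLI syntax shown at the top of the page and flags entries left on clear-text or deprecated-protocol settings. The sample configuration, the entry names, the service account DN and the CA name CA_Cert_1 are constructed, and `ENC PLACEHOLDER` stands in for the encoded password the CLI would display.

```python
# Defaults come from the parameter table above; a setting absent from an entry takes its documented default.
DEFAULTS = {"secure": "disable", "server-identity-check": "enable", "ssl-min-proto-version": "default"}

# Constructed sample config: one entry left at the defaults, one hardened (LDAPS, named CA, TLS 1.2 minimum).
SAMPLE_CONFIG = """\
config user ldap
    edit "ad-weak"
        set server "ldap.example.internal"
        set type regular
        set username "cn=svc-fgt,ou=service,dc=example,dc=internal"
        set password ENC PLACEHOLDER
    next
    edit "ad-hardened"
        set server "ldap.example.internal"
        set type regular
        set username "cn=svc-fgt,ou=service,dc=example,dc=internal"
        set password ENC PLACEHOLDER
        set secure ldaps
        set port 636
        set ca-cert "CA_Cert_1"
        set ssl-min-proto-version TLSv1-2
    next
end
"""

def parse_user_ldap(text):
    """Parse a 'config user ldap' block into {entry_name: {setting: value}}, defaults pre-filled."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = entries.setdefault(line[5:].strip('"'), dict(DEFAULTS))
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")  # value keeps internal spaces (e.g. "ENC ...")
            current[key] = value.strip('"')
    return entries

def audit_entry(cfg):
    """Return findings for one LDAP server entry; an empty list means no transport weakness found."""
    findings = []
    if cfg["secure"] == "disable":  # simple bind without TLS: the bind password and user passwords are sent in clear
        findings.append("secure=disable: bind credentials and user passwords cross the network in clear text")
    elif cfg["server-identity-check"] == "disable":  # TLS on, but the certificate is not tied to the configured server
        findings.append("server-identity-check=disable: server certificate not matched to server name/IP")
    if cfg["ssl-min-proto-version"] in ("SSLv3", "TLSv1", "TLSv1-1"):  # 'default' defers to the global setting
        findings.append("ssl-min-proto-version=" + cfg["ssl-min-proto-version"] + ": deprecated protocol allowed")
    return findings
```

Running `audit_entry` over each entry returned by `parse_user_ldap(SAMPLE_CONFIG)` reports the clear-text finding for `ad-weak` and nothing for `ad-hardened`.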
