Fortinet black logo

CLI Reference

config user ldap

config user ldap

Configure LDAP server entries.

config user ldap

Description: Configure LDAP server entries.

edit <name>

set server {string}

set secondary-server {string}

set tertiary-server {string}

set server-identity-check [enable|disable]

set source-ip {string}

set source-port {integer}

set cnid {string}

set dn {string}

set type [simple|anonymous|...]

set two-factor [disable|fortitoken-cloud]

set two-factor-authentication [fortitoken|email|...]

set two-factor-notification [email|sms]

set two-factor-filter {string}

set username {string}

set password {password}

set group-member-check [user-attr|group-object|...]

set group-search-base {string}

set group-object-filter {string}

set group-filter {string}

set secure [disable|starttls|...]

set ssl-min-proto-version [default|SSLv3|...]

set ca-cert {string}

set port {integer}

set password-expiry-warning [enable|disable]

set password-renewal [enable|disable]

set member-attr {string}

set account-key-processing [same|strip]

set account-key-filter {string}

set search-type {option1}, {option2}, ...

set client-cert-auth [enable|disable]

set client-cert {string}

set obtain-user-info [enable|disable]

set user-info-exchange-server {string}

set interface-select-method [auto|sdwan|...]

set interface {string}

set antiphish [enable|disable]

set password-attr {string}

next

end

config user ldap

Parameter

Description

Type

Size

Default

server

LDAP server CN domain name or IP.

string

Not Specified

secondary-server

Secondary LDAP server CN domain name or IP.

string

Not Specified

tertiary-server

Tertiary LDAP server CN domain name or IP.

string

Not Specified

server-identity-check

Enable/disable LDAP server identity check (verify server domain name/IP address against the server certificate).

option

-

enable

Option

Description

enable

Enable server identity check.

disable

Disable server identity check.

source-ip

FortiGate IP address to be used for communication with the LDAP server.

string

Not Specified

source-port

Source port to be used for communication with the LDAP server.

integer

Minimum value: 0 Maximum value: 65535

0

cnid

Common name identifier for the LDAP server. The common name identifier for most LDAP servers is "cn".

string

Not Specified

cn

dn

Distinguished name used to look up entries on the LDAP server.

string

Not Specified

type

Authentication type for LDAP searches.

option

-

simple

Option

Description

simple

Simple password authentication without search.

anonymous

Bind using anonymous user search.

regular

Bind using username/password and then search.

two-factor

Enable/disable two-factor authentication.

option

-

disable

Option

Description

disable

disable two-factor authentication.

fortitoken-cloud

FortiToken Cloud Service.

two-factor-authentication

Authentication method by FortiToken Cloud.

option

-

Option

Description

fortitoken

FortiToken authentication.

email

Email one time password.

sms

SMS one time password.

two-factor-notification

Notification method for user activation by FortiToken Cloud.

option

-

Option

Description

email

Email notification for activation code.

sms

SMS notification for activation code.

two-factor-filter

Filter used to synchronize users to FortiToken Cloud.

string

Not Specified

username

Username (full DN) for initial binding.

string

Not Specified

password

Password for initial binding.

password

Not Specified

group-member-check

Group member checking methods.

option

-

user-attr

Option

Description

user-attr

User attribute checking.

group-object

Group object checking.

posix-group-object

POSIX group object checking.

group-search-base

Search base used for group searching.

string

Not Specified

group-object-filter

Filter used for group searching.

string

Not Specified

(&(objectcategory=group)(member=*))

group-filter

Filter used for group matching.

string

Not Specified

secure

Port to be used for authentication.

option

-

disable

Option

Description

disable

No SSL.

starttls

Use StartTLS.

ldaps

Use LDAPS.

ssl-min-proto-version

Minimum supported protocol version for SSL/TLS connections .

option

-

default

Option

Description

default

Follow system global setting.

SSLv3

SSLv3.

TLSv1

TLSv1.

TLSv1-1

TLSv1.1.

TLSv1-2

TLSv1.2.

ca-cert

CA certificate name.

string

Not Specified

port

Port to be used for communication with the LDAP server .

integer

Minimum value: 1 Maximum value: 65535

389

password-expiry-warning

Enable/disable password expiry warnings.

option

-

disable

Option

Description

enable

Enable password expiry warnings.

disable

Disable password expiry warnings.

password-renewal

Enable/disable online password renewal.

option

-

disable

Option

Description

enable

Enable online password renewal.

disable

Disable online password renewal.

member-attr

Name of attribute from which to get group membership.

string

Not Specified

memberOf

account-key-processing

Account key processing operation, either keep or strip domain string of UPN in the token.

option

-

same

Option

Description

same

Same as UPN.

strip

Strip domain string from UPN.

account-key-filter

Account key filter, using the UPN as the search filter.

string

Not Specified

(&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

search-type

Search type.

option

-

Option

Description

recursive

Recursively retrieve the user-group chain information of a user in a particular Microsoft AD domain.

client-cert-auth

Enable/disable using client certificate for TLS authentication.

option

-

disable

Option

Description

enable

Enable using client certificate for TLS authentication.

disable

Disable using client certificate for TLS authentication.

client-cert

Client certificate name.

string

Not Specified

obtain-user-info

Enable/disable obtaining of user information.

option

-

enable

Option

Description

enable

Enable obtaining of user information.

disable

Disable obtaining of user information.

user-info-exchange-server

MS Exchange server from which to fetch user information.

string

Not Specified

interface-select-method

Specify how to select outgoing interface to reach server.

option

-

auto

Option

Description

auto

Set outgoing interface automatically.

sdwan

Set outgoing interface by SD-WAN or policy routing rules.

specify

Set outgoing interface manually.

interface

Specify outgoing interface to reach server.

string

Not Specified

antiphish

Enable/disable AntiPhishing credential backend.

option

-

disable

Option

Description

enable

Enable AntiPhishing credential backend.

disable

Disable AntiPhishing credential backend.

password-attr

Name of attribute to get password hash.

string

Not Specified

userPassword

config user ldap

Configure LDAP server entries.

config user ldap

Description: Configure LDAP server entries.

edit <name>

set server {string}

set secondary-server {string}

set tertiary-server {string}

set server-identity-check [enable|disable]

set source-ip {string}

set source-port {integer}

set cnid {string}

set dn {string}

set type [simple|anonymous|...]

set two-factor [disable|fortitoken-cloud]

set two-factor-authentication [fortitoken|email|...]

set two-factor-notification [email|sms]

set two-factor-filter {string}

set username {string}

set password {password}

set group-member-check [user-attr|group-object|...]

set group-search-base {string}

set group-object-filter {string}

set group-filter {string}

set secure [disable|starttls|...]

set ssl-min-proto-version [default|SSLv3|...]

set ca-cert {string}

set port {integer}

set password-expiry-warning [enable|disable]

set password-renewal [enable|disable]

set member-attr {string}

set account-key-processing [same|strip]

set account-key-filter {string}

set search-type {option1}, {option2}, ...

set client-cert-auth [enable|disable]

set client-cert {string}

set obtain-user-info [enable|disable]

set user-info-exchange-server {string}

set interface-select-method [auto|sdwan|...]

set interface {string}

set antiphish [enable|disable]

set password-attr {string}

next

end

config user ldap

Parameter

Description

Type

Size

Default

server

LDAP server CN domain name or IP.

string

Not Specified

secondary-server

Secondary LDAP server CN domain name or IP.

string

Not Specified

tertiary-server

Tertiary LDAP server CN domain name or IP.

string

Not Specified

server-identity-check

Enable/disable LDAP server identity check (verify server domain name/IP address against the server certificate).

option

-

enable

Option

Description

enable

Enable server identity check.

disable

Disable server identity check.

source-ip

FortiGate IP address to be used for communication with the LDAP server.

string

Not Specified

source-port

Source port to be used for communication with the LDAP server.

integer

Minimum value: 0 Maximum value: 65535

0

cnid

Common name identifier for the LDAP server. The common name identifier for most LDAP servers is "cn".

string

Not Specified

cn

dn

Distinguished name used to look up entries on the LDAP server.

string

Not Specified

type

Authentication type for LDAP searches.

option

-

simple

Option

Description

simple

Simple password authentication without search.

anonymous

Bind using anonymous user search.

regular

Bind using username/password and then search.

two-factor

Enable/disable two-factor authentication.

option

-

disable

Option

Description

disable

disable two-factor authentication.

fortitoken-cloud

FortiToken Cloud Service.

two-factor-authentication

Authentication method by FortiToken Cloud.

option

-

Option

Description

fortitoken

FortiToken authentication.

email

Email one time password.

sms

SMS one time password.

two-factor-notification

Notification method for user activation by FortiToken Cloud.

option

-

Option

Description

email

Email notification for activation code.

sms

SMS notification for activation code.

two-factor-filter

Filter used to synchronize users to FortiToken Cloud.

string

Not Specified

username

Username (full DN) for initial binding.

string

Not Specified

password

Password for initial binding.

password

Not Specified

group-member-check

Group member checking methods.

option

-

user-attr

Option

Description

user-attr

User attribute checking.

group-object

Group object checking.

posix-group-object

POSIX group object checking.

group-search-base

Search base used for group searching.

string

Not Specified

group-object-filter

Filter used for group searching.

string

Not Specified

(&(objectcategory=group)(member=*))

group-filter

Filter used for group matching.

string

Not Specified

secure

Port to be used for authentication.

option

-

disable

Option

Description

disable

No SSL.

starttls

Use StartTLS.

ldaps

Use LDAPS.

ssl-min-proto-version

Minimum supported protocol version for SSL/TLS connections .

option

-

default

Option

Description

default

Follow system global setting.

SSLv3

SSLv3.

TLSv1

TLSv1.

TLSv1-1

TLSv1.1.

TLSv1-2

TLSv1.2.

ca-cert

CA certificate name.

string

Not Specified

port

Port to be used for communication with the LDAP server .

integer

Minimum value: 1 Maximum value: 65535

389

password-expiry-warning

Enable/disable password expiry warnings.

option

-

disable

Option

Description

enable

Enable password expiry warnings.

disable

Disable password expiry warnings.

password-renewal

Enable/disable online password renewal.

option

-

disable

Option

Description

enable

Enable online password renewal.

disable

Disable online password renewal.

member-attr

Name of attribute from which to get group membership.

string

Not Specified

memberOf

account-key-processing

Account key processing operation, either keep or strip domain string of UPN in the token.

option

-

same

Option

Description

same

Same as UPN.

strip

Strip domain string from UPN.

account-key-filter

Account key filter, using the UPN as the search filter.

string

Not Specified

(&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

search-type

Search type.

option

-

Option

Description

recursive

Recursively retrieve the user-group chain information of a user in a particular Microsoft AD domain.

client-cert-auth

Enable/disable using client certificate for TLS authentication.

option

-

disable

Option

Description

enable

Enable using client certificate for TLS authentication.

disable

Disable using client certificate for TLS authentication.

client-cert

Client certificate name.

string

Not Specified

obtain-user-info

Enable/disable obtaining of user information.

option

-

enable

Option

Description

enable

Enable obtaining of user information.

disable

Disable obtaining of user information.

user-info-exchange-server

MS Exchange server from which to fetch user information.

string

Not Specified

interface-select-method

Specify how to select outgoing interface to reach server.

option

-

auto

Option

Description

auto

Set outgoing interface automatically.

sdwan

Set outgoing interface by SD-WAN or policy routing rules.

specify

Set outgoing interface manually.

interface

Specify outgoing interface to reach server.

string

Not Specified

antiphish

Enable/disable AntiPhishing credential backend.

option

-

disable

Option

Description

enable

Enable AntiPhishing credential backend.

disable

Disable AntiPhishing credential backend.

password-attr

Name of attribute to get password hash.

string

Not Specified

userPassword