profile ldap
Use this command to configure LDAP profiles which can query LDAP servers for authentication, email address mappings, and more.
Before using an LDAP profile, verify each LDAP query and connectivity with your LDAP server: run the same filter with a standard LDAP client against the same base DN and scope, and confirm it returns exactly the objects you expect, and nothing else. When LDAP queries do not match the server's schema or contents, unintended mail processing behaviors can result, including bypassing antivirus scans. For details on how to use an LDAP directory with FortiMail LDAP profiles, see the FortiMail Administration Guide.
LDAP profiles each contain one or more queries that retrieve specific configuration data, such as user groups, from an LDAP server.
Syntax
config profile ldap
edit <profile_name>
[set comment "<comment_str>"]
set access-override {enable | disable}
set access-override-attribute <attribute_str>
set address-map-state {enable | disable}
set alias-bind-dn <bind_dn_str>
set alias-bind-password <bindpw_str>
set alias-dereferencing {never | always | search | find}
set alias-expansion-level <limit_int>
set alias-group-expansion-state {enable | disable}
set alias-group-member-attribute <attribute_str>
set alias-group-query <query_str>
set alias-member-mail-attribute <attribute_str>
set alias-member-query <query_str>
set alias-schema {activedirectory | dominoperson | inetlocalmailrcpt | inetorgperson | userdefined}
set alias-scope {base | one | sub}
set alias-state {enable | disable}
set asav-state {enable | disable}
set auth-bind-dn {cnid | none | searchuser | upn}
set authstate {enable | disable}
set base-dn <base-dn_str>
set bind-dn <bind-dn_str>
set bind-password <bind-password_str>
set cache-state {enable | disable}
set chain-status {enable | disable}
set client-cert-auth {enable | disable}
set client-cert <certificate_name>
set content <content-profile_name>
set dereferencing {never | always | search | find}
set display-name <display-name_str>
set domain-antispam-attr <attribute_str>
set domain-antivirus-attr <attribute_str>
set domain-content-attr <attribute_str>
set domain-override {enable | disable}
set domain-override-attribute <attribute_str>
set domain-parent-attr <attribute_str>
set domain-query <query_str>
set domain-routing-mail-host-attr <attribute_str>
set domain-state {enable | disable}
set external-address <attribute_str>
set fallback-server {<server_fqdn> | <server_ipv4>}
set group-base-dn <base-dn_str>
set group-expansion-level {1..6}
set group-membership-attribute <attribute_str>
set group-name-attribute <attribute_str>
set group-owner {enable | disable}
set group-owner-address-attribute <attribute_str>
set group-owner-attribute <attribute_str>
set group-relative-name {enable | disable}
set group-virtual {enable | disable}
set groupstate {enable | disable}
set internal-address <attribute_str>
set port <port_int>
set rcpt-vrfy-bypass {enable | disable}
set referrals-chase {enable | disable}
set routing-mail-host <attribute_str>
set routing-mail-addr <attribute_str>
set routing-state {enable | disable}
set schema {activedirectory | dominoperson | inetlocalmailrcpt | inetorgperson | userdefined}
set secure {none | ssl}
set server {<server_fqdn> | <server_ipv4> | <server_ipv6>}
set unauth-bind {enable | disable}
set user-display-name-attr <attribute_str>
set user-display-name-retrieval {enable | disable}
set webmail-password-change {enable | disable}
set webmail-password-schema {openldap | activedirectory}
end
Variables

<profile_name>
Enter the name of the LDAP profile.

access-override {enable | disable}
Enable to override the access profile that you specified when adding an administrator with the value of the attribute returned by the LDAP server (see access-override-attribute), if that value matches the name of an existing access profile. If there is no match, the specified access profile is still used.
Default: disable

access-override-attribute <attribute_str>
Enter the name of the LDAP attribute whose value names the access profile to apply. Used only when access-override is enable.

address-map-state {enable | disable}
Enable to query the LDAP server defined in this profile for user objects' mappings between internal and external email addresses. See Email address mapping.
Default: disable

Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiMail unit will search for either alias or user objects. User or alias objects should be child nodes of this location. Whether you should specify the base DN of user objects or of alias objects varies by your LDAP schema style. A schema may resolve alias email addresses directly or indirectly (using references):
- Direct resolution: Alias objects directly contain one or more email address attributes, such as
- Indirect resolution: Alias objects do not directly contain an email address attribute that can resolve the alias; instead, in the style of LDAP group-like objects, the alias objects contain only references to user objects that are "members" of the alias "group." The alias is resolved from the user objects' email address attribute values, such as

alias-bind-dn <bind_dn_str>
Enter the bind DN, such as The FortiMail unit binds as this DN (with alias-bind-password) before running alias queries. You can omit it only if your LDAP server allows these queries without authentication; see the caveat under bind-dn.

alias-bind-password <bindpw_str>
Enter the password for the alias-bind-dn account.

alias-dereferencing {never | always | search | find}
Select the method to use, if any, when dereferencing attributes whose values are references (LDAP aliases):
- never: do not dereference aliases
- always: dereference aliases both when locating the base object and when searching beneath it
- search: dereference aliases only in entries beneath the base object, not in the base object itself
- find: dereference aliases only when locating the base object
Default: never

alias-expansion-level <limit_int>
Enter the maximum number of nested alias levels that the FortiMail unit will expand when resolving an alias.
Default: 0

alias-group-expansion-state {enable | disable}
Enable if your LDAP schema resolves email aliases indirectly. For direct versus indirect resolution, see the alias base DN entry above. When this option is disabled, alias resolution uses a single query: the FortiMail unit queries the LDAP directory for the objects that contain the alias-member-mail-attribute. When this option is enabled, alias resolution uses two queries: the FortiMail unit first performs a preliminary query (alias-group-query) that selects the alias object, then performs a second query (alias-member-query) using the distinguished names returned by the preliminary query, instead of the email address, to select the member objects. The two-query approach is appropriate if, in your schema, alias objects are structured like group objects and contain references in the form of distinguished names of member user objects, rather than directly containing the email addresses to which the alias resolves. In that case, the FortiMail unit must first "expand" the alias object into its constituent user objects before it can resolve the alias email address.
Default: disable

alias-group-member-attribute <attribute_str>
Enter the name of the group member attribute, such as This attribute must be present in alias objects only if they do not contain the email address attribute specified in alias-member-mail-attribute.

alias-group-query <query_str>
Enter an LDAP query filter that selects the set of alias objects, represented as group-like objects whose members are user objects, in the LDAP directory. The query filter string filters the result set, and should be based upon attributes that are common to all alias objects but also exclude non-alias objects. For example, if alias objects in your directory have two distinguishing characteristics, their
where

alias-member-mail-attribute <attribute_str>
Enter the name of the attribute that holds the alias member's mail address, such as This attribute must be present in either alias or user objects, as determined by your schema and whether it resolves aliases directly or indirectly.

alias-member-query <query_str>
Enter an LDAP query filter that selects a set of either user or email alias objects, whichever object class contains the attribute you configured in alias-member-mail-attribute, from the LDAP directory. The query filter string filters the result set, and should be based upon attributes that are common to all user/alias objects but also exclude objects that are not a user/alias. For example, if user objects in your directory have two distinguishing characteristics, their
where

alias-schema {activedirectory | dominoperson | inetlocalmailrcpt | inetorgperson | userdefined}
Enter either the name of the LDAP directory's schema, or enter userdefined if your directory uses a different schema.
Default: inetorgperson

alias-scope {base | one | sub}
Enter which level of depth to query:
- base: only the object at the base DN
- one: only the immediate children of the base DN
- sub: the base DN and its entire subtree
Default: sub

alias-state {enable | disable}
Enable to query user objects for email address aliases.
Default: disable

Enter the name of the attribute, such as

Enter the name of the attribute, such as

Enable to query user objects for mappings between internal and external email addresses.
Default: disable

auth-bind-dn {cnid | none | searchuser | upn}
Enter none to not define a user authentication query, or one of the following to define how the user's bind DN is formed for authentication:
- cnid: build the bind DN from the user's common name attribute and base-dn
- searchuser: first search for the user object with the user query, then bind as the DN that the search returns
- upn: bind with the user principal name (see the UPN suffix entry below)
This command applies only if authstate is enable.
Default: searchuser

authstate {enable | disable}
Enable to perform user authentication queries.
Default: disable

base-dn <base-dn_str>
Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiMail unit will search for user objects, such as User objects should be child nodes of this location.

bind-dn <bind-dn_str>
Enter the bind DN, such as The FortiMail unit binds as this DN (with bind-password) before running queries. You can omit it only if your LDAP server allows the queries in this profile without authentication (anonymous bind). Prefer a dedicated, read-only service account: anonymous read access exposes the directory to any client that can reach the server, and the bind password crosses the network in clear text unless secure is ssl.

bind-password <bind-password_str>
Enter the password for the bind-dn account.

cache-state {enable | disable}
Enable to cache LDAP query results. Caching introduces a delay between when you update LDAP directory information and when the FortiMail unit begins using that new information (a user or group membership that you remove from the directory continues to be honored until the cached result expires), but it reduces the LDAP network traffic caused by frequent queries for information that rarely changes. If this option is enabled but queries are not being cached, inspect the TTL value. Entering a TTL value of
Default: disable

Enter the amount of time, in minutes, that the FortiMail unit will cache query results. After the TTL has elapsed, cached results expire, and the next request for that information causes the FortiMail unit to query the LDAP server again, refreshing the cache. The maximum value is 10,080 minutes (one week). Enter
Default: 1440 (one day)

Enter the name of another LDAP profile to add to the group of profiles that form a chain query.

chain-status {enable | disable}
Enable chain queries using the LDAP profiles added for chaining.
Default: disable

client-cert-auth {enable | disable}
Enable if the LDAP server requires that clients such as the FortiMail unit present a client certificate to authenticate themselves during secure connections. Also configure client-cert. This setting is available only when secure is ssl.
Default: disable

client-cert <certificate_name>
Enter the name of the local certificate that the FortiMail unit will present as its client certificate if the LDAP server requires clients to identify themselves during secure connections. This can be used instead of, or in addition to, a bind DN and password. Also configure client-cert-auth. This setting is available only when secure is ssl. Note: The certificate that FortiMail uses for client authentication must:
Otherwise the secure connection will fail. Servers may have their own certificate validation requirements in addition to FortiMail requirements. For example, client certificates may require that

Enter the name of the user objects' common name attribute, such as This attribute is used to build the bind DN when auth-bind-dn is cnid.

content <content-profile_name>
Enter the name of the attribute, such as The name of this attribute may vary by the schema of your LDAP directory. If you do not specify this attribute (that is, leave this field blank), the content profile in the matched recipient-based policy is used.

comment "<comment_str>"
Enter a description or comment.

dereferencing {never | always | search | find}
Select the method to use, if any, when dereferencing attributes whose values are references (LDAP aliases):
- never: do not dereference aliases
- always: dereference aliases both when locating the base object and when searching beneath it
- search: dereference aliases only in entries beneath the base object, not in the base object itself
- find: dereference aliases only when locating the base object
Default: never

display-name <display-name_str>
Enter the LDAP address mapping display name attribute.

domain-antispam-attr <attribute_str>
Enter the name of the antispam profile attribute, such as The name of this attribute may vary by the schema of your LDAP directory.

domain-antivirus-attr <attribute_str>
Enter the name of the antivirus profile attribute, such as The name of this attribute may vary by the schema of your LDAP directory.

domain-content-attr <attribute_str>
Enter the name of the content profile attribute.

domain-override {enable | disable}
Enable or disable override of the system admin domain with the value of domain-override-attribute.

domain-override-attribute <attribute_str>
Enter the name of the attribute whose value overrides the system admin domain.

domain-parent-attr <attribute_str>
Enter the name of the parent domain attribute, such as The name of this attribute may vary by the schema of your LDAP directory.

domain-query <query_str>
Enter an LDAP query filter that selects a set of domain objects, whichever object class contains the attribute you configured for this option, from the LDAP directory. For details on query syntax, refer to any standard LDAP query filter reference manual. For this option to work, your LDAP directory should contain a single generic user for each domain. Wildcard users (e.g. The user entry should be configured with attributes to represent the following:

domain-routing-mail-host-attr <attribute_str>
Enter the name of the mail host attribute, such as The name of this attribute may vary by the schema of your LDAP directory.

domain-state {enable | disable}
Enable or disable the domain lookup option. For more information about domain lookup, see domain-query.
Default: disable

external-address <attribute_str>
Enter the name of the attribute whose value is an email address in the same or another protected domain. This email address will be rewritten into the value of internal-address according to the match conditions and effects described in Match evaluation and rewrite behavior for email address mappings. The name of this attribute may vary by the schema of your LDAP directory.
Default: extAddress

If you have configured a backup LDAP server that listens on a nonstandard port number, enter that TCP port number. The standard port number for LDAP is 389. The standard port number for SSL-secured LDAP is 636. The FortiMail unit uses SSL-secured LDAP to connect to the server if secure is ssl.
Default: 389

fallback-server {<server_fqdn> | <server_ipv4>}
Enter either the fully qualified domain name (FQDN) or IP address of the backup LDAP server. If there is no fallback server, enter an empty string ('').

group-base-dn <base-dn_str>
Enter the base DN portion of the group's full DN, such as This command applies only if group-relative-name is enable.

group-expansion-level {1..6}
Enter how many levels of nested groups will be expanded for lookup. Valid range is 1-6.
Default: 1

group-membership-attribute <attribute_str>
Enter the name of the attribute, such as This attribute must be present in user objects. Whether the value must use common name, group number, or DN syntax varies by your LDAP server schema. For example, if your user objects use both

group-name-attribute <attribute_str>
Enter the name of the attribute, such as This command applies only if group-relative-name is enable.

group-owner {enable | disable}
Enable to query the group object by its distinguished name (DN) to retrieve the DN of the group owner, which is a user that will receive that group's spam reports. Using that user's DN, the FortiMail unit then performs a second query to retrieve that user's email address, to which the spam report is sent. For more information on sending spam reports to the group owner, see domain-setting.
Default: disable

group-owner-address-attribute <attribute_str>
Enter the name of the attribute, such as If

group-owner-attribute <attribute_str>
Enter the name of the attribute, such as If

group-relative-name {enable | disable}
Enable to specify the base distinguished name (DN) portion of the group's full DN in the LDAP profile. By specifying the group's base DN and the name of its group name attribute in the LDAP profile, you only need to supply the group name value when configuring each feature that uses this query. For example, you might find it more convenient in each recipient-based policy to type only the group name, Note: Enabling this option is appropriate only if your LDAP server's schema specifies that the group membership attribute's value must use DN syntax. It is not appropriate if this value uses another type of syntax, such as a number or common name. For example, if your user objects use both
Default: disable

group-virtual {enable | disable}
Enable to treat objects within the base-dn as if they were members of a user group object. For example, your LDAP directory might not contain user group objects; in that sense, groups do not really exist in the directory. You can mimic a group's presence by enabling this option to treat all users that are child objects of the base DN in the user object query as if they were members of such a group.
Default: disable

groupstate {enable | disable}
Enable to perform LDAP group queries.
Default: disable

internal-address <attribute_str>
Enter the name of the LDAP attribute whose value is an email address in the same or another protected domain. This email address will be rewritten into the value of external-address according to the match conditions and effects described in Match evaluation and rewrite behavior for email address mappings. The name of this attribute may vary by the schema of your LDAP directory.
Default: intAddress

port <port_int>
Enter the TCP port number on which the LDAP server listens. The standard port number for LDAP is 389. The standard port number for SSL-secured LDAP is 636.
Default: 389

Enter an LDAP query filter, enclosed in single quotes ('), that selects a set of user objects from the LDAP directory. When the query runs, $m is replaced with the email address being looked up. The query filter string filters the result set, and should be based upon attributes that are common to all user objects but also exclude non-user objects; a filter without an object class test can match non-user entries that happen to carry a matching mail attribute, so verify the filter against your directory before relying on it (see the warning at the top of this section). For example, if user objects in your directory have two distinguishing characteristics, their
where If the email address (
where
where For some schemas, such as Microsoft Active Directory-style schemas, this query will retrieve both the user's primary email address and the user's alias email addresses. If your schema style is different, you may want to also configure an alias query to resolve aliases. For details on query syntax, refer to any standard LDAP query filter reference manual. This command applies only if
Default: (& (objectClass=inetOrgPerson) (mail=$m))

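The user query above substitutes the looked-up address for $m, and the warning at the top of this section asks you to verify each query before relying on it. The harness below is an added example, not code from this page or from FortiMail: it runs such filters against a small constructed directory so that the effect of a filter can be checked offline. It shows that the page's default query matches only the user, that the same filter without the objectClass test also matches a non-user object that happens to carry a mail attribute, and that an unescaped wildcard in the substituted address matches every entry, so the address must be escaped per RFC 4515 before substitution (how FortiMail itself escapes $m is not stated on this page; confirm it on your unit). It also implements the two-query, level-limited alias resolution described under alias-group-expansion-state and alias-expansion-level. The directory entries, the alias group query, the member and mail attribute names, and the reading of the expansion level are assumptions.

```python
"""Offline check of FortiMail-style LDAP filters against a constructed directory.
Added example, not FortiMail code: the entries, the alias group query, the member
and mail attribute names and the reading of alias-expansion-level are assumptions."""
import re

def _entry(dn, object_class, mail, *member_dns):
    e = {"dn": dn, "objectClass": [object_class], "mail": [mail]}
    if member_dns:
        e["member"] = list(member_dns)
    return e

U1, U2 = "uid=user1,ou=People,dc=example,dc=com", "uid=user2,ou=People,dc=example,dc=com"
SALES = "cn=sales,ou=Groups,dc=example,dc=com"
# Constructed: two users, two nested alias groups whose members are DNs (indirect
# resolution), and a non-user object that also carries a mail attribute.
DIRECTORY = [
    _entry(U1, "inetOrgPerson", "user1@example.com"),
    _entry(U2, "inetOrgPerson", "user2@example.com"),
    _entry(SALES, "groupOfNames", "sales@example.com", U1, U2),
    _entry("cn=all,ou=Groups,dc=example,dc=com", "groupOfNames", "all@example.com", SALES),
    _entry("cn=printer1,ou=Devices,dc=example,dc=com", "device", "printer1@example.com"),
]

USER_QUERY = "(& (objectClass=inetOrgPerson) (mail=$m))"       # the page's default query
LOOSE_QUERY = "(mail=$m)"                                       # same, without the class test
ALIAS_GROUP_QUERY = "(& (objectClass=groupOfNames) (mail=$m))"  # assumed alias-group-query
MEMBER_ATTR, MAIL_ATTR = "member", "mail"  # assumed alias-group-member-/alias-member-mail-attribute

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def render_query(template, address, escape=True):
    """Substitute the looked-up address for the $m placeholder."""
    return template.replace("$m", escape_filter_value(address) if escape else address)

def parse_filter(text):
    """Parse the RFC 4515 subset used here: &, | and attr=value (* wildcards allowed)."""
    def node(pos):
        while text[pos] == " ":
            pos += 1
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        while text[pos] == " ":
            pos += 1
        if text[pos] in "&|":
            op, kids, pos = text[pos], [], pos + 1
            while True:
                while text[pos] == " ":
                    pos += 1
                if text[pos] == ")":
                    return (op, kids), pos + 1
                kid, pos = node(pos)
                kids.append(kid)
        end = text.index(")", pos)
        attr, _, pattern = text[pos:end].partition("=")
        return ("=", attr.strip(), pattern), end + 1
    tree, pos = node(0)
    if text[pos:].strip():
        raise ValueError("trailing data after filter: %r" % text[pos: ])
    return tree

def _value_matches(pattern, actual):
    # Split on literal wildcards first, then decode \xx escapes, so an escaped \2a
    # is compared as an ordinary asterisk instead of acting as a wildcard.
    parts = [re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p)
             for p in pattern.split("*")]
    return re.fullmatch(".*".join(re.escape(p) for p in parts), actual, re.I) is not None

def matches(tree, entry):
    if tree[0] == "&":
        return all(matches(k, entry) for k in tree[1])
    if tree[0] == "|":
        return any(matches(k, entry) for k in tree[1])
    return any(_value_matches(tree[2], v) for v in entry.get(tree[1], []))

def search(filter_text, directory=DIRECTORY):
    """DNs that a sub-scope search with this filter would return."""
    tree = parse_filter(filter_text)
    return [e["dn"] for e in directory if matches(tree, e)]

def resolve_alias(address, max_levels=0, directory=DIRECTORY):
    """Two-query (indirect) alias resolution as described for alias-group-expansion-state:
    select the alias object, then follow its member DNs. Assumed reading of
    alias-expansion-level: up to max_levels alias groups nested inside the first one
    are expanded; members nested deeper are dropped."""
    by_dn = {e["dn"]: e for e in directory}
    found = []
    def expand(dn, nesting):
        entry = by_dn.get(dn)
        if entry is None:
            return
        if MEMBER_ATTR not in entry:
            found.extend(entry.get(MAIL_ATTR, []))
        elif nesting <= max_levels:
            for member_dn in entry[MEMBER_ATTR]:
                expand(member_dn, nesting + 1)
    for group_dn in search(render_query(ALIAS_GROUP_QUERY, address), directory):
        expand(group_dn, 0)
    return found
```

search(render_query(USER_QUERY, "user1@example.com")) returns only the user's DN, while search(render_query(LOOSE_QUERY, "printer1@example.com")) returns the device entry, and render_query(LOOSE_QUERY, "*@example.com", escape=False) matches all five entries where the escaped form matches none. resolve_alias("all@example.com") is empty at the default level and yields both users at max_levels=1. To repeat the same checks against a real directory, run the rendered filter with a standard LDAP client (for example ldapsearch) using the profile's base DN and scope.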
rcpt-vrfy-bypass {enable | disable}
If you have selected using the LDAP server to verify recipient addresses and your LDAP server is down, enabling this option abandons recipient address verification and the FortiMail unit continues relaying email. This is a fail-open setting: while the server is unreachable, mail for recipients that do not exist is accepted. Disable it if you prefer to fail closed, so that mail for recipients that cannot be verified is not relayed during the outage; either way, test the behavior you chose before relying on it and monitor for LDAP unavailability.
Default: enable

referrals-chase {enable | disable}
Enable to follow LDAP referrals returned by the server, which may direct queries to other servers named in the referral.
Default: disable

routing-mail-host <attribute_str>
Enter the name of the LDAP attribute whose value is the mail host (email server) where the user's email is stored, such as
Default: mailHost

routing-mail-addr <attribute_str>
Enter the name of the LDAP attribute whose value is the email address of a deliverable user on the email server, also known as the mail host. For example, a user may have many aliases and external email addresses that are not necessarily known to the email server. These addresses all map to a real email account (mail routing address) on the email server (mail host) where the user's email is actually stored. A user's recipient email address, in the envelope or header portion of each email, is rewritten to this address.
Default: mailRoutingAddress

routing-state {enable | disable}
Enable to perform LDAP queries for mail routing.
Default: disable

schema {activedirectory | dominoperson | inetlocalmailrcpt | inetorgperson | userdefined}
Enter either the name of the LDAP directory's schema, or enter userdefined if your directory uses a different schema. If you enter
Default: inetorgperson

Select which level of depth to query:
- base: only the object at the base DN
- one: only the immediate children of the base DN
- sub: the base DN and its entire subtree
Default: sub

secure {none | ssl}
Select whether or not to connect to the LDAP server(s) using an encrypted connection. With none, the bind DN password and every user password that the FortiMail unit forwards for authentication queries cross the network in clear text; use ssl unless the path to the server is protected by other means. Note: If your FortiMail unit is deployed in server mode, and you want to enable webmail-password-change using an LDAP server that uses a Microsoft Active Directory-style schema, you must select ssl.
Default: none

server {<server_fqdn> | <server_ipv4> | <server_ipv6>}
Enter the fully qualified domain name (FQDN) or IP address of the LDAP server.

Enter the maximum amount of time, in seconds, that the FortiMail unit will wait for query responses from the LDAP server.
Default: 10

unauth-bind {enable | disable}
An unauthenticated bind is a bind in which the user supplies a user name with no password. Some LDAP servers (such as Active Directory) allow unauthenticated bind by default. For better security, FortiMail does not accept an empty password when doing LDAP authentication, even if the back-end LDAP server allows it. In some cases, such as allowing all members of a distribution list to access their quarantined email in gateway and transparent mode, this option needs to be enabled in the LDAP profile, so that FortiMail accepts LDAP authentication requests with an empty password (the user name must not be empty) and forwards such requests to the back-end LDAP server. If unauthenticated bind is permitted by the LDAP server, and the user exists on the server, FortiMail considers authentication successful and grants access to the user. In other words, with this option enabled, knowing a valid user name is sufficient to log in. It is highly recommended that a dedicated LDAP profile (with this option enabled) is used for the above case only. All other users should use separate LDAP profiles with this option disabled (the default) to maintain maximum security. Note: This option is available in the CLI only, and it only takes effect for webmail access in gateway and transparent mode.
Default: disable

If the user principal name (UPN) suffix of your users differs from the mail domain, enter that UPN suffix. This can be useful if users authenticate with a domain other than the mail server's principal domain name.

user-display-name-attr <attribute_str>
Enter the name of the attribute that holds the user's display name.
Default: cn

user-display-name-retrieval {enable | disable}
Enable to retrieve the user's display name for webmail.
Default: disable

Enter the version of the LDAP protocol used to communicate with the LDAP server.
Default: ver3

webmail-password-change {enable | disable}
Enable to perform password change queries for FortiMail webmail users. In server mode, password changes against an Active Directory-style schema require secure to be ssl (see the note under secure).
Default: disable

webmail-password-schema {openldap | activedirectory}
Enter one of the following to indicate the schema of your LDAP directory for password changes:
- openldap: OpenLDAP-style schema
- activedirectory: Microsoft Active Directory-style schema
Default: openldap
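Because the unauth-bind entry above describes a deliberate exception to the empty-password rule, it is worth seeing the exact decision it produces. The model below is an added example, not FortiMail code: the back-end server is a constructed in-memory stand-in that accepts unauthenticated binds the way Active Directory does by default, and the account names and passwords are invented. It shows that with the option enabled, every existing user name gets in with an empty password, which is why the entry insists on a dedicated profile for that case, and that the gateway still refuses an empty user name and names that do not exist.

```python
"""Model of the unauth-bind decision from the LDAP profile entry above.
Added example, not FortiMail code. The server is a constructed stand-in that,
like Active Directory by default, reports success for a bind with a non-empty
name and an empty password (an unauthenticated bind)."""

# Constructed accounts held by the stand-in server: user name -> password.
ACCOUNTS = {"alice@example.com": "correct horse battery", "bob@example.com": "hunter2"}


def server_bind(username, password, allows_unauth_bind=True):
    """Stand-in for the back-end LDAP server's simple bind result."""
    if username and password == "" and allows_unauth_bind:
        return True  # unauthenticated bind: accepted whatever the account is
    return ACCOUNTS.get(username) == password


def server_user_exists(username):
    """Stand-in for the user query that checks the account exists."""
    return username in ACCOUNTS


def gateway_authenticate(username, password, unauth_bind=False, allows_unauth_bind=True):
    """Gateway decision as the entry describes it: an empty user name is always
    refused; an empty password is refused unless the profile has unauth-bind
    enabled, in which case the request is forwarded and succeeds only if the
    server accepts it and the user exists."""
    if username == "":
        return False
    if password == "":
        if not unauth_bind:
            return False
        return server_user_exists(username) and server_bind(username, "", allows_unauth_bind)
    return server_bind(username, password, allows_unauth_bind)


def empty_password_logins(unauth_bind):
    """Which of a set of probe names gets in with an empty password."""
    probes = ["alice@example.com", "bob@example.com", "mallory@example.com", ""]
    return [u for u in probes if gateway_authenticate(u, "", unauth_bind=unauth_bind)]
```

empty_password_logins(False) is empty; empty_password_logins(True) returns every real account name. Any code that proxies binds to a directory (a webmail front end, a VPN portal, a custom LDAP authentication module) needs the same empty-password refusal unless it is deliberately scoped the way this entry describes.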
Email address mapping
Address mappings are bidirectional, one-to-one or many-to-many mappings. They can be useful when:
- you want to hide a protected domain’s true email addresses from recipients
- a mail domain’s domain name is not globally DNS-resolvable, and you want to replace the domain name with one that is
- you want to rewrite email addresses
Like aliases, address mappings translate email addresses. They do not translate many email addresses into a single email address. However, unlike aliases:
- Mappings cannot translate one email address into many.
- Mappings cannot translate an email address into one that belongs to an unprotected domain (this restriction applies to locally defined address mappings only; it is not enforced for mappings defined on an LDAP server).
- Mappings are applied bidirectionally, when an email is outgoing as well as when it is incoming to the protected domain.
- Mappings may affect both sender and recipient email addresses, and may affect those email addresses in both the message envelope and the message header, depending on the match condition.
The following table illustrates the sequence in which parts of each email are compared with address mappings for a match, and which locations' email addresses are translated if a match is found.

Match evaluation and rewrite behavior for email address mappings:
Order of evaluation | Match condition | If yes... | Rewrite to... |
---|---|---|---|
1 | Does the envelope recipient (RCPT TO:) match an external email address? | Replace the envelope recipient; the message header (To:) is not changed | Internal email address |
2 | Does the envelope sender (MAIL FROM:) match an internal email address? | For each of the following, if it matches an internal email address, replace it: the envelope sender (MAIL FROM:) and the message headers that carry the sender address (From:, etc.) | External email address |
For example, you could create an address mapping between the internal email address user1@marketing.example.net and the external email address sales@example.com. The following effects would be observable in the simplest case of an outgoing email and an incoming reply:
- For email from user1@marketing.example.net to others: user1@marketing.example.net in both the message envelope (MAIL FROM:) and many message headers (From:, etc.) would be replaced with sales@example.com. Recipients would only be aware of the email address sales@example.com.
- For email to sales@example.com from others: The recipient address in the message envelope (RCPT TO:), but not the message header (To:), would be replaced with user1@marketing.example.net. user1@marketing.example.net would be aware that the sender had originally sent the email to the mapped address, sales@example.com.
Alternatively, you can configure an LDAP profile to query for email address mappings.
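The following is an added worked implementation of the evaluation order in the table above (not FortiMail code), run over the page's example mapping between user1@marketing.example.net and sales@example.com. The two messages are constructed; the set of sender headers rewritten in step 2 is an assumption, since the page only says "From:, etc."; and the mapping list is checked so that no address appears in two pairs, since a mapping cannot translate one address into many.

```python
"""Address-mapping rewrite order from the table above, as an added example (not
FortiMail code). A message is a dict holding the SMTP envelope and a list of
[name, value] headers; the mapping list and the messages are constructed."""
import re

# (internal address, external address): the page's own example pair.
MAPPINGS = [("user1@marketing.example.net", "sales@example.com")]

# Assumption: the headers rewritten when the envelope sender matches an internal
# address. The page says "From:, etc." without listing them.
SENDER_HEADERS = ("from", "sender", "reply-to")


def check_mappings(mappings):
    """An address that appears in two pairs would turn one address into many,
    which the page rules out; refuse such a list instead of rewriting ambiguously."""
    seen = set()
    for internal, external in mappings:
        for addr in (internal.lower(), external.lower()):
            if addr in seen:
                raise ValueError("address %s appears in more than one mapping" % addr)
            seen.add(addr)
    return True


def _replace_address(text, old, new):
    # Replace a bare address or one inside angle brackets, case-insensitively,
    # without touching addresses that merely contain it as a substring.
    return re.sub(r"(?<![\w.+-])" + re.escape(old) + r"(?![\w.-])", new, text, flags=re.I)


def apply_address_mappings(message, mappings=MAPPINGS):
    """Return (rewritten copy, list of (location, old, new)) following the
    evaluation order: envelope recipient first, then envelope sender."""
    check_mappings(mappings)
    ext_to_int = {external.lower(): internal for internal, external in mappings}
    int_to_ext = {internal.lower(): external for internal, external in mappings}
    out = {"mail_from": message["mail_from"], "rcpt_to": list(message["rcpt_to"]),
           "headers": [list(h) for h in message["headers"]]}
    changes = []

    # 1. Envelope recipient matches an external address: rewrite the envelope
    #    only; the To: header keeps the address the sender used.
    for i, rcpt in enumerate(out["rcpt_to"]):
        internal = ext_to_int.get(rcpt.lower())
        if internal:
            changes.append(("RCPT TO", rcpt, internal))
            out["rcpt_to"][i] = internal

    # 2. Envelope sender matches an internal address: rewrite the envelope and
    #    the sender headers that carry that address.
    internal = out["mail_from"]
    external = int_to_ext.get(internal.lower())
    if external:
        changes.append(("MAIL FROM", internal, external))
        out["mail_from"] = external
        for header in out["headers"]:
            if header[0].lower() in SENDER_HEADERS:
                new_value = _replace_address(header[1], internal, external)
                if new_value != header[1]:
                    changes.append((header[0], header[1], new_value))
                    header[1] = new_value
    return out, changes


# Constructed messages: the outgoing email and the incoming reply from the page's example.
OUTGOING = {"mail_from": "user1@marketing.example.net", "rcpt_to": ["friend@elsewhere.example"],
            "headers": [["From", "User One <user1@marketing.example.net>"],
                        ["To", "friend@elsewhere.example"], ["Subject", "hello"]]}
INCOMING = {"mail_from": "friend@elsewhere.example", "rcpt_to": ["sales@example.com"],
            "headers": [["From", "friend@elsewhere.example"], ["To", "sales@example.com"],
                        ["Subject", "Re: hello"]]}

if __name__ == "__main__":
    for msg in (OUTGOING, INCOMING):
        rewritten, changes = apply_address_mappings(msg)
        print(rewritten["mail_from"], rewritten["rcpt_to"], rewritten["headers"], changes)
```

For OUTGOING the envelope sender and the From: header become sales@example.com while To: is untouched; for INCOMING only the envelope recipient becomes user1@marketing.example.net, and the To: header still shows sales@example.com, which is exactly the observable behavior the example describes.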