config profile ldap
Use this command to configure LDAP profiles which can query LDAP servers for authentication.
Before using an LDAP profile, verify each LDAP query and connectivity with your LDAP server.
Each LDAP profile contains queries that retrieve configuration data from an LDAP server, such as user groups.
Syntax
```
config profile ldap
  edit <profile_name>
    set auth-bind-dn {cnid | none | searchuser | upn}
    set authstate {enable | disable}
    set base-dn <basedn_str>
    set bind-dn <binddn_str>
    set bind-password <bindpw_str>
    set cache-state {enable | disable}
    set cache-ttl <ttl_int>
    set cnid-name <cnid_str>
    set dereferencing {never | always | search | find}
    set fallback-port <port_int>
    set fallback-server {<fqdn_str> | <server_ipv4>}
    set port <port_int>
    set query <query_str>
    set scope {base | one | sub}
    set secure {none | ssl}
    set server <name_str>
    set timeout <timeout_int>
    set unauth-bind {enable | disable}
    set upn-suffix <upns_str>
    set version {ver2 | ver3}
  end
```
| Variable | Description | Default |
|---|---|---|
| `<profile_name>` | Name of the LDAP profile. | |
| `auth-bind-dn {cnid \| none \| searchuser \| upn}` | | |
| `authstate {enable \| disable}` | Enable to perform user authentication queries. | |
| `base-dn <basedn_str>` | The DN of the part of the LDAP directory tree where FortiNDR searches for user objects, such as User objects must be child nodes of this location. | |
| `bind-dn <binddn_str>` | The bind DN of an LDAP user account with permissions to query the This command is optional if your LDAP server does not require FortiNDR to authenticate when performing queries and you have enabled | |
| `bind-password <bindpw_str>` | The password of | |
| `cache-state {enable \| disable}` | Enable to cache LDAP query results. Caching LDAP queries can reduce LDAP network traffic when there are frequent queries for information that does not change. However, caching might cause a delay between the time you update LDAP directory information and the time FortiNDR begins using that new information. If you enable this option but queries are not cached, check the TTL value. A TTL value of 0 effectively disables caching. | |
| `cache-ttl <ttl_int>` | The amount of time, in minutes, that FortiNDR caches query results. After the time has elapsed, cached results expire and subsequent requests for that information require FortiNDR to query the LDAP server and refresh the cache. The default TTL value is 1440 minutes (one day). The maximum is 10080 minutes (one week). A value of 0 effectively disables caching. | 1440 |
| `cnid-name <cnid_str>` | Name of the user objects' common name attribute, such as | |
| `dereferencing {never \| always \| search \| find}` | Method of de-referencing attributes whose values are references. | |
| `fallback-port <port_int>` | If you have configured a backup LDAP server that listens on a nonstandard port, enter the TCP port number. The standard port for LDAP is 389. The standard port for SSL-secured LDAP is 636. If | |
| `fallback-server {<fqdn_str> \| <server_ipv4>}` | The FQDN or IP address of the backup LDAP server. If there is no fallback server, enter an empty string (''). | |
| `port <port_int>` | If you have configured a backup LDAP server that listens on a nonstandard port, enter the TCP port number. The standard port for LDAP is 389. The standard port for SSL-secured LDAP is 636. | |
| `query <query_str>` | An LDAP query filter, enclosed in single quotes ('), that selects a set of user objects from the LDAP directory. The query filter string filters the result set based on attributes common to all user objects and excludes non-user objects. For example, if user objects in your directory have two characteristics, the (& (objectClass=inetOrgPerson) (mail=$m)) where This command applies to user-defined schema only. For details on query syntax, see any standard LDAP query filter reference manual. | |
| `scope {base \| one \| sub}` | The level of depth to query: | |
| `secure {none \| ssl}` | Whether to connect to LDAP servers using an encrypted connection: | |
| `server <name_str>` | The FQDN or IP address of the LDAP server. | |
| `timeout <timeout_int>` | The maximum length of time, in seconds, that FortiNDR waits for query responses from the LDAP server. | |
| `unauth-bind {enable \| disable}` | Enable to perform queries in this profile without supplying a bind DN and password for the directory search. Many LDAP servers require LDAP queries to be authenticated using a bind DN and password. If your LDAP server does not require FortiNDR to authenticate before performing queries, you might enable this option. If this option is disabled, you must configure | |
| `upn-suffix <upns_str>` | If you want to use a UPN other than the mail domain, enter that UPN. This is useful if users authenticate with a domain other than the mail server's principal domain name. | |
| `version {ver2 \| ver3}` | The protocol version used to communicate with the LDAP server. | |
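The page advises verifying each query and the profile settings before use. The following added example (not FortiNDR's own code) shows the two checks a reviewer would script: expanding the `$m` placeholder in the `query` filter with RFC 4515 escaping, so a user-supplied mail address cannot alter the filter's structure, and a consistency pass over the profile values the table describes (TTL range, `secure`/`port` mismatch, `unauth-bind` versus `bind-dn`, `fallback-port` without `fallback-server`). The `profile` dict keys mirror the CLI names and are an assumption of this example.

```python
from typing import Dict, List

# RFC 4515 escaping for a value substituted into an LDAP search filter.
# Without it, a crafted mail address could change the filter's meaning.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside filter values."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_query(query: str, mail: str) -> str:
    """Expand the profile's query filter, replacing $m with the escaped mail address."""
    return query.replace("$m", escape_filter_value(mail))


def balanced(filter_str: str) -> bool:
    """Cheap sanity check: every '(' in the filter has a matching ')'."""
    depth = 0
    for ch in filter_str:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


def validate_profile(profile: Dict[str, object]) -> List[str]:
    """Return problems found in a profile dict whose keys follow the CLI names (assumed)."""
    problems: List[str] = []
    ttl = int(profile.get("cache-ttl", 1440))  # page states 1440 as the default
    if not 0 <= ttl <= 10080:
        problems.append("cache-ttl must be between 0 and 10080 minutes")
    elif profile.get("cache-state") == "enable" and ttl == 0:
        problems.append("cache-state is enabled but cache-ttl 0 disables caching")
    secure, port = profile.get("secure", "none"), int(profile.get("port", 389))
    if secure == "none" and port == 636:
        problems.append("port 636 is the SSL port but secure is none")
    if secure == "ssl" and port == 389:
        problems.append("secure is ssl but port 389 is the plaintext LDAP port")
    if profile.get("unauth-bind") != "enable" and not profile.get("bind-dn"):
        problems.append("unauth-bind is disabled but no bind-dn is configured")
    if profile.get("fallback-server", "") == "" and "fallback-port" in profile:
        problems.append("fallback-port set but fallback-server is empty")
    query = str(profile.get("query", ""))
    if query and not balanced(query):
        problems.append("query filter has unbalanced parentheses")
    return problems
```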