Fortinet white logo
Fortinet white logo

LDAP authentication

LDAP authentication

You can add, update, and delete LDAP authentication settings.

Add LDAP authentication settings

  1. Select ldap from the Auth Server Settings tree.
  2. Right-click in the LDAP authentication table and select Create New.
  3. Enter values in the relevant fields. See LDAP authentication fields.
  4. Select Save.

Update LDAP authentication settings

  1. Select ldap from the Auth Server Settings tree.
  2. Right-click an LDAP server and select Edit.
  3. Update the values that you want to change.
  4. Select Save.

Delete LDAP authentication settings

  1. Select ldap from the Auth Server Settings tree.
  2. Right-click an LDAP server and select Delete.
  3. Select Yes in the confirmation dialog box to delete the selected server.

LDAP authentication fields

The Create New user-ldap and Edit user-ldap forms contain the following fields:

Settings

Guidelines

Name

Required. The LDAP server name.

Account Key Filter

Account key filter, using the user principal name (UPN) as the search filter.

Account Key Processing

Account key processing operation, either to keep or to strip the domain string of the UPN in the token:

same—Same as the UPN.

strip—Strip the domain string from UPN.

CA-Cert

CA certificate name.

CN ID

Common name identifier for the LDAP server. The common name identifier for most LDAP servers is cn.

Distinguished Name

Required. Distinguished name used to look up entries on the LDAP server.

Group Filter

The filter used for group matching.

Group Member Check

Group member checking methods:

user-attr—User attribute checking.

group-object—Group object checking.

posix-group-object—POSIX group object checking.

Group Object Filter

The filter used for group searching.

Group Search Base

The search base used for group searching.

Member Attribute

The name of the attribute from which to get group membership.

Password

The password for initial binding.

Enable Password Expiry Warning

Enable or disable warnings before the password expires.

Password Renewal

Enable or disable online password renewal.

Port

The port to be used for communication with the LDAP server. The default is 389.

Secondary Server

The CN domain name or IP address of the secondary LDAP server.

Secure

The security protocol to be used for authentication:

starttls—Use StartTLS.

disable—No SSL.

ldaps—Use LDAPS.

Server

Required. The CN domain name or IP address of the LDAP server.

Server Identity Check

Enable or disable whether the server identity is checked.

IP

The source IPv4 address for communications to LDAP server.

SSL_MIN_Protocol Version

The minimum supported protocol version for SSL/TLS connections.

SSLv3—SSLv3.

default—Follow system global setting.

TLSv1—TLSv1.

TLSv1-2—TLSv1.2.
TLSv1-1—TLSv1.1.

Tertiary Server

The CN domain name or IP address of the tertiary LDAP server.

Type

Authentication type for LDAP searches:

anonymous—Bind using anonymous user search.

simple—Simple password authentication without search.

regular—Bind using user name and password and then search.

Username

User name (full DN) for initial binding.

LDAP authentication

LDAP authentication

You can add, update, and delete LDAP authentication settings.

Add LDAP authentication settings

  1. Select ldap from the Auth Server Settings tree.
  2. Right-click in the LDAP authentication table and select Create New.
  3. Enter values in the relevant fields. See LDAP authentication fields.
  4. Select Save.

Update LDAP authentication settings

  1. Select ldap from the Auth Server Settings tree.
  2. Right-click an LDAP server and select Edit.
  3. Update the values that you want to change.
  4. Select Save.

Delete LDAP authentication settings

  1. Select ldap from the Auth Server Settings tree.
  2. Right-click an LDAP server and select Delete.
  3. Select Yes in the confirmation dialog box to delete the selected server.

LDAP authentication fields

The Create New user-ldap and Edit user-ldap forms contain the following fields:

Settings

Guidelines

Name

Required. The LDAP server name.

Account Key Filter

Account key filter, using the user principal name (UPN) as the search filter.

Account Key Processing

Account key processing operation, either to keep or to strip the domain string of the UPN in the token:

same—Same as the UPN.

strip—Strip the domain string from UPN.

CA-Cert

CA certificate name.

CN ID

Common name identifier for the LDAP server. The common name identifier for most LDAP servers is cn.

Distinguished Name

Required. Distinguished name used to look up entries on the LDAP server.

Group Filter

The filter used for group matching.

Group Member Check

Group member checking methods:

user-attr—User attribute checking.

group-object—Group object checking.

posix-group-object—POSIX group object checking.

Group Object Filter

The filter used for group searching.

Group Search Base

The search base used for group searching.

Member Attribute

The name of the attribute from which to get group membership.

Password

The password for initial binding.

Enable Password Expiry Warning

Enable or disable warnings before the password expires.

Password Renewal

Enable or disable online password renewal.

Port

The port to be used for communication with the LDAP server. The default is 389.

Secondary Server

The CN domain name or IP address of the secondary LDAP server.

Secure

The security protocol to be used for authentication:

starttls—Use StartTLS.

disable—No SSL.

ldaps—Use LDAPS.

Server

Required. The CN domain name or IP address of the LDAP server.

Server Identity Check

Enable or disable whether the server identity is checked.

IP

The source IPv4 address for communications to LDAP server.

SSL_MIN_Protocol Version

The minimum supported protocol version for SSL/TLS connections.

SSLv3—SSLv3.

default—Follow system global setting.

TLSv1—TLSv1.

TLSv1-2—TLSv1.2.
TLSv1-1—TLSv1.1.

Tertiary Server

The CN domain name or IP address of the tertiary LDAP server.

Type

Authentication type for LDAP searches:

anonymous—Bind using anonymous user search.

simple—Simple password authentication without search.

regular—Bind using user name and password and then search.

Username

User name (full DN) for initial binding.