user ldap-user
Use this command to configure queries that can be used for remote authentication of either FortiWeb administrators or end users via an LDAP server.
To apply LDAP queries to end users, select a query in a user group that is then selected within an authentication rule, which is in turn selected within an authentication policy, which is ultimately selected within an inline protection profile used for web protection. For details, see user user-group.
To apply LDAP queries to administrators, select a query in an admin group and reference that group in a system administrator configuration. For details, see user admin-usergrp.
To use this command, your administrator account’s access control profile must have either w or rw permission to the authusergrp area. For details, see Permissions.
Syntax
config user ldap-user
  edit "<ldap-query_name>"
    set bind-type {anonymous | simple | regular}
    set common-name-id "<cn-attribute_str>"
    set distinguished-name "<search-dn_str>"
    set filter "<query-filter_str>"
    set group_authentication {enable | disable}
    set group_dn "<group-dn_str>"
    set group-type {edirectory | open-ldap | windows-ad}
    set password "<bind-password_str>"
    set port <port_int>
    set protocol {ldaps | starttls}
    set server "<ldap_ipv4_domain>"
    set ssl-connection {enable | disable}
    set username "<bind-dn_str>"
  next
end
Variable | Description | Default |
"<ldap-query_name>" | Enter the name of the LDAP user query. The maximum length is 63 characters. To display the list of existing queries, enter: | No default. |
bind-type {anonymous | simple | regular} | Select one of the following LDAP query binding styles: | simple |
common-name-id "<cn-attribute_str>" | Enter the identifier, often Identifiers may vary by your LDAP directory’s schema. | No default. |
distinguished-name "<search-dn_str>" | Enter the distinguished name (DN), such as ou=People,dc=example,dc=com, that, when prefixed with the common name, forms the full path in the directory to user account objects. The maximum length is 256 characters. | No default. |
filter "<query-filter_str>" | Enter an LDAP query filter string, if any, that will be used to filter out results from the query’s results based upon any attribute in the record set. The maximum length is 256 characters. This option is valid only when bind-type {anonymous | simple | regular} is | No default. |
group_authentication {enable | disable} | Enable to only include users that are members of an LDAP group. Also configure group-type {edirectory | open-ldap | windows-ad} and group_dn "<group-dn_str>". This option is valid only when bind-type {anonymous | simple | regular} is | enable |
group_dn "<group-dn_str>" | Enter the distinguished name of the LDAP user group, such as This option is valid only when group_authentication {enable | disable} is enabled. | No default. |
group-type {edirectory | open-ldap | windows-ad} | Select the schema that matches your server’s LDAP directory. Group membership attributes may have different names depending on the LDAP directory’s schema. The FortiWeb appliance will use the group membership attribute that matches your directory’s schema when querying the group DN. This option is valid only when group_authentication {enable | disable} is enabled. | open-ldap |
password "<bind-password_str>" | Enter the password of the username "<bind-dn_str>". The maximum length is 63 characters. This field may be optional if your LDAP server does not require the FortiWeb appliance to authenticate when performing queries, and does not appear if bind-type {anonymous | simple | regular} is | No default. |
port <port_int> | Enter the port number where the LDAP server listens. The valid range is 1–65535. The default port number varies by your selection in ssl-connection {enable | disable}; port 389 is typically used for non-secure connections or for STARTTLS-secured connections, and port 636 is typically used for SSL-secured (LDAPS) connections. | 389 |
protocol {ldaps | starttls} | Select whether to secure the LDAP query using LDAPS or STARTTLS. You may need to reconfigure port <port_int> to correspond to the change in protocol. This field is applicable only if ssl-connection {enable | disable} is | ldaps |
server "<ldap_ipv4_domain>" | Type the server IP or domain address of the LDAP server. | 0.0.0.0 |
ssl-connection {enable | disable} | Enable to connect to the LDAP servers using an encrypted connection, then select the style of the encryption in protocol {ldaps | starttls}. | enable |
username "<bind-dn_str>" | Enter the bind DN, such as This field may be optional if your LDAP server does not require the FortiWeb appliance to authenticate when performing queries, and does not appear if bind-type {anonymous | simple | regular} is | No default. |
Example
This example configures an LDAP user query to the server at 192.0.2.100 on port 389. SSL and TLS are disabled. To bind the query, the FortiWeb appliance will use the bind DN cn=Manager,dc=example,dc=com, whose password is mySecretPassword. Once connected and bound, the query will search for user objects in ou=People,dc=example,dc=com, comparing the user name supplied by the HTTP client to the value of each object’s cn attribute. Group authentication is disabled.
config user ldap-user
  edit "ldap-user1"
    set server "192.0.2.100"
    set ssl-connection disable
    set port 389
    set common-name-id "cn"
    set distinguished-name "ou=People,dc=example,dc=com"
    set bind-type regular
    set username "cn=Manager,dc=example,dc=com"
    set password "mySecretPassword"
    set group-authentication disable
  next
end
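The following offline check reads a config user ldap-user block and reports the transport and group settings described in the table above, using the page's example query as input. It is an added example, not Fortinet code: the function names, the finding labels and the MISMATCH sample are constructed here, and the port check is only applied when a port is set explicitly.

```python
import re

# The page's example query, abridged: plain LDAP on 389, group check off.
PAGE_EXAMPLE = """config user ldap-user
edit "ldap-user1"
set server "192.0.2.100"
set ssl-connection disable
set port 389
set group-authentication disable
next
end"""

# Constructed sample: LDAPS selected but the port explicitly left at 389.
MISMATCH = """config user ldap-user
edit "ldap-user2"
set ssl-connection enable
set protocol ldaps
set port 389
next
end"""

# Table defaults; port is omitted because its default varies with ssl-connection.
DEFAULTS = {"ssl-connection": "enable", "protocol": "ldaps",
            "group-authentication": "enable"}

def parse_queries(text):
    """Return {query_name: settings} with the table defaults filled in."""
    queries, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r'edit\s+"?([^"]+)"?$', line):
            current = queries.setdefault(m.group(1), dict(DEFAULTS))
        elif line == "next":
            current = None
        elif current is not None and (m := re.match(r'set\s+(\S+)\s+"?(.*?)"?$', line)):
            # The page spells one key with both "_" and "-"; normalise to "-".
            current[m.group(1).replace("_", "-")] = m.group(2)
    return queries

def audit(text):
    """Return (query, finding) pairs; finding labels are constructed here."""
    findings = []
    for name, cfg in parse_queries(text).items():
        if cfg["ssl-connection"] != "enable":
            findings.append((name, "cleartext-ldap"))  # no LDAPS or STARTTLS
        elif (cfg["protocol"], cfg.get("port")) in {("ldaps", "389"), ("starttls", "636")}:
            findings.append((name, "port-protocol-mismatch"))  # see port row
        if cfg["group-authentication"] != "enable":
            findings.append((name, "no-group-restriction"))  # not limited to a group
    return findings
```

Run against the page's example, audit() reports cleartext-ldap and no-group-restriction for ldap-user1; changing the MISMATCH sample's port to 636 clears its finding.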