Fortinet black logo

CLI Reference

user ldap-user

user ldap-user

Use this command to configure queries that can be used for remote authentication of either FortiWeb administrators or end users via an LDAP server.

To apply LDAP queries to end users, select a query in a user group that is then selected within an authentication rule, which is in turn selected within an authentication policy, which is ultimately selected within an inline protection profile used for web protection. For details, see user user-group.

To apply LDAP queries to administrators, select a query in an admin group and reference that group in a system administrator configuration. For details, see user admin-usergrp.

To use this command, your administrator account’s access control profile must have either w or rw permission to the authusergrp area. For details, see Permissions.

Syntax

config user ldap-user

edit "<ldap-query_name>"

set bind-type {anonymous | simple | regular}

set common-name-id "<cn-attribute_str>"

set distinguished-name "<search-dn_str>"

set filter "<query-filter_str>"

set group_authentication {enable | disable}

set group_dn "<group-dn_str>"

set group-type {edirectory | open-ldap | windows-ad}

set password "<bind-password_str>"

set port <port_int>

set protocol {ldaps | starttls}

set server "<ldap_ipv4_domain>"

set ssl-connection {enable | disable}

set username "<bind-dn_str>"

next

end


Variable Description Default

"<ldap-query_name>"

Enter the name of the LDAP user query. The maximum length is 63 characters.

To display the list of existing queries, enter:

edit ?

No default.

bind-type {anonymous | simple | regular}

Select one of the following LDAP query binding styles:

simple

common-name-id "<cn-attribute_str>"

Enter the identifier, often cn, for the common name (CN) attribute whose value is the user name. The maximum length is 63 characters.

Identifiers may vary by your LDAP directory’s schema.

No default.

distinguished-name "<search-dn_str>"

Enter the distinguished name (DN) such as ou=People,dc=example,dc=com, that, when prefixed with the common name, forms the full path in the directory to user account objects. The maximum length is 256 characters. No default.

filter "<query-filter_str>"

Enter an LDAP query filter string, if any, that will be used to filter out results from the query’s results based upon any attribute in the record set. The maximum length is 256 characters.

This option is valid only when bind-type {anonymous | simple | regular} is regular.

No default.

group_authentication {enable | disable}

Enable to only include users that are members of an LDAP group. Also configure group-type {edirectory | open-ldap | windows-ad} and group_dn "<group-dn_str>".

This option is valid only when bind-type {anonymous | simple | regular} is regular.

enable

group_dn "<group-dn_str>"

Enter the distinguished name of the LDAP user group, such as ou=Groups,dc=example,dc=com. The maximum length is 256 characters.

This option is valid only when group_authentication {enable | disable} is enabled.

No default.

group-type {edirectory | open-ldap | windows-ad}

Select the schema that matches your server’s LDAP directory.

Group membership attributes may have different names depending on an LDAP directory schemas. The FortiWeb appliance will use the group membership attribute that matches your directory’s schema when querying the group DN.

This option is valid only when group_authentication {enable | disable} is enabled.

open-ldap

password "<bind-password_str>"

Enter the password of the username "<bind-dn_str>". The maximum length is 63 characters.

This field may be optional if your LDAP server does not require the FortiWeb appliance to authenticate when performing queries, and does not appear if bind-type {anonymous | simple | regular} is anonymous or simple.

No default.

port <port_int>

Enter the port number where the LDAP server listens. The valid range is 1–65535.

The default port number varies by your selection in ssl-connection {enable | disable}; port 389 is typically used for non-secure connections or for STARTTLS-secured connections, and port 636 is typically used for SSL-secured (LDAPS) connections.

389

protocol {ldaps | starttls}

Select whether to secure the LDAP query using LDAPS or STARTTLS. You may need to reconfigure port <port_int> to correspond to the change in protocol.

This field is applicable only if ssl-connection {enable | disable} is enable.

ldaps

server "<ldap_ipv4_domain>"

Type the server IP or domain address of the LDAP server. 0.0.0.0

ssl-connection {enable | disable}

Enable to connect to the LDAP servers using an encrypted connection, then select the style of the encryption in protocol {ldaps | starttls}. enable

username "<bind-dn_str>"

Enter the bind DN, such as cn=FortiWebA,dc=example,dc=com, of an LDAP user account with permissions to query the distinguished-name "<search-dn_str>". The maximum length is 256 characters.

This field may be optional if your LDAP server does not require the FortiWeb appliance to authenticate when performing queries, and does not appear if bind-type {anonymous | simple | regular} is anonymous or simple.

No default.

Example

This example configures an LDAP user query to the server at 192.0.2.100 on port 389. SSL and TLS are disabled. To bind the query, the FortiWeb appliance will use the bind DN cn=Manager,dc=example,dc=com, whose password is mySecretPassword. Once connected and bound, the query for search for user objects in ou=People,dc=example,dc=com, comparing the user name supplied by the HTTP client to the value of each object’s cn attribute. Group authentication is disabled.

config user ldap-user

edit "ldap-user1"

set server "192.0.2.100"

set ssl-connection disable

set port 389

set common-name-id "cn"

set distinguished-name "ou=People,dc=example,dc=com"

set bind-type regular

set username "cn=Manager,dc=example,dc=com"

set password "mySecretPassword"

set group-authentication disable

next

end

Related topics

user ldap-user

Use this command to configure queries that can be used for remote authentication of either FortiWeb administrators or end users via an LDAP server.

To apply LDAP queries to end users, select a query in a user group that is then selected within an authentication rule, which is in turn selected within an authentication policy, which is ultimately selected within an inline protection profile used for web protection. For details, see user user-group.

To apply LDAP queries to administrators, select a query in an admin group and reference that group in a system administrator configuration. For details, see user admin-usergrp.

To use this command, your administrator account’s access control profile must have either w or rw permission to the authusergrp area. For details, see Permissions.

Syntax

config user ldap-user

edit "<ldap-query_name>"

set bind-type {anonymous | simple | regular}

set common-name-id "<cn-attribute_str>"

set distinguished-name "<search-dn_str>"

set filter "<query-filter_str>"

set group_authentication {enable | disable}

set group_dn "<group-dn_str>"

set group-type {edirectory | open-ldap | windows-ad}

set password "<bind-password_str>"

set port <port_int>

set protocol {ldaps | starttls}

set server "<ldap_ipv4_domain>"

set ssl-connection {enable | disable}

set username "<bind-dn_str>"

next

end


Variable Description Default

"<ldap-query_name>"

Enter the name of the LDAP user query. The maximum length is 63 characters.

To display the list of existing queries, enter:

edit ?

No default.

bind-type {anonymous | simple | regular}

Select one of the following LDAP query binding styles:

simple

common-name-id "<cn-attribute_str>"

Enter the identifier, often cn, for the common name (CN) attribute whose value is the user name. The maximum length is 63 characters.

Identifiers may vary by your LDAP directory’s schema.

No default.

distinguished-name "<search-dn_str>"

Enter the distinguished name (DN) such as ou=People,dc=example,dc=com, that, when prefixed with the common name, forms the full path in the directory to user account objects. The maximum length is 256 characters. No default.

filter "<query-filter_str>"

Enter an LDAP query filter string, if any, that will be used to filter out results from the query’s results based upon any attribute in the record set. The maximum length is 256 characters.

This option is valid only when bind-type {anonymous | simple | regular} is regular.

No default.

group_authentication {enable | disable}

Enable to only include users that are members of an LDAP group. Also configure group-type {edirectory | open-ldap | windows-ad} and group_dn "<group-dn_str>".

This option is valid only when bind-type {anonymous | simple | regular} is regular.

enable

group_dn "<group-dn_str>"

Enter the distinguished name of the LDAP user group, such as ou=Groups,dc=example,dc=com. The maximum length is 256 characters.

This option is valid only when group_authentication {enable | disable} is enabled.

No default.

group-type {edirectory | open-ldap | windows-ad}

Select the schema that matches your server’s LDAP directory.

Group membership attributes may have different names depending on an LDAP directory schemas. The FortiWeb appliance will use the group membership attribute that matches your directory’s schema when querying the group DN.

This option is valid only when group_authentication {enable | disable} is enabled.

open-ldap

password "<bind-password_str>"

Enter the password of the username "<bind-dn_str>". The maximum length is 63 characters.

This field may be optional if your LDAP server does not require the FortiWeb appliance to authenticate when performing queries, and does not appear if bind-type {anonymous | simple | regular} is anonymous or simple.

No default.

port <port_int>

Enter the port number where the LDAP server listens. The valid range is 1–65535.

The default port number varies by your selection in ssl-connection {enable | disable}; port 389 is typically used for non-secure connections or for STARTTLS-secured connections, and port 636 is typically used for SSL-secured (LDAPS) connections.

389

protocol {ldaps | starttls}

Select whether to secure the LDAP query using LDAPS or STARTTLS. You may need to reconfigure port <port_int> to correspond to the change in protocol.

This field is applicable only if ssl-connection {enable | disable} is enable.

ldaps

server "<ldap_ipv4_domain>"

Type the server IP or domain address of the LDAP server. 0.0.0.0

ssl-connection {enable | disable}

Enable to connect to the LDAP servers using an encrypted connection, then select the style of the encryption in protocol {ldaps | starttls}. enable

username "<bind-dn_str>"

Enter the bind DN, such as cn=FortiWebA,dc=example,dc=com, of an LDAP user account with permissions to query the distinguished-name "<search-dn_str>". The maximum length is 256 characters.

This field may be optional if your LDAP server does not require the FortiWeb appliance to authenticate when performing queries, and does not appear if bind-type {anonymous | simple | regular} is anonymous or simple.

No default.

Example

This example configures an LDAP user query to the server at 192.0.2.100 on port 389. SSL and TLS are disabled. To bind the query, the FortiWeb appliance will use the bind DN cn=Manager,dc=example,dc=com, whose password is mySecretPassword. Once connected and bound, the query for search for user objects in ou=People,dc=example,dc=com, comparing the user name supplied by the HTTP client to the value of each object’s cn attribute. Group authentication is disabled.

config user ldap-user

edit "ldap-user1"

set server "192.0.2.100"

set ssl-connection disable

set port 389

set common-name-id "cn"

set distinguished-name "ou=People,dc=example,dc=com"

set bind-type regular

set username "cn=Manager,dc=example,dc=com"

set password "mySecretPassword"

set group-authentication disable

next

end

Related topics