Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiWeb 7.2.4 CLI Reference
    7.2.4
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0

    user ldap-user

    user ldap-user

    Use this command to configure queries that can be used for remote authentication of either FortiWeb administrators or end users via an LDAP server.

    To apply LDAP queries to end users, select a query in a user group that is then selected within an authentication rule, which is in turn selected within an authentication policy, which is ultimately selected within an inline protection profile used for web protection. For details, see user user-group.

    To apply LDAP queries to administrators, select a query in an admin group and reference that group in a system administrator configuration. For details, see user admin-usergrp.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the authusergrp area. For details, see Permissions.

    Syntax

    config user ldap-user

    edit "<ldap-query_name>"

    set bind-type {anonymous | simple | regular}

    set common-name-id "<cn-attribute_str>"

    set distinguished-name "<search-dn_str>"

    set filter "<query-filter_str>"

    set group_authentication {enable | disable}

    set group_dn "<group-dn_str>"

    set group-type {edirectory | open-ldap | windows-ad}

    set password "<bind-password_str>"

    set port <port_int>

    set protocol {ldaps | starttls}

    set server "<ldap_ipv4_domain>"

    set ssl-connection {enable | disable}

    set ca-cert <ca_name>

    set username "<bind-dn_str>"

    next

    end


    Variable Description Default

    "<ldap-query_name>"

    Enter the name of the LDAP user query. The maximum length is 63 characters.

    To display the list of existing queries, enter:

    edit ?

    		No default.

    bind-type {anonymous | simple | regular}

    Select one of the following LDAP query binding styles:

    		 simple

    common-name-id "<cn-attribute_str>"

    Enter the identifier, often cn, for the common name (CN) attribute whose value is the user name. The maximum length is 63 characters.

    Identifiers may vary by your LDAP directory’s schema.

    		 No default.

    distinguished-name "<search-dn_str>"

    		 Enter the distinguished name (DN) such as ou=People,dc=example,dc=com, that, when prefixed with the common name, forms the full path in the directory to user account objects. The maximum length is 256 characters. No default.

    filter "<query-filter_str>"

    Enter an LDAP query filter string, if any, that will be used to filter out results from the query’s results based upon any attribute in the record set. The maximum length is 256 characters.

    This option is valid only when bind-type {anonymous | simple | regular} is regular.

    		 No default.

    group_authentication {enable | disable}

    Enable to only include users that are members of an LDAP group. Also configure group-type {edirectory | open-ldap | windows-ad} and group_dn "<group-dn_str>".

    This option is valid only when bind-type {anonymous | simple | regular} is regular.

    		 enable

    group_dn "<group-dn_str>"

    Enter the distinguished name of the LDAP user group, such as ou=Groups,dc=example,dc=com. The maximum length is 256 characters.

    This option is valid only when group_authentication {enable | disable} is enabled.

    		 No default.

    group-type {edirectory | open-ldap | windows-ad}

    Select the schema that matches your server’s LDAP directory.

    Group membership attributes may have different names depending on an LDAP directory schemas. The FortiWeb appliance will use the group membership attribute that matches your directory’s schema when querying the group DN.

    This option is valid only when group_authentication {enable | disable} is enabled.

    		 open-ldap

    password "<bind-password_str>"

    Enter the password of the username "<bind-dn_str>". The maximum length is 63 characters.

    This field may be optional if your LDAP server does not require the FortiWeb appliance to authenticate when performing queries, and does not appear if bind-type {anonymous | simple | regular} is anonymous or simple.

    		 No default.

    port <port_int>

    Enter the port number where the LDAP server listens. The valid range is 1–65535.

    The default port number varies by your selection in ssl-connection {enable | disable}; port 389 is typically used for non-secure connections or for STARTTLS-secured connections, and port 636 is typically used for SSL-secured (LDAPS) connections.

    		 389

    protocol {ldaps | starttls}

    Select whether to secure the LDAP query using LDAPS or STARTTLS. You may need to reconfigure port <port_int> to correspond to the change in protocol.

    This field is applicable only if ssl-connection {enable | disable} is enable.

    		 ldaps

    server "<ldap_ipv4_domain>"

    		 Type the server IP or domain address of the LDAP server. 0.0.0.0

    ssl-connection {enable | disable}

    		 Enable to connect to the LDAP servers using an encrypted connection, then select the style of the encryption in protocol {ldaps | starttls}. enable

    ca-cert <ca_name>

    Enter the name of the certificate so the FortiWeb will only accept a certificate from the LDAP server that is signed by this CA.

    Only available when ssl-connection is enabled.

    No default.

    username "<bind-dn_str>"

    Enter the bind DN, such as cn=FortiWebA,dc=example,dc=com, of an LDAP user account with permissions to query the distinguished-name "<search-dn_str>". The maximum length is 256 characters.

    This field may be optional if your LDAP server does not require the FortiWeb appliance to authenticate when performing queries, and does not appear if bind-type {anonymous | simple | regular} is anonymous or simple.

    		 No default.

    Example

    This example configures an LDAP user query to the server at 192.0.2.100 on port 389. SSL and TLS are disabled. To bind the query, the FortiWeb appliance will use the bind DN cn=Manager,dc=example,dc=com, whose password is mySecretPassword. Once connected and bound, the query for search for user objects in ou=People,dc=example,dc=com, comparing the user name supplied by the HTTP client to the value of each object’s cn attribute. Group authentication is disabled.

    config user ldap-user

    edit "ldap-user1"

    set server "192.0.2.100"

    set ssl-connection disable

    set port 389

    set common-name-id "cn"

    set distinguished-name "ou=People,dc=example,dc=com"

    set bind-type regular

    set username "cn=Manager,dc=example,dc=com"

    set password "mySecretPassword"

    set group-authentication disable

    next

    end

    Related topics

    Previous
    Next

    user ldap-user

    user ldap-user

    Use this command to configure queries that can be used for remote authentication of either FortiWeb administrators or end users via an LDAP server.

    To apply LDAP queries to end users, select a query in a user group that is then selected within an authentication rule, which is in turn selected within an authentication policy, which is ultimately selected within an inline protection profile used for web protection. For details, see user user-group.

    To apply LDAP queries to administrators, select a query in an admin group and reference that group in a system administrator configuration. For details, see user admin-usergrp.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the authusergrp area. For details, see Permissions.

    Syntax

    config user ldap-user

    edit "<ldap-query_name>"

    set bind-type {anonymous | simple | regular}

    set common-name-id "<cn-attribute_str>"

    set distinguished-name "<search-dn_str>"

    set filter "<query-filter_str>"

    set group_authentication {enable | disable}

    set group_dn "<group-dn_str>"

    set group-type {edirectory | open-ldap | windows-ad}

    set password "<bind-password_str>"

    set port <port_int>

    set protocol {ldaps | starttls}

    set server "<ldap_ipv4_domain>"

    set ssl-connection {enable | disable}

    set ca-cert <ca_name>

    set username "<bind-dn_str>"

    next

    end


    Variable Description Default

    "<ldap-query_name>"

    Enter the name of the LDAP user query. The maximum length is 63 characters.

    To display the list of existing queries, enter:

    edit ?

    		No default.

    bind-type {anonymous | simple | regular}

    Select one of the following LDAP query binding styles:

    		 simple

    common-name-id "<cn-attribute_str>"

    Enter the identifier, often cn, for the common name (CN) attribute whose value is the user name. The maximum length is 63 characters.

    Identifiers may vary by your LDAP directory’s schema.

    		 No default.

    distinguished-name "<search-dn_str>"

    		 Enter the distinguished name (DN) such as ou=People,dc=example,dc=com, that, when prefixed with the common name, forms the full path in the directory to user account objects. The maximum length is 256 characters. No default.

    filter "<query-filter_str>"

    Enter an LDAP query filter string, if any, that will be used to filter out results from the query’s results based upon any attribute in the record set. The maximum length is 256 characters.

    This option is valid only when bind-type {anonymous | simple | regular} is regular.

    		 No default.

    group_authentication {enable | disable}

    Enable to only include users that are members of an LDAP group. Also configure group-type {edirectory | open-ldap | windows-ad} and group_dn "<group-dn_str>".

    This option is valid only when bind-type {anonymous | simple | regular} is regular.

    		 enable

    group_dn "<group-dn_str>"

    Enter the distinguished name of the LDAP user group, such as ou=Groups,dc=example,dc=com. The maximum length is 256 characters.

    This option is valid only when group_authentication {enable | disable} is enabled.

    		 No default.

    group-type {edirectory | open-ldap | windows-ad}

    Select the schema that matches your server’s LDAP directory.

    Group membership attributes may have different names depending on an LDAP directory schemas. The FortiWeb appliance will use the group membership attribute that matches your directory’s schema when querying the group DN.

    This option is valid only when group_authentication {enable | disable} is enabled.

    		 open-ldap

    password "<bind-password_str>"

    Enter the password of the username "<bind-dn_str>". The maximum length is 63 characters.

    This field may be optional if your LDAP server does not require the FortiWeb appliance to authenticate when performing queries, and does not appear if bind-type {anonymous | simple | regular} is anonymous or simple.

    		 No default.

    port <port_int>

    Enter the port number where the LDAP server listens. The valid range is 1–65535.

    The default port number varies by your selection in ssl-connection {enable | disable}; port 389 is typically used for non-secure connections or for STARTTLS-secured connections, and port 636 is typically used for SSL-secured (LDAPS) connections.

    		 389

    protocol {ldaps | starttls}

    Select whether to secure the LDAP query using LDAPS or STARTTLS. You may need to reconfigure port <port_int> to correspond to the change in protocol.

    This field is applicable only if ssl-connection {enable | disable} is enable.

    		 ldaps

    server "<ldap_ipv4_domain>"

    		 Type the server IP or domain address of the LDAP server. 0.0.0.0

    ssl-connection {enable | disable}

    		 Enable to connect to the LDAP servers using an encrypted connection, then select the style of the encryption in protocol {ldaps | starttls}. enable

    ca-cert <ca_name>

    Enter the name of the certificate so the FortiWeb will only accept a certificate from the LDAP server that is signed by this CA.

    Only available when ssl-connection is enabled.

    No default.

    username "<bind-dn_str>"

    Enter the bind DN, such as cn=FortiWebA,dc=example,dc=com, of an LDAP user account with permissions to query the distinguished-name "<search-dn_str>". The maximum length is 256 characters.

    This field may be optional if your LDAP server does not require the FortiWeb appliance to authenticate when performing queries, and does not appear if bind-type {anonymous | simple | regular} is anonymous or simple.

    		 No default.

    Example

    This example configures an LDAP user query to the server at 192.0.2.100 on port 389. SSL and TLS are disabled. To bind the query, the FortiWeb appliance will use the bind DN cn=Manager,dc=example,dc=com, whose password is mySecretPassword. Once connected and bound, the query for search for user objects in ou=People,dc=example,dc=com, comparing the user name supplied by the HTTP client to the value of each object’s cn attribute. Group authentication is disabled.

    config user ldap-user

    edit "ldap-user1"

    set server "192.0.2.100"

    set ssl-connection disable

    set port 389

    set common-name-id "cn"

    set distinguished-name "ou=People,dc=example,dc=com"

    set bind-type regular

    set username "cn=Manager,dc=example,dc=com"

    set password "mySecretPassword"

    set group-authentication disable

    next

    end

    Related topics

    Previous
    Next