config user ldap
Description: Configure LDAP server entries.
edit <name>
set server {string}
set secondary-server {string}
set tertiary-server {string}
set server-identity-check [enable|disable]
set source-ip {ipv4-address}
set cnid {string}
set dn {string}
set type [simple|anonymous|...]
set two-factor [disable|fortitoken-cloud]
set two-factor-authentication [fortitoken|email|...]
set two-factor-notification [email|sms]
set username {string}
set password {password}
set group-member-check [user-attr|group-object|...]
set group-search-base {string}
set group-object-filter {string}
set group-filter {string}
set secure [disable|starttls|...]
set ssl-min-proto-version [default|SSLv3|...]
set ca-cert {string}
set port {integer}
set password-expiry-warning [enable|disable]
set password-renewal [enable|disable]
set member-attr {string}
set account-key-processing [same|strip]
set account-key-filter {string}
set search-type {option1}, {option2}, ...
set obtain-user-info [enable|disable]
set user-info-exchange-server {string}
next
end
Parameter Name | Description | Type | Size |
---|---|---|---|
server | LDAP server CN domain name or IP. | string | Maximum length: 63 |
secondary-server | Secondary LDAP server CN domain name or IP. | string | Maximum length: 63 |
tertiary-server | Tertiary LDAP server CN domain name or IP. | string | Maximum length: 63 |
server-identity-check | Enable/disable LDAP server identity check (verify server domain name/IP address against the server certificate). enable: Enable server identity check. disable: Disable server identity check. |
option | - |
source-ip | Source IP for communications to LDAP server. | ipv4-address | Not Specified |
cnid | Common name identifier for the LDAP server. The common name identifier for most LDAP servers is "cn". | string | Maximum length: 20 |
dn | Distinguished name used to look up entries on the LDAP server. | string | Maximum length: 511 |
type | Authentication type for LDAP searches. simple: Simple password authentication without search. anonymous: Bind using anonymous user search. regular: Bind using username/password and then search. |
option | - |
two-factor | Enable/disable two-factor authentication. disable: disable two-factor authentication. fortitoken-cloud: FortiToken Cloud Service. |
option | - |
two-factor-authentication | Authentication method by FortiToken Cloud. fortitoken: FortiToken authentication. email: Email one time password. sms: SMS one time password. |
option | - |
two-factor-notification | Notification method for user activation by FortiToken Cloud. email: Email notification for activation code. sms: SMS notification for activation code. |
option | - |
username | Username (full DN) for initial binding. | string | Maximum length: 511 |
password | Password for initial binding. | password | Not Specified |
group-member-check | Group member checking methods. user-attr: User attribute checking. group-object: Group object checking. posix-group-object: POSIX group object checking. |
option | - |
group-search-base | Search base used for group searching. | string | Maximum length: 511 |
group-object-filter | Filter used for group searching. | string | Maximum length: 2047 |
group-filter | Filter used for group matching. | string | Maximum length: 2047 |
secure | Port to be used for authentication. disable: No SSL. starttls: Use StartTLS. ldaps: Use LDAPS. |
option | - |
ssl-min-proto-version | Minimum supported protocol version for SSL/TLS connections (default is to follow system global setting). default: Follow system global setting. SSLv3: SSLv3. TLSv1: TLSv1. TLSv1-1: TLSv1.1. TLSv1-2: TLSv1.2. |
option | - |
ca-cert | CA certificate name. | string | Maximum length: 79 |
port | Port to be used for communication with the LDAP server (default = 389). | integer | Minimum value: 1 Maximum value: 65535 |
password-expiry-warning | Enable/disable password expiry warnings. enable: Enable password expiry warnings. disable: Disable password expiry warnings. |
option | - |
password-renewal | Enable/disable online password renewal. enable: Enable online password renewal. disable: Disable online password renewal. |
option | - |
member-attr | Name of attribute from which to get group membership. | string | Maximum length: 63 |
account-key-processing | Account key processing operation, either keep or strip domain string of UPN in the token. same: Same as UPN. strip: Strip domain string from UPN. |
option | - |
account-key-filter | Account key filter, using the UPN as the search filter. | string | Maximum length: 2047 |
search-type | Search type. recursive: Recursively retrieve the user-group chain information of a user in a particular Microsoft AD domain. |
option | - |
obtain-user-info | Enable/disable obtaining of user information. enable: Enable obtaining of user information. disable: Disable obtaining of user information. |
option | - |
user-info-exchange-server | MS Exchange server from which to fetch user information. | string | Maximum length: 35 |
config user ldap
Description: Configure LDAP server entries.
edit <name>
set server {string}
set secondary-server {string}
set tertiary-server {string}
set server-identity-check [enable|disable]
set source-ip {ipv4-address}
set cnid {string}
set dn {string}
set type [simple|anonymous|...]
set two-factor [disable|fortitoken-cloud]
set two-factor-authentication [fortitoken|email|...]
set two-factor-notification [email|sms]
set username {string}
set password {password}
set group-member-check [user-attr|group-object|...]
set group-search-base {string}
set group-object-filter {string}
set group-filter {string}
set secure [disable|starttls|...]
set ssl-min-proto-version [default|SSLv3|...]
set ca-cert {string}
set port {integer}
set password-expiry-warning [enable|disable]
set password-renewal [enable|disable]
set member-attr {string}
set account-key-processing [same|strip]
set account-key-filter {string}
set search-type {option1}, {option2}, ...
set obtain-user-info [enable|disable]
set user-info-exchange-server {string}
next
end
Parameter Name | Description | Type | Size |
---|---|---|---|
server | LDAP server CN domain name or IP. | string | Maximum length: 63 |
secondary-server | Secondary LDAP server CN domain name or IP. | string | Maximum length: 63 |
tertiary-server | Tertiary LDAP server CN domain name or IP. | string | Maximum length: 63 |
server-identity-check | Enable/disable LDAP server identity check (verify server domain name/IP address against the server certificate). enable: Enable server identity check. disable: Disable server identity check. |
option | - |
source-ip | Source IP for communications to LDAP server. | ipv4-address | Not Specified |
cnid | Common name identifier for the LDAP server. The common name identifier for most LDAP servers is "cn". | string | Maximum length: 20 |
dn | Distinguished name used to look up entries on the LDAP server. | string | Maximum length: 511 |
type | Authentication type for LDAP searches. simple: Simple password authentication without search. anonymous: Bind using anonymous user search. regular: Bind using username/password and then search. |
option | - |
two-factor | Enable/disable two-factor authentication. disable: disable two-factor authentication. fortitoken-cloud: FortiToken Cloud Service. |
option | - |
two-factor-authentication | Authentication method by FortiToken Cloud. fortitoken: FortiToken authentication. email: Email one time password. sms: SMS one time password. |
option | - |
two-factor-notification | Notification method for user activation by FortiToken Cloud. email: Email notification for activation code. sms: SMS notification for activation code. |
option | - |
username | Username (full DN) for initial binding. | string | Maximum length: 511 |
password | Password for initial binding. | password | Not Specified |
group-member-check | Group member checking methods. user-attr: User attribute checking. group-object: Group object checking. posix-group-object: POSIX group object checking. |
option | - |
group-search-base | Search base used for group searching. | string | Maximum length: 511 |
group-object-filter | Filter used for group searching. | string | Maximum length: 2047 |
group-filter | Filter used for group matching. | string | Maximum length: 2047 |
secure | Port to be used for authentication. disable: No SSL. starttls: Use StartTLS. ldaps: Use LDAPS. |
option | - |
ssl-min-proto-version | Minimum supported protocol version for SSL/TLS connections (default is to follow system global setting). default: Follow system global setting. SSLv3: SSLv3. TLSv1: TLSv1. TLSv1-1: TLSv1.1. TLSv1-2: TLSv1.2. |
option | - |
ca-cert | CA certificate name. | string | Maximum length: 79 |
port | Port to be used for communication with the LDAP server (default = 389). | integer | Minimum value: 1 Maximum value: 65535 |
password-expiry-warning | Enable/disable password expiry warnings. enable: Enable password expiry warnings. disable: Disable password expiry warnings. |
option | - |
password-renewal | Enable/disable online password renewal. enable: Enable online password renewal. disable: Disable online password renewal. |
option | - |
member-attr | Name of attribute from which to get group membership. | string | Maximum length: 63 |
account-key-processing | Account key processing operation, either keep or strip domain string of UPN in the token. same: Same as UPN. strip: Strip domain string from UPN. |
option | - |
account-key-filter | Account key filter, using the UPN as the search filter. | string | Maximum length: 2047 |
search-type | Search type. recursive: Recursively retrieve the user-group chain information of a user in a particular Microsoft AD domain. |
option | - |
obtain-user-info | Enable/disable obtaining of user information. enable: Enable obtaining of user information. disable: Disable obtaining of user information. |
option | - |
user-info-exchange-server | MS Exchange server from which to fetch user information. | string | Maximum length: 35 |