Fortinet white logo
Fortinet white logo

CLI Reference

config user ldap

config user ldap

Configure LDAP server entries.

config user ldap
    Description: Configure LDAP server entries.
    edit <name>
        set account-key-cert-field [othername|rfc822name|...]
        set account-key-filter {string}
        set account-key-processing [same|strip]
        set antiphish [enable|disable]
        set ca-cert {string}
        set client-cert {string}
        set client-cert-auth [enable|disable]
        set cnid {string}
        set dn {string}
        set group-filter {string}
        set group-member-check [user-attr|group-object|...]
        set group-object-filter {string}
        set group-search-base {string}
        set interface {string}
        set interface-select-method [auto|sdwan|...]
        set member-attr {string}
        set obtain-user-info [enable|disable]
        set password {password}
        set password-attr {string}
        set password-expiry-warning [enable|disable]
        set password-renewal [enable|disable]
        set port {integer}
        set search-type {option1}, {option2}, ...
        set secondary-server {string}
        set secure [disable|starttls|...]
        set server {string}
        set server-identity-check [enable|disable]
        set source-ip {string}
        set source-port {integer}
        set ssl-min-proto-version [default|SSLv3|...]
        set tertiary-server {string}
        set two-factor [disable|fortitoken-cloud]
        set two-factor-authentication [fortitoken|email|...]
        set two-factor-filter {string}
        set two-factor-notification [email|sms]
        set type [simple|anonymous|...]
        set user-info-exchange-server {string}
        set username {string}
    next
end

config user ldap

Parameter

Description

Type

Size

Default

account-key-cert-field

Define subject identity field in certificate for user access right checking.

option

-

othername

Option

Description

othername

Other name in SAN.

rfc822name

RFC822 email address in SAN.

dnsname

DNS name in SAN.

account-key-filter

Account key filter, using the UPN as the search filter.

string

Maximum length: 2047

(&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

account-key-processing

Account key processing operation. The FortiGate will keep either the whole domain or strip the domain from the subject identity.

option

-

same

Option

Description

same

Same as subject identity field.

strip

Strip domain string from subject identity field.

antiphish

Enable/disable AntiPhishing credential backend.

option

-

disable

Option

Description

enable

Enable AntiPhishing credential backend.

disable

Disable AntiPhishing credential backend.

ca-cert

CA certificate name.

string

Maximum length: 79

client-cert

Client certificate name.

string

Maximum length: 79

client-cert-auth

Enable/disable using client certificate for TLS authentication.

option

-

disable

Option

Description

enable

Enable using client certificate for TLS authentication.

disable

Disable using client certificate for TLS authentication.

cnid

Common name identifier for the LDAP server. The common name identifier for most LDAP servers is "cn".

string

Maximum length: 20

cn

dn

Distinguished name used to look up entries on the LDAP server.

string

Maximum length: 511

group-filter

Filter used for group matching.

string

Maximum length: 2047

group-member-check

Group member checking methods.

option

-

user-attr

Option

Description

user-attr

User attribute checking.

group-object

Group object checking.

posix-group-object

POSIX group object checking.

group-object-filter

Filter used for group searching.

string

Maximum length: 2047

(&(objectcategory=group)(member=*))

group-search-base

Search base used for group searching.

string

Maximum length: 511

interface

Specify outgoing interface to reach server.

string

Maximum length: 15

interface-select-method

Specify how to select outgoing interface to reach server.

option

-

auto

Option

Description

auto

Set outgoing interface automatically.

sdwan

Set outgoing interface by SD-WAN or policy routing rules.

specify

Set outgoing interface manually.

member-attr

Name of attribute from which to get group membership.

string

Maximum length: 63

memberOf

name

LDAP server entry name.

string

Maximum length: 35

obtain-user-info

Enable/disable obtaining of user information.

option

-

enable

Option

Description

enable

Enable obtaining of user information.

disable

Disable obtaining of user information.

password

Password for initial binding.

password

Not Specified

password-attr

Name of attribute to get password hash.

string

Maximum length: 35

userPassword

password-expiry-warning

Enable/disable password expiry warnings.

option

-

disable

Option

Description

enable

Enable password expiry warnings.

disable

Disable password expiry warnings.

password-renewal

Enable/disable online password renewal.

option

-

disable

Option

Description

enable

Enable online password renewal.

disable

Disable online password renewal.

port

Port to be used for communication with the LDAP server.

integer

Minimum value: 1 Maximum value: 65535

389

search-type

Search type.

option

-

Option

Description

recursive

Recursively retrieve the user-group chain information of a user in a particular Microsoft AD domain.

secondary-server

Secondary LDAP server CN domain name or IP.

string

Maximum length: 63

secure

Port to be used for authentication.

option

-

disable

Option

Description

disable

No SSL.

starttls

Use StartTLS.

ldaps

Use LDAPS.

server

LDAP server CN domain name or IP.

string

Maximum length: 63

server-identity-check

Enable/disable LDAP server identity check (verify server domain name/IP address against the server certificate).

option

-

enable

Option

Description

enable

Enable server identity check.

disable

Disable server identity check.

source-ip

FortiGate IP address to be used for communication with the LDAP server.

string

Maximum length: 63

source-port

Source port to be used for communication with the LDAP server.

integer

Minimum value: 0 Maximum value: 65535

0

ssl-min-proto-version

Minimum supported protocol version for SSL/TLS connections.

option

-

default

Option

Description

default

Follow system global setting.

SSLv3

SSLv3.

TLSv1

TLSv1.

TLSv1-1

TLSv1.1.

TLSv1-2

TLSv1.2.

TLSv1-3

TLSv1.3.

tertiary-server

Tertiary LDAP server CN domain name or IP.

string

Maximum length: 63

two-factor

Enable/disable two-factor authentication.

option

-

disable

Option

Description

disable

disable two-factor authentication.

fortitoken-cloud

FortiToken Cloud Service.

two-factor-authentication

Authentication method by FortiToken Cloud.

option

-

Option

Description

fortitoken

FortiToken authentication.

email

Email one time password.

sms

SMS one time password.

two-factor-filter

Filter used to synchronize users to FortiToken Cloud.

string

Maximum length: 2047

two-factor-notification

Notification method for user activation by FortiToken Cloud.

option

-

Option

Description

email

Email notification for activation code.

sms

SMS notification for activation code.

type

Authentication type for LDAP searches.

option

-

simple

Option

Description

simple

Simple password authentication without search.

anonymous

Bind using anonymous user search.

regular

Bind using username/password and then search.

user-info-exchange-server

MS Exchange server from which to fetch user information.

string

Maximum length: 35

username

Username (full DN) for initial binding.

string

Maximum length: 511

config user ldap

config user ldap

Configure LDAP server entries.

config user ldap
    Description: Configure LDAP server entries.
    edit <name>
        set account-key-cert-field [othername|rfc822name|...]
        set account-key-filter {string}
        set account-key-processing [same|strip]
        set antiphish [enable|disable]
        set ca-cert {string}
        set client-cert {string}
        set client-cert-auth [enable|disable]
        set cnid {string}
        set dn {string}
        set group-filter {string}
        set group-member-check [user-attr|group-object|...]
        set group-object-filter {string}
        set group-search-base {string}
        set interface {string}
        set interface-select-method [auto|sdwan|...]
        set member-attr {string}
        set obtain-user-info [enable|disable]
        set password {password}
        set password-attr {string}
        set password-expiry-warning [enable|disable]
        set password-renewal [enable|disable]
        set port {integer}
        set search-type {option1}, {option2}, ...
        set secondary-server {string}
        set secure [disable|starttls|...]
        set server {string}
        set server-identity-check [enable|disable]
        set source-ip {string}
        set source-port {integer}
        set ssl-min-proto-version [default|SSLv3|...]
        set tertiary-server {string}
        set two-factor [disable|fortitoken-cloud]
        set two-factor-authentication [fortitoken|email|...]
        set two-factor-filter {string}
        set two-factor-notification [email|sms]
        set type [simple|anonymous|...]
        set user-info-exchange-server {string}
        set username {string}
    next
end

config user ldap

Parameter

Description

Type

Size

Default

account-key-cert-field

Define subject identity field in certificate for user access right checking.

option

-

othername

Option

Description

othername

Other name in SAN.

rfc822name

RFC822 email address in SAN.

dnsname

DNS name in SAN.

account-key-filter

Account key filter, using the UPN as the search filter.

string

Maximum length: 2047

(&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

account-key-processing

Account key processing operation. The FortiGate will keep either the whole domain or strip the domain from the subject identity.

option

-

same

Option

Description

same

Same as subject identity field.

strip

Strip domain string from subject identity field.

antiphish

Enable/disable AntiPhishing credential backend.

option

-

disable

Option

Description

enable

Enable AntiPhishing credential backend.

disable

Disable AntiPhishing credential backend.

ca-cert

CA certificate name.

string

Maximum length: 79

client-cert

Client certificate name.

string

Maximum length: 79

client-cert-auth

Enable/disable using client certificate for TLS authentication.

option

-

disable

Option

Description

enable

Enable using client certificate for TLS authentication.

disable

Disable using client certificate for TLS authentication.

cnid

Common name identifier for the LDAP server. The common name identifier for most LDAP servers is "cn".

string

Maximum length: 20

cn

dn

Distinguished name used to look up entries on the LDAP server.

string

Maximum length: 511

group-filter

Filter used for group matching.

string

Maximum length: 2047

group-member-check

Group member checking methods.

option

-

user-attr

Option

Description

user-attr

User attribute checking.

group-object

Group object checking.

posix-group-object

POSIX group object checking.

group-object-filter

Filter used for group searching.

string

Maximum length: 2047

(&(objectcategory=group)(member=*))

group-search-base

Search base used for group searching.

string

Maximum length: 511

interface

Specify outgoing interface to reach server.

string

Maximum length: 15

interface-select-method

Specify how to select outgoing interface to reach server.

option

-

auto

Option

Description

auto

Set outgoing interface automatically.

sdwan

Set outgoing interface by SD-WAN or policy routing rules.

specify

Set outgoing interface manually.

member-attr

Name of attribute from which to get group membership.

string

Maximum length: 63

memberOf

name

LDAP server entry name.

string

Maximum length: 35

obtain-user-info

Enable/disable obtaining of user information.

option

-

enable

Option

Description

enable

Enable obtaining of user information.

disable

Disable obtaining of user information.

password

Password for initial binding.

password

Not Specified

password-attr

Name of attribute to get password hash.

string

Maximum length: 35

userPassword

password-expiry-warning

Enable/disable password expiry warnings.

option

-

disable

Option

Description

enable

Enable password expiry warnings.

disable

Disable password expiry warnings.

password-renewal

Enable/disable online password renewal.

option

-

disable

Option

Description

enable

Enable online password renewal.

disable

Disable online password renewal.

port

Port to be used for communication with the LDAP server.

integer

Minimum value: 1 Maximum value: 65535

389

search-type

Search type.

option

-

Option

Description

recursive

Recursively retrieve the user-group chain information of a user in a particular Microsoft AD domain.

secondary-server

Secondary LDAP server CN domain name or IP.

string

Maximum length: 63

secure

Port to be used for authentication.

option

-

disable

Option

Description

disable

No SSL.

starttls

Use StartTLS.

ldaps

Use LDAPS.

server

LDAP server CN domain name or IP.

string

Maximum length: 63

server-identity-check

Enable/disable LDAP server identity check (verify server domain name/IP address against the server certificate).

option

-

enable

Option

Description

enable

Enable server identity check.

disable

Disable server identity check.

source-ip

FortiGate IP address to be used for communication with the LDAP server.

string

Maximum length: 63

source-port

Source port to be used for communication with the LDAP server.

integer

Minimum value: 0 Maximum value: 65535

0

ssl-min-proto-version

Minimum supported protocol version for SSL/TLS connections.

option

-

default

Option

Description

default

Follow system global setting.

SSLv3

SSLv3.

TLSv1

TLSv1.

TLSv1-1

TLSv1.1.

TLSv1-2

TLSv1.2.

TLSv1-3

TLSv1.3.

tertiary-server

Tertiary LDAP server CN domain name or IP.

string

Maximum length: 63

two-factor

Enable/disable two-factor authentication.

option

-

disable

Option

Description

disable

disable two-factor authentication.

fortitoken-cloud

FortiToken Cloud Service.

two-factor-authentication

Authentication method by FortiToken Cloud.

option

-

Option

Description

fortitoken

FortiToken authentication.

email

Email one time password.

sms

SMS one time password.

two-factor-filter

Filter used to synchronize users to FortiToken Cloud.

string

Maximum length: 2047

two-factor-notification

Notification method for user activation by FortiToken Cloud.

option

-

Option

Description

email

Email notification for activation code.

sms

SMS notification for activation code.

type

Authentication type for LDAP searches.

option

-

simple

Option

Description

simple

Simple password authentication without search.

anonymous

Bind using anonymous user search.

regular

Bind using username/password and then search.

user-info-exchange-server

MS Exchange server from which to fetch user information.

string

Maximum length: 35

username

Username (full DN) for initial binding.

string

Maximum length: 511