ldap
Use this command to add or edit the definition of an LDAP server for user authentication.
To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the user is successfully authenticated with the FortiGate unit. If the LDAP server cannot authenticate the user, the connection is refused by the FortiGate unit. The maximum number of remote LDAP servers that can be configured for authentication is 10.
The FortiGate unit supports LDAP protocol functionality defined in RFC2251 for looking up and validating user names and passwords. FortiGate LDAP supports all LDAP servers compliant with LDAP v3.
FortiGate LDAP support does not extend to proprietary functionality, such as notification of password expiration, that is available from some LDAP servers. FortiGate LDAP support does not supply information to the user about why authentication failed.
LDAP user authentication is supported for PPTP, L2TP, IPSec VPN, and firewall authentication. With PPTP, L2TP, and IPSec VPN, PAP (Password Authentication Protocol) is supported and CHAP (Challenge Handshake Authentication Protocol) is not.
Syntax
config user ldap
edit <server_name>
set ca-cert <cert_name>
set cnid <id>
set dn <dname>
set group-member-check {user-attr | group-object}
set group-object-filter <group_filter>
set member-attr <attr_name>
set password <ldap_passwd>
set password-expiry-warning {disable | enable}
set password-renewal {disable | enable}
set port <number>
set search-type {nested}
set secondary-server <domain>
set secure {disable | starttls | ldaps}
set server <domain>
set source-ip <source_ipv4addr>
set tertiary-server <domain>
set type <auth_type>
set username <ldap_username>
end
Variables

edit <server_name>
    Enter a name to identify the LDAP server. Enter a new name to create a new server definition, or enter an existing server name to edit that server definition.
    Default: no default.

ca-cert <cert_name>
    This field is available when secure is set to ldaps or starttls. Enter the name of the CA certificate that the LDAP library uses to validate the certificate presented by the LDAP server when the secured connection is established.
    Default: null

cnid <id>
    Enter the common name identifier for the LDAP server. The common name identifier for most LDAP servers is cn; however, some servers use other identifiers such as uid. Maximum 20 characters.
    Default: cn

dn <dname>
    Enter the distinguished name used to look up entries on the LDAP server. It reflects the hierarchy of LDAP database object classes above the common name identifier. The FortiGate unit passes this distinguished name unchanged to the server. You must provide a dn value if type is simple. Maximum 512 characters.
    Default: no default.

group-member-check {user-attr | group-object}
    Select the group membership checking method: user attribute or group object.
    Default: user-attr

group-object-filter <group_filter>
    Enter the filter for group searches. This field is available when group-member-check is group-object. The search for the group on the LDAP server is done with the following default filter: (&(objectcategory=group)(member=*))
    For example, to look for the group that allows dial-in (msNPAllowDialin), set the filter to (&(uid=%u)(msNPAllowDialin=TRUE)).

member-attr <attr_name>
    An attribute of the group that is used to authenticate users.
    Default: null

password <ldap_passwd>
    This field is available only if type is regular. Regular authentication requires a user name and password for the account that binds to the server; see your server administrator for these values.
    Default: no default.

password-expiry-warning {disable | enable}
    Enable or disable password expiry warnings.
    Default: disable

password-renewal {disable | enable}
    Enable or disable online password renewal.
    Default: disable

port <number>
    Enter the port number for communication with the LDAP server.
    Default: 389

search-type {nested}
    Retrieve the complete nested user group chain of a user in a particular Microsoft AD domain.
    Default: null

secondary-server <domain>
    Optionally, enter a second LDAP server name or IP address.
    Default: no default.

secure {disable | starttls | ldaps}
    Select how the connection to the LDAP server is secured. The port used for authentication depends on the selection:
    disable — port 389
    ldaps — port 636
    starttls — port 389
    Default: disable

server <domain>
    Enter the LDAP server domain name or IP address. The host name must comply with RFC1035.
    Default: no default.

source-ip <source_ipv4addr>
    Optionally, enter a source IP address to use for LDAP requests.
    Default: 0.0.0.0

tertiary-server <domain>
    Optionally, enter a third LDAP server name or IP address.
    Default: no default.

type <auth_type>
    Enter the authentication type for LDAP searches. One of:
    anonymous — bind using anonymous user search
    regular — bind using username/password and then search
    simple — simple password authentication without search
    You can use simple authentication if the user records are all under one dn that you know. If the users are under more than one dn, use the anonymous or regular type, which can search the entire LDAP database for the required user name.
    If your LDAP server requires authentication to perform searches, use the regular type and provide values for username and password.
    Default: simple

username <ldap_username>
    This field is available only if type is regular. Regular authentication requires a user name and password for the account that binds to the server; see your server administrator for these values.
    Default: no default.
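Example

The following configuration is an added illustration of the syntax and of the type and secure variables above; it is not part of the original reference. It defines two server entries: one Active Directory domain reached over ldaps (port 636) with a regular bind account and group-object membership checks, and one lab directory reached over starttls with simple binds, which is enough when all user records sit under a single dn. All host names, the CA certificate name CA_Cert_1, the bind DN, the cnid value sAMAccountName, and the password placeholder are assumed values; the CA certificate itself must already be loaded on the unit. The lines beginning with # are explanatory comments and should be dropped when pasting into the CLI.

```fortios
config user ldap
    # Primary directory: Active Directory over LDAPS. The server certificate is
    # validated against the assumed CA certificate "CA_Cert_1", so the bind
    # password is never sent in clear text or to an unverified server.
    edit "corp-ad"
        set server "dc1.corp.example.com"
        set secondary-server "dc2.corp.example.com"
        set secure ldaps
        set port 636
        set ca-cert "CA_Cert_1"
        # sAMAccountName is the assumed login attribute; AD records are not
        # all under one dn, so a regular bind-then-search is required.
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example,dc=com"
        set type regular
        set username "cn=fgt-bind,ou=service,dc=corp,dc=example,dc=com"
        set password "<bind-password>"
        # Membership is resolved by searching group objects with the
        # default filter shown in the reference.
        set group-member-check group-object
        set group-object-filter "(&(objectcategory=group)(member=*))"
    next
    # Lab directory: every user record lives under ou=people, so the unit can
    # bind directly as uid=<user>,ou=people,... without a search account.
    edit "lab-ldap"
        set server "ldap.lab.example.com"
        set secure starttls
        set port 389
        set ca-cert "CA_Cert_1"
        set cnid "uid"
        set dn "ou=people,dc=lab,dc=example,dc=com"
        set type simple
    next
end
```

The account named in username for the regular type only needs read access to the user and group subtrees it searches; give it no other rights, because its password is stored in the unit's configuration. With secure set to disable, both the bind credentials and the user's password cross the network unencrypted on port 389, so either ldaps or starttls with a ca-cert is the setting to use outside an isolated test network.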