Configuring LDAP profiles
 
The LDAP submenu lets you configure LDAP profiles which can query LDAP servers for authentication, email address mappings, and more.
 
Before using an LDAP profile, verify each LDAP query and the connectivity to your LDAP server. When LDAP queries do not match the server’s schema or contents, unintended mail processing behaviors can result, including bypassing antivirus scans. For details on preparing an LDAP directory for use with FortiMail LDAP profiles, see “Preparing your LDAP schema for FortiMail LDAP profiles”.
LDAP profiles each contain one or more queries that retrieve specific configuration data, such as user groups, from an LDAP server. The LDAP profile list indicates which queries you have enabled in each LDAP profile.
To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see “About administrator account permissions and domains”.
To view the list of LDAP profiles, go to Profile > LDAP > LDAP.
 
GUI item: Description
Clone (button): Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK.
Profile Name: Displays the name of the profile.
Server: Displays the domain name or IP address of the LDAP server.
Port: Displays the listening port of the LDAP server.
Group: Indicates whether Group Query Options is enabled.
Auth: Indicates whether User Authentication Options is enabled.
Alias: Indicates whether User Alias Options is enabled.
Routing: Indicates whether Mail Routing Options is enabled.
Scan Override: Indicates whether Scan Override Options is enabled.
Address Map: Indicates whether Address Mapping Options is enabled.
Domain Lookup: Indicates whether Domain Lookup Options is enabled.
Webmail: Indicates whether Enable webmail password change is enabled in this profile.
Cache: Indicates whether query result caching is enabled.
(Green dot in column heading): Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.
You can add an LDAP profile to define a set of queries that the FortiMail unit can use with an LDAP server. You might create more than one LDAP profile if, for example, you have more than one LDAP server, or you want to configure multiple, separate query sets for the same LDAP server.
After you have created an LDAP profile, LDAP profile options appear in other areas of the FortiMail unit’s configuration. These options let you select the LDAP profile where you might otherwise create a reference to a configuration item stored locally on the FortiMail unit itself. These other configuration areas only allow you to select applicable LDAP profiles, that is, those LDAP profiles in which you have enabled the query required by that feature. For example, if a feature requires a definition of user groups, you can select only from those LDAP profiles where Group Query Options are enabled.
To configure an LDAP profile
1. Go to Profile > LDAP > LDAP.
2. Click New to add a profile or double-click a profile to modify it.
A multisection dialog appears.
3. Configure the following general settings:
 
GUI item: Description
Profile name: For a new profile, enter its name.
Server name/IP: Enter the fully qualified domain name (FQDN) or IP address of the LDAP server.
Port: Enter the port number where the LDAP server listens. The default port number depends on your selection in Use secure connection: port 389 is typically used for non-secure connections, and port 636 is typically used for SSL-secured (LDAPS) connections.
Fallback server name/IP: Optional. Enter the fully qualified domain name (FQDN) or IP address of an alternate LDAP server that the FortiMail unit can query if the primary LDAP server is unreachable.
Port: Enter the port number where the fallback LDAP server listens. The default port number depends on your selection in Use secure connection: port 389 is typically used for non-secure connections, and port 636 is typically used for SSL-secured (LDAPS) connections.
Use secure connection: Select whether or not to connect to the LDAP servers using an encrypted connection.
none: Use a non-secure connection.
SSL: Use an SSL-secured (LDAPS) connection.
Test LDAP Query (button): Click Test LDAP Query to test the connection. A pop-up window appears. For details, see “To verify user query options”.
Note: If your FortiMail unit is deployed in server mode, and you want to enable Enable webmail password change using an LDAP server that uses a Microsoft ActiveDirectory-style schema, you must select SSL. ActiveDirectory servers require a secure connection for queries that change user passwords.
Default Bind Options
Base DN: Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiMail unit will search for user objects, such as ou=People,dc=example,dc=com. User objects should be child nodes of this location.
Bind DN: Enter the bind DN, such as cn=FortiMailA,dc=example,dc=com, of an LDAP user account with permissions to query the Base DN.
Bind password: Enter the password of the Bind DN.
Browse (button): Click Browse to browse the LDAP directory, starting from the location that you specified in Base DN or, if you have not yet entered a Base DN, from the root of the LDAP directory tree. Browsing the LDAP tree can be useful if you need to locate your Base DN or look up attribute names. Before browsing, first configure Server name/IP, Use secure connection, Bind DN, Bind password, and Protocol version, then click Create or OK; these fields provide the minimum information required to establish the directory browsing connection.
4. Configure the following sections:
“Configuring user query options”
“Configuring group query options”
“Configuring user authentication options”
“Configuring user alias options”
“Configuring mail routing”
“Configuring scan override options”
“Configuring address mapping options”
“Configuring domain lookup options”
“Configuring remote access override options”
“Configuring advanced options”
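Before relying on the general settings from step 3 in production, it helps to confirm from an independent host that the server, port, secure-connection choice, Bind DN and Bind password actually work together, as the verification note at the top of this page asks. The script below is an added example, not FortiMail code or a Fortinet tool: it encodes an LDAPv3 simple bind by hand with the Python standard library only (no ldap3 dependency), opens the same kind of connection the profile would (plain on 389, TLS with certificate verification on 636) and reports the server's bind result code. Host, DN and password values passed to it are assumed placeholders.

```python
import socket
import ssl

def _ber(tag, payload):
    """Wrap payload in a BER TLV (tag byte, definite-form length)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + payload

def encode_simple_bind(bind_dn, password, message_id=1):
    """LDAPv3 BindRequest with simple authentication (RFC 4511 s.4.2)."""
    bind_req = _ber(0x60,                                # [APPLICATION 0]
                    _ber(0x02, b"\x03")                  # version 3
                    + _ber(0x04, bind_dn.encode())       # name (LDAPDN)
                    + _ber(0x80, password.encode()))     # simple [0]
    return _ber(0x30, _ber(0x02, bytes([message_id])) + bind_req)

def _tlv(buf, pos):
    """Parse one TLV at pos; return (tag, value_start, value_end)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                         # long-form length
        nb = n & 0x7F
        n = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    return tag, pos, pos + n

def parse_bind_result_code(response):
    """resultCode of a BindResponse: 0 = success, 49 = invalidCredentials."""
    _, pos, _ = _tlv(response, 0)                        # LDAPMessage SEQUENCE
    _, _, pos = _tlv(response, pos)                      # skip messageID
    tag, pos, _ = _tlv(response, pos)                    # [APPLICATION 1]
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, start, end = _tlv(response, pos)                  # resultCode ENUMERATED
    return int.from_bytes(response[start:end], "big")

def probe_bind(host, port, bind_dn, password, use_ssl=True, timeout=5):
    """Connect as the profile would (389 plain / 636 LDAPS) and bind.
    Returns the LDAP resultCode; raises on TCP or TLS failure."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_ssl:
        ctx = ssl.create_default_context()               # verifies server cert
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(encode_simple_bind(bind_dn, password))
        return parse_bind_result_code(sock.recv(4096))
```

A result code of 49 means the Bind DN or password is rejected, while a TLS handshake error on port 636 usually means the server certificate is not trusted by the host running the check. This only exercises the bind; the individual query filters still need the Test LDAP Query button described above.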