Configuring group query options
The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see “Configuring LDAP profiles”.
1. Go to Profile > LDAP.
2. Click New to create a new profile, or double-click an existing profile to edit it.
3. Click the arrow to expand the Group Query Options section.
For more information on determining user group membership by LDAP query, see “Controlling email based on recipient addresses” or “Controlling email based on IP addresses”.
4. Configure the following:
GUI item
Description
Use LDAP tree node as group
Enable to use objects within the Base DN of User Query Options as if they were members of a user group object.
For example, your LDAP directory might not contain user group objects. In that sense, groups do not really exist in the LDAP directory. However, you could mimic a group’s presence by enabling this option to treat all users that are child objects of the Base DN in User Query Options as if they were members of such a group.
Group membership attribute
Enter the name of the attribute, such as memberOf or gidNumber, whose value is the group number or DN of a group to which the user belongs.
This attribute must be present in user objects.
Whether the value must use common name, group number, or DN syntax varies by your LDAP server schema. For example, if your user objects use both inetOrgPerson and posixAccount schema, user objects have the attribute gidNumber, whose value must be an integer that is the group ID number, such as 10000.
Use group name with base DN as group DN
Enable to specify the base distinguished name (DN) portion of the group’s full distinguished name (DN) in the LDAP profile. By specifying the group’s base DN and the name of its group name attribute in the LDAP profile, you will only need to supply the group name value when configuring each feature that uses this query.
For example, you might find it more convenient in each recipient-based policy to type only the group name, admins, rather than typing the full DN, cn=admins,ou=Groups,dc=example,dc=com. In this case, you could enable this option, then configure Group base DN (ou=Groups,dc=example,dc=com) and Group name attribute (cn). When performing the query, the FortiMail unit would assemble the full DN by inserting the common name that you configured in the recipient-based policy between the Group name attribute and the Group base DN configured in the LDAP profile.
Note: Enabling this option is appropriate only if your LDAP server’s schema specifies that the group membership attribute’s value must use DN syntax. It is not appropriate if this value uses another type of syntax, such as a number or common name.
For example, if your user objects use both inetOrgPerson and posixAccount schema, user objects have the attribute gidNumber, whose value must be an integer that is the group ID number, such as 10000. Because a group ID number does not use DN syntax, you would not enable this option.
Group base DN
Enter the base DN portion of the group’s full DN, such as ou=Groups,dc=example,dc=com.
This option is available only if Use group name with base DN as group DN is enabled.
Group name attribute
Enter the name of the attribute, such as cn, whose value is the group name of a group to which the user belongs.
This option is available only if Use group name with base DN as group DN is enabled.
Lookup group owner
Enable to query the group object by its distinguished name (DN) to retrieve the DN of the group owner, which is a user that will receive that group’s quarantine reports. Using that user’s DN, the FortiMail unit will then perform a second query to retrieve that user’s email address, where the quarantine report will be sent.
For more information on sending quarantine reports to the group owner, see “Quarantine Report Setting” and “Managing the personal quarantines”.
Group owner attribute
Enter the name of the attribute, such as groupOwner, whose value is the distinguished name of a user object. You can configure the FortiMail unit to allow that user to be responsible for handling the group’s quarantine report.
If Lookup group owner is enabled, this attribute must be present in group objects.
Group owner address attribute
Enter the name of the attribute, such as mail, whose value is the group owner’s email address.
If Lookup group owner is enabled, this attribute must be present in user objects.
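The following is an added example, not FortiMail code, that models how the options above combine when a policy names a group: the bare group name is expanded with Group name attribute and Group base DN into a full DN when Use group name with base DN as group DN is enabled, compared literally otherwise (the gidNumber case), and the Use LDAP tree node as group option is modelled as a "is the user a child of the base DN" check. The user entries, DNs and the case-insensitive DN comparison are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class GroupQueryOptions:
    """Subset of the profile's Group Query Options (names are descriptive, not the GUI's)."""
    membership_attr: str            # Group membership attribute, e.g. "memberOf" or "gidNumber"
    use_name_with_base_dn: bool = False   # Use group name with base DN as group DN
    group_base_dn: str = ""         # Group base DN, e.g. "ou=Groups,dc=example,dc=com"
    group_name_attr: str = "cn"     # Group name attribute


def normalize_dn(dn: str) -> str:
    # Assumption for comparison: attribute types and values are case-insensitive and
    # whitespace around the comma separators is insignificant.
    return ",".join(part.strip().lower() for part in dn.split(","))


def group_dn_from_name(opts: GroupQueryOptions, group_name: str) -> str:
    # Assemble e.g. "cn=admins,ou=Groups,dc=example,dc=com" from the policy's bare name.
    return f"{opts.group_name_attr}={group_name},{opts.group_base_dn}"


def user_in_group(opts: GroupQueryOptions, user_entry: dict, policy_value: str) -> bool:
    """user_entry maps attribute names to the list of values returned by the user query."""
    values = [str(v) for v in user_entry.get(opts.membership_attr, [])]
    if opts.use_name_with_base_dn:
        # DN syntax: expand the bare name and compare as DNs (memberOf-style schemas).
        wanted = normalize_dn(group_dn_from_name(opts, policy_value))
        return any(normalize_dn(v) == wanted for v in values)
    # Non-DN syntax (gidNumber integer, bare cn): the policy value must match literally.
    return policy_value in values


def user_under_base_dn(user_dn: str, base_dn: str) -> bool:
    """Use LDAP tree node as group: treat every object below the base DN as a member."""
    u, b = normalize_dn(user_dn), normalize_dn(base_dn)
    return u != b and u.endswith("," + b)


# Constructed sample entries, as a user query might return them.
AD_STYLE_USER = {"memberOf": ["CN=Admins,OU=Groups,DC=example,DC=com"]}
POSIX_USER = {"gidNumber": ["10000"]}

DN_OPTS = GroupQueryOptions("memberOf", True, "ou=Groups,dc=example,dc=com", "cn")
GID_OPTS = GroupQueryOptions("gidNumber")
```

With DN_OPTS a policy that names only "admins" matches AD_STYLE_USER, while GID_OPTS must be given the literal "10000" because a group ID number has no DN to assemble.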