Setting name | Description | |
Profile name | Type a name (such as LDAP-query) that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters. | |
Server name/IP | Type the fully qualified domain name (FQDN) or IP address of the LDAP or Active Directory server that will be queried when an account referencing this profile attempts to authenticate. | |
Fallback server name/IP | Type the fully qualified domain name (FQDN) or IP address of a secondary LDAP or Active Directory server, if any, that can be queried if the primary server fails to respond according to the threshold configured in “Timeout” on page 64. | |
Port | Type the port number on which the authentication server listens for queries. The IANA standard port number for LDAP is 389. LDAPS (SSL/TLS-secured LDAP) is 636. | |
Use secure connection | If your directory server uses SSL to encrypt query connections, select SSL then upload the certificate of the CA that signed the LDAP server’s certificate (see “Uploading trusted CAs’ certificates”). | |
Allow unauthenticated bind | Enable to perform the query without authenticating. Disable to authenticate when querying. Also configure Bind DN, Bind password, and User Authentication Options. Many LDAP servers require LDAP queries to be authenticated (“bound”) by supplying a bind DN and password to determine the scope of permissions for the directory search. However, if your LDAP server does not require binding, you can enable this option to improve performance. | |
Setting name | Description | |
Schema | If your LDAP directory’s user objects uses one of these common schema style: • InetOrgPerson • InetLocalMailRecipient • Active Directory • Lotus Domino select the schema style. This automatically configures the query string to match that schema style. Otherwise, select User Defined, then manually configure the query string in LDAP user query. | |
Base DN | Enter the distinguished name (DN) of the part of the LDAP directory tree within which FortiRecorder will search for user objects, such as ou=People,dc=example,dc=com. User objects should be child nodes of this location. | |
Bind DN | Enter the bind DN, such as cn=FortiRecorderA,dc=example,dc=com, of an LDAP user account with permissions to query the Base DN. Leave this field blank if you have enabled Allow unauthenticated bind. | |
Bind password | Enter the password of the Bind DN. Click Browse to locate the LDAP directory from the location that you specified in Base DN, or, if you have not yet entered a Base DN, beginning from the root of the LDAP directory tree. Browsing the LDAP tree can be useful if you need to locate your Base DN, or need to look up attribute names. For example, if the Base DN is unknown, browsing can help you to locate it. Before using, first configure Server name/IP, Use secure connection, Bind DN, Bind password, and , then click Create or OK. These fields provide minimum information required to establish the directory browsing connection. | |
LDAP user query | Enter an LDAP query filter that selects a set of user objects from the LDAP directory. The query string filters the result set, and should be based upon any attributes that are common to all user objects but also exclude non-user objects. For example, if user objects in your directory have two distinguishing characteristics, their objectClass and mail attributes, the query filter might be: (& (objectClass=inetOrgPerson) (mail=$m)) where $m is the FortiRecorder variable for a user's email address. This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined. For details on query syntax, refer to any standard LDAP query filter reference manual. | |
Scope | Select which level of depth to query, starting from Base DN. | |
Derefer | Select when, if ever, to dereference attributes whose values are references. • Never — Do not dereference. • Always — Always dereference. • Search — Dereference only when searching. • Find — Dereference only when finding the base search object. | |
User Authentication Options | Select how, if the query requires authentication, the FortiRecorder appliance will form the bind DN. The default setting is the third option: Search user and try bind DN. • Try UPN or email address as bind DN — Select to form the user’s bind DN by prepending the user name portion of the email address ($u) to the User Principle Name (UPN, such as example.com). By default, the FortiRecorder appliance will use the mail domain as the UPN. If you want to use a UPN other than the mail domain, enter that UPN in the field named Alternative UPN suffix. This can be useful if users authenticate with a domain other than the mail server’s principal domain name. • Try common name with base DN as bind DN — Select to form the user’s bind DN by prepending a common name to the base DN. Also enter the name of the user objects’ common name attribute, such as cn or uid into the field. • Search user and try bind DN — Select to form the user’s bind DN by using the DN retrieved for that user by User Query Options. | |
User Type Attribute | Select this option to define the user’s type. Valid entries for this field are: admin, operator, and viewer. | |
User Profile Attribute | Select this option to define the user’s profile. The entry for this field must match the profile name configured in FortiRecorder. | |
Access Profile Attribute | The access profile attribute can only be set if the user is an administrator. Selecting this option will set the administrator user’s access profile. The entry for this field must match the name of an access profile configured in FortiRecorder. | |
Notification Options | Select the “Allow notification attributes” option to enable notifications. FortiRecorder supports the following notifications: • Email attribute: This attribute specifies the user’s email address for notifications. • SMS profile attribute: This attribute specifies which SMS profile the user will use. The SMS profile attribute must match the name of the profile configured in FortiRecorder. • SMS number attribute: This attribute specifies the user SMS number for notifaction.The number format must be the same as the number in the user entry settings. • Method attribute: This attribute specifies the method used to notify a user. The two valid entries are “email” and “sms”. • Embedded email images attribute: This attribute specifies whether images are included in email messages to the user. The two valid entries are “yes” and “no”. | |
Timeout | Type the number of seconds that the FortiRecorder appliance will wait for a reply to the query before assuming that the primary LDAP server has failed, and will therefore query the secondary LDAP server. The default value is 20. | |
Protocol version | Select the LDAP protocol version (either 2 or 3) used by the LDAP server. | |
Enable cache | Enable to cache LDAP query results. Caching LDAP queries can introduce a delay between when you update LDAP directory information and when the FortiRecorder appliance begins using that new information, but also has the benefit of reducing the amount of LDAP network traffic associated with frequent queries for information that does not change frequently. If this option is enabled but queries are not being cached, inspect the value of TTL. Entering a TTL value of 0 effectively disables caching. | |
TTL | Enter the amount of time, in minutes, that the FortiRecorder unit will cache query results. After the TTL has elapsed, cached results expire, and any subsequent request for that information causes the FortiRecorder appliance to query the LDAP server, refreshing the cache. The default TTL value is 1440 minutes (one day). The maximum value is 10080 minutes (one week). Entering a value of 0 effectively disables caching. This option is applicable only if is enabled. | |
