Variable | Description | Default |
<ldap-query_name> | Type the name of the LDAP user query. The maximum length is 35 characters. To display the list of existing queries, type: edit ? | No default. |
bind-type {anonymous | simple | regular} | Select one of the following LDAP query binding styles: • simple — Bind using the client-supplied password and a bind DN assembled from the common-name-id <cn-attribute_str>, distinguished-name <search-dn_str>, and the client-supplied user name. • regular — Bind using a bind DN and password that you configure in username <bind‑dn_str> and password <bind-password_str>. • anonymous — Do not provide a bind DN or password. Instead, perform the query without authenticating. Select this option only if the LDAP directory supports anonymous queries. | simple |
common-name-id <cn-attribute_str> | Type the identifier, often cn, for the common name (CN) attribute whose value is the user name. The maximum length is 63 characters. Identifiers may vary by your LDAP directory’s schema. | No default. |
distinguished-name <search-dn_str> | Type the distinguished name (DN) such as ou=People,dc=example,dc=com, that, when prefixed with the common name, forms the full path in the directory to user account objects. The maximum length is 255 characters. | No default. |
filter <query-filter_str> | Type an LDAP query filter string, if any, that will be used to filter out results from the query’s results based upon any attribute in the record set. The maximum length is 255 characters. This option is valid only when bind-type is regular. | No default. |
group_authentication {enable | disable} | Enable to only include users that are members of an LDAP group. Also configure group-type {edirectory | open‑ldap | windows‑ad} and group_dn <group-dn_str>. This option is valid only when bind-type is regular. | enable |
group_dn <group-dn_str> | Type the distinguished name of the LDAP user group, such as ou=Groups,dc=example,dc=com. The maximum length is 255 characters. This option is valid only when group_authentication is enabled. | No default. |
group-type {edirectory | open‑ldap | windows‑ad} | Select the schema that matches your server’s LDAP directory. Group membership attributes may have different names depending on an LDAP directory schemas. The FortiWeb appliance will use the group membership attribute that matches your directory’s schema when querying the group DN. This option is valid only when group_authentication is enabled. | open-ldap |
password <bind-password_str> | Type the password of the username <bind‑dn_str>. The maximum length is 63 characters. This field may be optional if your LDAP server does not require the FortiWeb appliance to authenticate when performing queries, and does not appear if bind-type is anonymous or simple. | No default. |
port <port_int> | Type the port number where the LDAP server listens. The valid range is from 1 to 65,535. The default port number varies by your selection in ssl-connection: port 389 is typically used for non-secure connections or for STARTTLS-secured connections, and port 636 is typically used for SSL-secured (LDAPS) connections. | 389 |
protocol {ldaps | starttls} | Select whether to secure the LDAP query using LDAPS or STARTTLS. You may need to reconfigure port <port_int> to correspond to the change in protocol. This field is applicable only if ssl-connection is enable. | ldaps |
server <ldap_ipv4> | Type the IP address of the LDAP server. | 0.0.0.0 |
ssl-connection {enable | disable} | Enable to connect to the LDAP servers using an encrypted connection, then select the style of the encryption in protocol. | enable |
username <bind‑dn_str> | Type the bind DN, such as cn=FortiWebA,dc=example,dc=com, of an LDAP user account with permissions to query the distinguished-name <search-dn_str>. The maximum length is 255 characters. This field may be optional if your LDAP server does not require the FortiWeb appliance to authenticate when performing queries, and does not appear if bind-type is anonymous or simple. | No default. |