fortios_user_ldap – Configure LDAP server entries in Fortinet’s FortiOS and FortiGate.

New in version 2.0.0.

Synopsis

• This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify user feature and ldap category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0

Requirements

The below requirements are needed on the host that executes this module.

• ansible>=2.15

Tips

Using member operation to add an element to an existing object.

FortiOS Version Compatibility

Supported Version Ranges: v6.0.0 -> 7.4.3

Parameters

• access_token - Token-based authentication. Generated from GUI of Fortigate. type: str required: false
• enable_log - Enable/Disable logging for task. type: bool required: false default: False
• vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
• member_path - Member attribute path to operate on. type: str
• member_state - Add or delete a member under specified attribute path. type: str choices: present, absent
• state - Indicates whether to create or remove the object. type: str required: true choices: present, absent
• user_ldap - Configure LDAP server entries. type: dict more...

  	Supported Version Ranges
  user_ldap	v6.0.0 -> 7.4.3

• account_key_cert_field - Define subject identity field in certificate for user access right checking. type: str choices: othername, rfc822name, dnsname more...

  	Supported Version Ranges
  account_key_cert_field	v7.4.1 -> 7.4.3
  [othername]	v7.4.1 -> 7.4.3
  [rfc822name]	v7.4.1 -> 7.4.3
  [dnsname]	v7.4.1 -> 7.4.3

• account_key_filter - Account key filter, using the UPN as the search filter. type: str more...

  	Supported Version Ranges
  account_key_filter	v6.0.0 -> 7.4.3

• account_key_processing - Account key processing operation. The FortiGate will keep either the whole domain or strip the domain from the subject identity. type: str choices: same, strip more...

  	Supported Version Ranges
  account_key_processing	v6.0.0 -> 7.4.3
  [same]	v6.0.0 -> 7.4.3
  [strip]	v6.0.0 -> 7.4.3

• account_key_upn_san - Define SAN in certificate for user principle name matching. type: str choices: othername, rfc822name, dnsname more...

  	Supported Version Ranges
  account_key_upn_san	v7.2.4 -> v7.4.0
  [othername]	v7.2.4 -> v7.4.0
  [rfc822name]	v7.2.4 -> v7.4.0
  [dnsname]	v7.2.4 -> v7.4.0

• antiphish - Enable/disable AntiPhishing credential backend. type: str choices: enable, disable more...

  	Supported Version Ranges
  antiphish	v7.0.0 -> 7.4.3
  [enable]	v7.0.0 -> 7.4.3
  [disable]	v7.0.0 -> 7.4.3

• ca_cert - CA certificate name. Source vpn.certificate.ca.name. type: str more...

  	Supported Version Ranges
  ca_cert	v6.0.0 -> 7.4.3

• client_cert - Client certificate name. Source vpn.certificate.local.name. type: str more...

  	Supported Version Ranges
  client_cert	v7.2.0 -> 7.4.3

• client_cert_auth - Enable/disable using client certificate for TLS authentication. type: str choices: enable, disable more...

  	Supported Version Ranges
  client_cert_auth	v7.2.0 -> 7.4.3
  [enable]	v7.2.0 -> 7.4.3
  [disable]	v7.2.0 -> 7.4.3

• cnid - Common name identifier for the LDAP server. The common name identifier for most LDAP servers is "cn". type: str more...

  	Supported Version Ranges
  cnid	v6.0.0 -> 7.4.3

• dn - Distinguished name used to look up entries on the LDAP server. type: str more...

  	Supported Version Ranges
  dn	v6.0.0 -> 7.4.3

• group_filter - Filter used for group matching. type: str more...

  	Supported Version Ranges
  group_filter	v6.0.0 -> 7.4.3

• group_member_check - Group member checking methods. type: str choices: user-attr, group-object, posix-group-object more...

  	Supported Version Ranges
  group_member_check	v6.0.0 -> 7.4.3
  [user-attr]	v6.0.0 -> 7.4.3
  [group-object]	v6.0.0 -> 7.4.3
  [posix-group-object]	v6.0.0 -> 7.4.3

• group_object_filter - Filter used for group searching. type: str more...

  	Supported Version Ranges
  group_object_filter	v6.0.0 -> 7.4.3

• group_search_base - Search base used for group searching. type: str more...

  	Supported Version Ranges
  group_search_base	v6.0.0 -> 7.4.3

• interface - Specify outgoing interface to reach server. Source system.interface.name. type: str more...

  	Supported Version Ranges
  interface	v6.2.0 -> v6.2.0	v6.2.5 -> 7.4.3

• interface_select_method - Specify how to select outgoing interface to reach server. type: str choices: auto, sdwan, specify more...

  	Supported Version Ranges
  interface_select_method	v6.2.0 -> v6.2.0	v6.2.5 -> 7.4.3
  [auto]	v6.2.0 -> v6.2.0
  [sdwan]	v6.2.0 -> v6.2.0
  [specify]	v6.2.0 -> v6.2.0

• member_attr - Name of attribute from which to get group membership. type: str more...

  	Supported Version Ranges
  member_attr	v6.0.0 -> 7.4.3

• name - LDAP server entry name. type: str required: true more...

  	Supported Version Ranges
  name	v6.0.0 -> 7.4.3

• obtain_user_info - Enable/disable obtaining of user information. type: str choices: enable, disable more...

  	Supported Version Ranges
  obtain_user_info	v6.2.0 -> 7.4.3
  [enable]	v6.2.0 -> 7.4.3
  [disable]	v6.2.0 -> 7.4.3

• password - Password for initial binding. type: str more...

  	Supported Version Ranges
  password	v6.0.0 -> 7.4.3

• password_attr - Name of attribute to get password hash. type: str more...

  	Supported Version Ranges
  password_attr	v7.0.0 -> 7.4.3

• password_expiry_warning - Enable/disable password expiry warnings. type: str choices: enable, disable more...

  	Supported Version Ranges
  password_expiry_warning	v6.0.0 -> 7.4.3
  [enable]	v6.0.0 -> 7.4.3
  [disable]	v6.0.0 -> 7.4.3

• password_renewal - Enable/disable online password renewal. type: str choices: enable, disable more...

  	Supported Version Ranges
  password_renewal	v6.0.0 -> 7.4.3
  [enable]	v6.0.0 -> 7.4.3
  [disable]	v6.0.0 -> 7.4.3

• port - Port to be used for communication with the LDAP server . type: int more...

  	Supported Version Ranges
  port	v6.0.0 -> 7.4.3

• search_type - Search type. type: list choices: recursive more...

  	Supported Version Ranges
  search_type	v6.2.0 -> 7.4.3
  [recursive]	v6.2.0 -> 7.4.3

• secondary_server - Secondary LDAP server CN domain name or IP. type: str more...

  	Supported Version Ranges
  secondary_server	v6.0.0 -> 7.4.3

• secure - Port to be used for authentication. type: str choices: disable, starttls, ldaps more...

  	Supported Version Ranges
  secure	v6.0.0 -> 7.4.3
  [disable]	v6.0.0 -> 7.4.3
  [starttls]	v6.0.0 -> 7.4.3
  [ldaps]	v6.0.0 -> 7.4.3

• server - LDAP server CN domain name or IP. type: str more...

  	Supported Version Ranges
  server	v6.0.0 -> 7.4.3

• server_identity_check - Enable/disable LDAP server identity check (verify server domain name/IP address against the server certificate). type: str choices: enable, disable more...

  	Supported Version Ranges
  server_identity_check	v6.0.0 -> 7.4.3
  [enable]	v6.0.0 -> 7.4.3
  [disable]	v6.0.0 -> 7.4.3

• source_ip - FortiGate IP address to be used for communication with the LDAP server. type: str more...

  	Supported Version Ranges
  source_ip	v6.0.0 -> 7.4.3

• source_port - Source port to be used for communication with the LDAP server. type: int more...

  	Supported Version Ranges
  source_port	v7.0.0 -> 7.4.3

• ssl_min_proto_version - Minimum supported protocol version for SSL/TLS connections . type: str choices: default, SSLv3, TLSv1, TLSv1-1, TLSv1-2, TLSv1-3 more...

  	Supported Version Ranges
  ssl_min_proto_version	v6.0.0 -> 7.4.3
  [default]	v6.0.0 -> 7.4.3
  [SSLv3]	v6.0.0 -> 7.4.3
  [TLSv1]	v6.0.0 -> 7.4.3
  [TLSv1-1]	v6.0.0 -> 7.4.3
  [TLSv1-2]	v6.0.0 -> 7.4.3
  [TLSv1-3]	v7.4.1 -> 7.4.3

• tertiary_server - Tertiary LDAP server CN domain name or IP. type: str more...

  	Supported Version Ranges
  tertiary_server	v6.0.0 -> 7.4.3

• two_factor - Enable/disable two-factor authentication. type: str choices: disable, fortitoken-cloud more...

  	Supported Version Ranges
  two_factor	v6.2.0 -> 7.4.3
  [disable]	v6.2.0 -> 7.4.3
  [fortitoken-cloud]	v6.2.0 -> 7.4.3

• two_factor_authentication - Authentication method by FortiToken Cloud. type: str choices: fortitoken, email, sms more...

  	Supported Version Ranges
  two_factor_authentication	v6.2.0 -> v6.2.0	v6.2.5 -> 7.4.3
  [fortitoken]	v6.2.0 -> v6.2.0
  [email]	v6.2.0 -> v6.2.0
  [sms]	v6.2.0 -> v6.2.0

• two_factor_filter - Filter used to synchronize users to FortiToken Cloud. type: str more...

  	Supported Version Ranges
  two_factor_filter	v7.2.1 -> 7.4.3

• two_factor_notification - Notification method for user activation by FortiToken Cloud. type: str choices: email, sms more...

  	Supported Version Ranges
  two_factor_notification	v6.2.0 -> v6.2.0	v6.2.5 -> 7.4.3
  [email]	v6.2.0 -> v6.2.0
  [sms]	v6.2.0 -> v6.2.0

• type - Authentication type for LDAP searches. type: str choices: simple, anonymous, regular more...

  	Supported Version Ranges
  type	v6.0.0 -> 7.4.3
  [simple]	v6.0.0 -> 7.4.3
  [anonymous]	v6.0.0 -> 7.4.3
  [regular]	v6.0.0 -> 7.4.3

• user_info_exchange_server - MS Exchange server from which to fetch user information. Source user.exchange.name. type: str more...

  	Supported Version Ranges
  user_info_exchange_server	v6.2.0 -> 7.4.3

• username - Username (full DN) for initial binding. type: str more...

  	Supported Version Ranges
  username	v6.0.0 -> 7.4.3

Notes

Note

• Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks

Examples

- name: Configure LDAP server entries.
  fortinet.fortios.fortios_user_ldap:
      vdom: "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"
      user_ldap:
          account_key_cert_field: "othername"
          account_key_filter: "<your_own_value>"
          account_key_processing: "same"
          account_key_upn_san: "othername"
          antiphish: "enable"
          ca_cert: "<your_own_value> (source vpn.certificate.ca.name)"
          client_cert: "<your_own_value> (source vpn.certificate.local.name)"
          client_cert_auth: "enable"
          cnid: "<your_own_value>"
          dn: "<your_own_value>"
          group_filter: "<your_own_value>"
          group_member_check: "user-attr"
          group_object_filter: "<your_own_value>"
          group_search_base: "<your_own_value>"
          interface: "<your_own_value> (source system.interface.name)"
          interface_select_method: "auto"
          member_attr: "<your_own_value>"
          name: "default_name_20"
          obtain_user_info: "enable"
          password: "<your_own_value>"
          password_attr: "<your_own_value>"
          password_expiry_warning: "enable"
          password_renewal: "enable"
          port: "389"
          search_type: "recursive"
          secondary_server: "<your_own_value>"
          secure: "disable"
          server: "192.168.100.40"
          server_identity_check: "enable"
          source_ip: "84.230.14.43"
          source_port: "0"
          ssl_min_proto_version: "default"
          tertiary_server: "<your_own_value>"
          two_factor: "disable"
          two_factor_authentication: "fortitoken"
          two_factor_filter: "<your_own_value>"
          two_factor_notification: "email"
          type: "simple"
          user_info_exchange_server: "<your_own_value> (source user.exchange.name)"
          username: "<your_own_value>"

Return Values

Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:

• build - Build number of the fortigate image returned: always type: str sample: 1547
• http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
• http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
• mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
• name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
• path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
• revision - Internal revision number returned: always type: str sample: 17.0.2.10658
• serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
• status - Indication of the operation's result returned: always type: str sample: success
• vdom - Virtual domain used returned: always type: str sample: root
• version - Version of the FortiGate returned: always type: str sample: v5.6.3

Status

• This module is not guaranteed to have a backwards compatible interface.

Authors

• Link Zheng (@chillancezen)

• Jie Xue (@JieX19)

• Hongbin Lu (@fgtdev-hblu)

• Frank Shen (@frankshen01)

• Miguel Angel Munoz (@mamunozgonzalez)

• Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation, you can create a pull request to improve it.