ekrishnan
Staff
July 8, 2025

Technical Tip: Modified CLI parameters for 'PKI' user setting and associated LDAP configuration from firmware v7.4.1

Description
This article explains the changes to the CLI parameters for PKI user settings, used for validation against an LDAP server, starting from FortiOS v7.4.1.

Scope
FortiGate.
Solution

Up to v7.4.0:

config user peer
    edit <peer-name>
        set ldap-mode [password|principal-name]
        set ldap-password <password>
        set ldap-server <ldap-server-name>
        set ldap-username <username>
    next
end

These parameters have been replaced by the ones shown below.

From v7.4.1 and above:

config user peer
    edit <peer-name>
        set mfa-mode [none|password|subject-identity]
        set mfa-password <password>
        set mfa-server <ldap-server-name>
        set mfa-username <username>
    next
end

A related setting for PKI users, under the LDAP server configuration, has also been renamed:

Up to v7.4.0:

config user ldap
    edit <ldap-server-name>
        set account-key-upn-san [othername|rfc822name|dnsname]
    next
end

From v7.4.1 and above:

config user ldap
    edit <ldap-server-name>
        set account-key-cert-field [othername|rfc822name|dnsname]
    next
end

Note:

Upgrading from v7.4.0, or from any version earlier than v7.4.0, to v7.4.1 or later removes these entries from the configuration. PKI users that depended on them will therefore fail to authenticate until the settings are re-entered under their new names (mfa-mode, mfa-server, mfa-username, mfa-password and account-key-cert-field) and a test login confirms the LDAP lookup works again.
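As an added illustration, not part of the original article, the following Python script rewrites a pre-7.4.1 configuration backup to the v7.4.1 parameter names, so the mfa-* and account-key-cert-field lines can be prepared before the upgrade and re-applied afterwards, and it reports which user peer and user ldap entries are affected. The sample configuration is constructed for this example. The pairing of ldap-mode principal-name with mfa-mode subject-identity is an assumption drawn from the two option lists above, not an equivalence the article states.

```python
import re

# Pre-7.4.1 -> 7.4.1+ parameter names under "config user peer" (from the article).
PEER_RENAMES = {
    "ldap-mode": "mfa-mode",
    "ldap-server": "mfa-server",
    "ldap-username": "mfa-username",
    "ldap-password": "mfa-password",
}
# Pre-7.4.1 -> 7.4.1+ parameter name under "config user ldap" (from the article).
LDAP_RENAMES = {"account-key-upn-san": "account-key-cert-field"}

# Value mapping for ldap-mode -> mfa-mode. ASSUMPTION: principal-name corresponds
# to subject-identity; the article lists the option sets, not the pairing.
LDAP_MODE_VALUES = {"password": "password", "principal-name": "subject-identity"}

SET_RE = re.compile(r"^(\s*)set\s+(\S+)\s*(.*)$")
EDIT_RE = re.compile(r'^\s*edit\s+"?([^"]*)"?\s*$')


def convert_config(text):
    """Rewrite a pre-7.4.1 FortiOS config dump to the 7.4.1+ parameter names.

    Returns (converted_text, changes); each change is a tuple
    (section, entry_name, old_line, new_line) for every renamed setting.
    Only lines inside "config user peer" and "config user ldap" are touched.
    """
    out, changes, sections, entry = [], [], [], None
    for line in text.splitlines():
        s = line.strip()
        # Track the config section stack and the current "edit" entry name.
        if s.startswith("config "):
            sections.append(s[len("config "):])
        elif s == "end" and sections:
            sections.pop()
        m_edit = EDIT_RE.match(line)
        if m_edit:
            entry = m_edit.group(1)
        elif s == "next":
            entry = None

        section = sections[-1] if sections else None
        m = SET_RE.match(line)
        if m and section in ("user peer", "user ldap"):
            indent, key, val = m.groups()
            val = val.strip()
            table = PEER_RENAMES if section == "user peer" else LDAP_RENAMES
            if key in table:
                new_val = LDAP_MODE_VALUES.get(val, val) if key == "ldap-mode" else val
                new_line = f"{indent}set {table[key]}" + (f" {new_val}" if new_val else "")
                changes.append((section, entry, s, new_line.strip()))
                line = new_line
        out.append(line)
    return "\n".join(out) + "\n", changes


def affected_entries(changes):
    """Names of the peer and LDAP entries whose settings the upgrade removes."""
    return sorted({(section, name) for section, name, _, _ in changes})


# Constructed sample of a v7.4.0 configuration backup (not a real device dump).
SAMPLE_OLD = """\
config user peer
    edit "pki-ldap-user"
        set ca "CA_Cert_1"
        set subject "CN=alice"
        set ldap-mode principal-name
        set ldap-server "ldap-corp"
        set ldap-username "svc-bind"
        set ldap-password "bind-secret"
    next
end
config user ldap
    edit "ldap-corp"
        set server "10.0.0.5"
        set account-key-upn-san othername
    next
end
"""

if __name__ == "__main__":
    new_text, changes = convert_config(SAMPLE_OLD)
    print(new_text)
    for section, name, old, new in changes:
        print(f"{section} / {name}: {old}  ->  {new}")
    print("affected entries:", affected_entries(changes))
```

Run it against a backup taken before the upgrade; the printed change list is exactly the set of lines to re-enter on the upgraded unit, and the affected-entries list is the set of PKI users and LDAP servers to test afterwards.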

After an upgrade or downgrade, run the command below to list the configuration lines that were dropped or rejected during the conversion; this is where the removed PKI user and LDAP parameters will show up:

diagnose debug config-error-log read

Related documents

FortiGate 7.4.0 | CLI Reference | config user peer 

FortiGate 7.4.1 | CLI Reference | config user peer