To configure the admin account – CLI:
config system admin
    edit "test"
        set remote-auth enable
        set accprofile "super_admin"
        set wildcard enable
        set remote-group "ldap_grp"
    next
end
For troubleshooting, test that the admin account is operational, and see Troubleshooting LDAP on page 465.
Example of LDAP to allow Dial-in through member-attribute – CLI
In this example, users defined in Microsoft Windows Active Directory (AD) are allowed to set up a VPN connection based solely on an attribute that is set to TRUE, rather than on membership in a specific group.
In AD, the “Allow Dial-In” property is activated in the user properties; this sets the msNPAllowDialin attribute to “TRUE”.
This same procedure can be used for other member attributes, as your system requires.
Configuring LDAP member-attribute settings
To accomplish this with a FortiGate unit, the member attribute must be set. Setting member attributes can only be done through the CLI using the member-attr keyword; the option is not available through the web-based manager.
Before configuring the FortiGate unit, the AD server must be configured and have the msNPAllowDialin attribute set to “TRUE” for the users in question. If not, those users will not be able to authenticate properly. The dn used here is an example only; on your network, use your own domain name.
To configure user LDAP member-attribute settings – CLI:
config user ldap
    edit "ldap_server"
        set server "192.168.201.3"
        set cnid "sAMAccountName"
        set dn "DC=fortinet,DC=com,DC=au"
        set type regular
        set username "fortigate@example.com"
        set password ******
        set member-attr "msNPAllowDialin"
    next
end
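As an added pre-flight check (not part of the FortiGate documentation), the following Python script parses LDIF as printed by ldapsearch against the directory above and reports which accounts actually carry msNPAllowDialin set to TRUE, so the AD precondition can be verified before the member-attr setting is relied on. The LDIF text and account names are constructed sample data, and the case-insensitive match is this script's own assumption.

```python
import base64

# Constructed sample data in the shape `ldapsearch` prints (LDIF).
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=fortinet,DC=com,DC=au
sAMAccountName: alice
msNPAllowDialin: TRUE

dn: CN=Bob Example,CN=Users,DC=fortinet,DC=com,DC=au
sAMAccountName: bob
msNPAllowDialin: FALSE

dn: CN=Carol Example,CN=Users,DC=fortinet,DC=com,DC=au
sAMAccountName: carol
"""

def parse_ldif(text):
    """Return entries as dicts (attr -> list of values); unfolds continuation
    lines (leading space) and decodes the base64 `attr:: value` form."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of previous line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):         # `attr:: <base64>`
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries

def dialin_allowed(entry, member_attr="msNPAllowDialin", expected="TRUE"):
    """Allowed only if the member attribute is present with the expected value;
    the case-insensitive match is this script's assumption, not FortiGate's."""
    return any(v.upper() == expected.upper() for v in entry.get(member_attr, []))

def check_accounts(ldif_text):
    """Map sAMAccountName -> allowed; an attribute never set in AD means denied."""
    return {e.get("sAMAccountName", ["?"])[0]: dialin_allowed(e)
            for e in parse_ldif(ldif_text)}
```

Accounts reported as denied here (the attribute absent or FALSE) are the ones that will fail authentication once the member-attr setting is in place.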