LDAP Dial-in using member-attribute example
In this example, users defined in MicroSoft Windows Active Directory (AD) are allowed to set up a VPN connection simply based on an attribute that is set to TRUE, instead of based on their user group. In AD the “Allow Dialin” property is activated in the user properties, and this sets the msNPAllowDialin attribute to “TRUE”.
LDAP Dial-in using member-attribute
This same procedure can be used for other member attributes, as your system requires.
To accomplish this with a FortiGate unit, member-attribute must be set. This can only be accomplished through the CLI – the option is not available through the web-based manager.
Before configuring the FortiGate unit, ensure the AD server has the msNPAllowDialin attribute set to “TRUE” for the users in question. If not, those users will not be able to authenticate.
To configure user LDAP member-attribute settings – CLI:
config user ldap edit “ldap_server” set server “192.168.201.3” set cnid “sAMAccountName” set dn “DC=fortilabanz,DC=com,DC=au” set type regular
set username “fortigate@sample.com” set password ****** set member-attr “msNPAllowDialin”
next
end
To configure LDAP group settings – CLI:
config user group edit “ldap_grp” set member “ldap” config match
edit 1 set server-name “ldap” set group-name “TRUE”
next
end
next
end
Once these settings are in place, users that are a member of the ldap user group will be able to authenticate.
To ensure your settings are correct, here is the sample output from a diag debug command that shows the authentication process.
When the “Allow Dial-in” attribute is set to “TRUE” the following will likely be in the output:
get_member_of_groups-Get the memberOf groups. get_member_of_groups- attr=’msNPAllowDialin’, found 1 values
get_member_of_groups-val[0]=’TRUE’ fnbamd_ldap_get_result-Auth accepted fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth_poll_ldap-Result for ldap svr 192.168.201.3 is SUCCESS fnbamd_auth_poll_ldap-Passed group matching
If the attribute is not set but it is expected, the following will likely be in the output:
get_member_of_groups-Get the memberOf groups. get_member_of_groups- attr=’msNPAllowDialin’, found 1 values
get_member_of_groups-val[0]=’FALSE’ fnbamd_ldap_get_result-Auth accepted fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth_poll_ldap-Result for ldap svr 192.168.201.3 is SUCCESS fnbamd_auth_poll_ldap-Failed group matching
The only difference between these two outputs is the last line which is either passed or failed based on if the member-attribute is set to the expected value or not.