Fortinet white logo
Fortinet white logo

Cookbook

Configuring LDAP dial-in using a member attribute

Configuring LDAP dial-in using a member attribute

In this configuration, users defined in Microsoft AD can set up a VPN connection based on an attribute that is set to TRUE, instead of their user group. You can activate the Allow Dialin property in AD user properties, which sets the msNPAllowDialin attribute to TRUE. You can use this procedure for other member attributes as your system requires.

This configuration consists of the following steps:

  1. Ensure that the AD server has the msNPAllowDialin attribute set to TRUE for the desired users.
  2. Configure user LDAP member attribute settings.
  3. Configure LDAP group settings.
  4. Ensure that you configured the settings correctly.
To configure user LDAP member attribute settings:

config user ldap

edit "ldap_server"

set server "192.168.201.3"

set cnid "sAMAccountName"

set dn "DC=fortilabanz,DC=com,DC=au"

set type regular

set username "fortigate@sample.com"

set password ******

set member-attr "msNPAllowDialin"

next

end

To configure LDAP group settings:

config user group

edit "ldap_grp"

set member "ldap_server"

config match

edit 1

set server-name "ldap_server"

set group-name "TRUE"

next

end

next

end

To ensure that you configured the settings correctly:

Users that are members of the ldap_grp user group should be able to authenticate. The following shows sample diagnose debug output when the Allow Dial-in attribute is set to TRUE:

get_member_of_groups-Get the memberOf groups.

get_member_of_groups- attr='msNPAllowDialin', found 1 values

get_member_of_groups-val[0]='TRUE'

fnbamd_ldap_get_result-Auth accepted

fnbamd_ldap_get_result-Going to DONE state res=0

fnbamd_auth_poll_ldap-Result for ldap svr 192.168.201.3 is SUCCESS

fnbamd_auth_poll_ldap-Passed group matching

If the attribute is not set to TRUE but is expected, you may see the following output:

get_member_of_groups-Get the memberOf groups.

get_member_of_groups- attr='msNPAllowDialin', found 1 values

get_member_of_groups-val[0]='FALSE'

fnbamd_ldap_get_result-Auth accepted

fnbamd_ldap_get_result-Going to DONE state res=0

fnbamd_auth_poll_ldap-Result for ldap svr 192.168.201.3 is SUCCESS

fnbamd_auth_poll_ldap-Failed group matching

The difference between the two outputs is the last line, which shows passed or failed depending on whether the member attribute is set to the expected value.

Configuring LDAP dial-in using a member attribute

Configuring LDAP dial-in using a member attribute

In this configuration, users defined in Microsoft AD can set up a VPN connection based on an attribute that is set to TRUE, instead of their user group. You can activate the Allow Dialin property in AD user properties, which sets the msNPAllowDialin attribute to TRUE. You can use this procedure for other member attributes as your system requires.

This configuration consists of the following steps:

  1. Ensure that the AD server has the msNPAllowDialin attribute set to TRUE for the desired users.
  2. Configure user LDAP member attribute settings.
  3. Configure LDAP group settings.
  4. Ensure that you configured the settings correctly.
To configure user LDAP member attribute settings:

config user ldap

edit "ldap_server"

set server "192.168.201.3"

set cnid "sAMAccountName"

set dn "DC=fortilabanz,DC=com,DC=au"

set type regular

set username "fortigate@sample.com"

set password ******

set member-attr "msNPAllowDialin"

next

end

To configure LDAP group settings:

config user group

edit "ldap_grp"

set member "ldap_server"

config match

edit 1

set server-name "ldap_server"

set group-name "TRUE"

next

end

next

end

To ensure that you configured the settings correctly:

Users that are members of the ldap_grp user group should be able to authenticate. The following shows sample diagnose debug output when the Allow Dial-in attribute is set to TRUE:

get_member_of_groups-Get the memberOf groups.

get_member_of_groups- attr='msNPAllowDialin', found 1 values

get_member_of_groups-val[0]='TRUE'

fnbamd_ldap_get_result-Auth accepted

fnbamd_ldap_get_result-Going to DONE state res=0

fnbamd_auth_poll_ldap-Result for ldap svr 192.168.201.3 is SUCCESS

fnbamd_auth_poll_ldap-Passed group matching

If the attribute is not set to TRUE but is expected, you may see the following output:

get_member_of_groups-Get the memberOf groups.

get_member_of_groups- attr='msNPAllowDialin', found 1 values

get_member_of_groups-val[0]='FALSE'

fnbamd_ldap_get_result-Auth accepted

fnbamd_ldap_get_result-Going to DONE state res=0

fnbamd_auth_poll_ldap-Result for ldap svr 192.168.201.3 is SUCCESS

fnbamd_auth_poll_ldap-Failed group matching

The difference between the two outputs is the last line, which shows passed or failed depending on whether the member attribute is set to the expected value.