Configuring LDAP dial-in using a member attribute

In this configuration, users defined in Microsoft AD can set up a VPN connection based on a user attribute that is set to TRUE, instead of their group membership. Activating the Allow Dial-in property in the AD user properties (the Dial-in tab) sets the msNPAllowDialin attribute to TRUE. The FortiGate reads the configured member attribute from the user's LDAP entry and compares its value against the group-name in the user group match, so the group-name must be the literal value TRUE. Because VPN access is then granted by a single attribute value, anyone who can write msNPAllowDialin on user objects can grant VPN access; restrict that right accordingly. You can use this procedure for other member attributes as your system requires.

This configuration consists of the following steps:

  1. Ensure that the AD server has the msNPAllowDialin attribute set to TRUE for the desired users.
  2. Configure user LDAP member attribute settings.
  3. Configure LDAP group settings.
  4. Ensure that you configured the settings correctly.

To configure user LDAP member attribute settings:

config user ldap
    edit "ldap_server"
        set server ""
        set cnid "sAMAccountName"
        set dn "DC=fortilabanz,DC=com,DC=au"
        set type regular
        set username ""
        set password ******
        set member-attr "msNPAllowDialin"
    next
end

To configure LDAP group settings:

config user group
    edit "ldap_grp"
        set member "ldap_server"
        config match
            edit 1
                set server-name "ldap_server"
                set group-name "TRUE"
            next
        end
    next
end

To ensure that you configured the settings correctly:

Users whose msNPAllowDialin attribute is TRUE are matched into the ldap_grp user group and should be able to authenticate. The following shows sample diagnose debug output from fnbamd when the Allow Dial-in attribute is set to TRUE:

get_member_of_groups-Get the memberOf groups.
get_member_of_groups- attr='msNPAllowDialin', found 1 values

fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth_poll_ldap-Result for ldap svr is SUCCESS
fnbamd_auth_poll_ldap-Passed group matching

If the attribute is expected to be TRUE but is not set (or is set to FALSE), you may see the following output instead, and group matching fails:

get_member_of_groups-Get the memberOf groups.
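The debug output shown in this section is produced by the fnbamd daemon. As an added example that is not part of the original page, the following FortiGate CLI session enables fnbamd debugging, confirms the two objects configured above, and tests a bind for one user; the user name jsmith and its password are assumed placeholders:

```fortios
show user ldap ldap_server
show user group ldap_grp
diagnose debug reset
diagnose debug application fnbamd -1
diagnose debug enable
diagnose test authserver ldap ldap_server jsmith <password>
diagnose debug disable
```

The show commands confirm that member-attr is msNPAllowDialin on the server object and that the match entry uses group-name TRUE; a typo in either value (for example "true" or a stray space) is the usual reason the attribute is found but group matching still fails. The diagnose test authserver command binds as the user and retrieves the member attribute; to observe the final "Passed group matching" line for a policy or VPN that references ldap_grp, attempt the VPN login while the debug is enabled, and run diagnose debug disable afterwards so the daemon does not keep logging credentials-adjacent detail.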