You can use the following commands to configure a FortiGate LDAP server object so that wildcard LDAP users authenticate with FortiToken Cloud (FTC) for MFA. The server address, base DN, and bind credentials below are examples; <name> is a placeholder for the LDAP server object name. cnid is the attribute the login name is matched against (uid here), dn is the search base, and type regular means the FortiGate binds with the given username and password to search for the user. The password is shown in the encrypted form that FortiOS prints in show output; when you configure it, enter it in plain text.
config user ldap
    edit <name>
        set server "xx.xxx.xx.xx"
        set cnid "uid"
        set dn "dc=srv,dc=world"
        set type regular
        set two-factor fortitoken-cloud
        set username "cn=Manager,dc=srv,dc=world"
        set password ENC LWdyb+/k6e4TtSk070tODaCZAcbgEGKohA==
    next
end
Wildcard LDAP users are users who are matched through a remote LDAP server user group without a per-user object on the FortiGate, so the FortiGate holds no user configuration for them of its own. For FortiToken Cloud to enroll and contact such users, each end user must have the following attributes set on the LDAP server:
mail: user_email_address (e.g., mail: email@example.com)
mobile: user_phone_number (e.g., mobile: +14080123456)
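The attribute requirement above can be verified before MFA is enabled by exporting the base DN to LDIF (for example with ldapsearch) and checking every user entry. The script below is an added example, not code from the original page or from FortiOS: it parses an LDIF export, reports every entry under the cnid attribute (uid, as in the configuration above) that lacks mail or mobile, and flags mobile numbers that are not in E.164 form, which is the "+14080123456" shape the page shows. The embedded SAMPLE_LDIF is a constructed stand-in for a real export.

```python
"""Pre-flight check for FortiToken Cloud wildcard LDAP users (added example).

Parses an LDIF export of the FortiGate's LDAP base DN and reports every
user entry that lacks the 'mail' or 'mobile' attribute, or whose mobile
number is not E.164 ('+' followed by digits, no separators).
"""
import base64
import re
import sys

# E.164: '+', a non-zero first digit, then up to 14 more digits.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")
REQUIRED = ("mail", "mobile")

# Constructed sample export: alice is complete, bob has a badly formatted
# mobile number, carol has no mail attribute, and the OU entry is not a user.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=srv,dc=world
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
mail: alice@example.com
mobile: +14080123456

dn: uid=bob,ou=people,dc=srv,dc=world
objectClass: inetOrgPerson
uid: bob
cn: Bob Example
mail: bob@example.com
mobile: 408-012-3457

dn: uid=carol,ou=people,dc=srv,dc=world
objectClass: inetOrgPerson
uid: carol
cn:: Q2Fyb2wgRXhhbXBsZQ==
mobile: +14080123458

dn: ou=people,dc=srv,dc=world
objectClass: organizationalUnit
ou: people
"""


def parse_ldif(text):
    """Minimal LDIF parser returning a list of {attribute: [values]} dicts.

    Handles folded continuation lines (leading space), base64 values ('::'),
    comments and the 'version:' header, and blank-line entry separators.
    It is deliberately small, not a full RFC 2849 implementation.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):            # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def check_entries(entries, cnid="uid"):
    """Return {cnid value: [problems]} for entries FTC could not enroll cleanly."""
    problems = {}
    for entry in entries:
        if cnid not in entry:                # not a user object the FortiGate matches on
            continue
        uid = entry[cnid][0]
        issues = []
        for attr in REQUIRED:
            if attr not in entry or not any(v for v in entry[attr]):
                issues.append(f"missing {attr}")
        for number in entry.get("mobile", []):
            if number and not E164.match(number):
                issues.append(f"mobile {number!r} is not E.164")
        if issues:
            problems[uid] = issues
    return problems


if __name__ == "__main__":
    # Usage: python check_ftc_ldap.py export.ldif   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for uid, issues in sorted(check_entries(parse_ldif(text)).items()):
        print(f"{uid}: {'; '.join(issues)}")
```

Run it against the sample and it reports bob (mobile not in E.164 form) and carol (no mail attribute); alice passes and the organizationalUnit entry is ignored because it carries no uid. Fix the flagged entries on the LDAP server before enabling two-factor fortitoken-cloud, since FTC is populated from these attributes at enrollment time.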
When a wildcard user is added, deleted, or modified, FortiOS calls the corresponding FortiGate-FTC user API (add-user, delete-user, or modify-user) and includes the following information in each call:
- VDOM name
- FortiGate serial number (SN)
- HA cluster membership information (if the FortiGate is part of an HA cluster)
For APIs that take a user ID, such as delete-user, FortiOS first retrieves the user ID from FTC with the GET API, because the ID is assigned by FTC and a wildcard user has no local record on the FortiGate that could hold it.