Configuring LDAP dial-in using a member attribute
In this configuration, users defined in Microsoft AD can set up a VPN connection based on an attribute that is set to TRUE, instead of their user group. You can activate the Allow Dialin property in AD user properties, which sets the msNPAllowDialin attribute to TRUE. You can use this procedure for other member attributes as your system requires.
This configuration consists of the following steps:
- Ensure that the AD server has the msNPAllowDialin attribute set to TRUE for the desired users.
- Configure user LDAP member attribute settings.
- Configure LDAP group settings.
- Ensure that you configured the settings correctly.
To configure user LDAP member attribute settings:
config user ldap
    edit "ldap_srv"
        set server "10.1.1.111"
        set cnid "SAMAccountName"
        set dn "DC=fortilabanz,DC=com,DC=au"
        set type regular
        set username "fortiproxy@sample.com"
        set password ******
        set member-attr "msNPAllowDialin"
    next
end
To configure LDAP group settings:
config user group
    edit "ldap_grp"
        set member "ldap_srv"
        config match
            edit 1
                set server-name "ldap_srv"
                set group-name "TRUE"
            next
        end
    next
end

The member and server-name values must both refer to the LDAP server object defined in the previous step ("ldap_srv"); group-name holds the attribute value that must be present for the match to succeed.
To ensure that you configured the settings correctly:
Users that are members of the ldap_grp user group should be able to authenticate. The following shows sample diagnose debug output when the Allow Dial-in attribute is set to TRUE:
get_member_of_groups-Get the memberOf groups.
get_member_of_groups- attr='msNPAllowDialin', found 1 values
get_member_of_groups-val[0]='TRUE'
fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth_poll_ldap-Result for ldap svr 192.168.201.3 is SUCCESS
fnbamd_auth_poll_ldap-Passed group matching
If the attribute is not set to TRUE but is expected, you may see the following output:
get_member_of_groups-Get the memberOf groups.
get_member_of_groups- attr='msNPAllowDialin', found 1 values
get_member_of_groups-val[0]='FALSE'
fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth_poll_ldap-Result for ldap svr 192.168.201.3 is SUCCESS
fnbamd_auth_poll_ldap-Failed group matching
The difference between the two outputs is the last line, which shows passed or failed depending on whether the member attribute is set to the expected value.
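The following is an added example, not code from the original page or from FortiProxy: it models the two-step decision the configuration above produces (find the user by cnid under the base dn, then compare each value of member-attr with group-name) against a constructed AD directory, and parses the diagnose debug output shown above to pull out the attribute values and the final verdict. Exact-value comparison and case-insensitive attribute names are assumptions about the appliance's matching rules.

```python
"""Model of LDAP member-attribute group matching (constructed example).

DIRECTORY is a constructed stand-in for the AD server; the matching rules
(exact value compare, attribute names case-insensitive) are assumptions.
"""

# Constructed AD entries: DN -> attributes (values are lists, as LDAP returns them).
DIRECTORY = {
    "CN=alice,CN=Users,DC=fortilabanz,DC=com,DC=au": {
        "sAMAccountName": ["alice"], "msNPAllowDialin": ["TRUE"]},
    "CN=bob,CN=Users,DC=fortilabanz,DC=com,DC=au": {
        "sAMAccountName": ["bob"], "msNPAllowDialin": ["FALSE"]},
    "CN=carol,CN=Users,DC=fortilabanz,DC=com,DC=au": {
        "sAMAccountName": ["carol"]},  # Allow Dialin never set: attribute absent
}


def _get_attr(entry, name):
    """LDAP attribute names are case-insensitive, so cnid "SAMAccountName"
    matches the AD attribute sAMAccountName."""
    for key, vals in entry.items():
        if key.lower() == name.lower():
            return list(vals)
    return []


def find_user(directory, base_dn, cnid, username):
    """Locate the user entry the way 'set cnid' and 'set dn' scope the search."""
    for dn, entry in directory.items():
        if dn.lower().endswith(base_dn.lower()) and username in _get_attr(entry, cnid):
            return entry
    return None


def group_matching(directory, base_dn, cnid, username, member_attr, group_name):
    """Mirror 'config match': group-name ("TRUE") is compared with each value of
    member-attr. A missing attribute fails the match just like a wrong value."""
    entry = find_user(directory, base_dn, cnid, username)
    if entry is None:
        return "user not found"
    values = _get_attr(entry, member_attr)
    return "Passed group matching" if group_name in values else "Failed group matching"


def parse_debug(output):
    """Extract attribute values and the final verdict from diagnose debug output."""
    values, verdict = [], None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("get_member_of_groups-val["):
            values.append(line.split("=", 1)[1].strip("'"))
        elif line.startswith("fnbamd_auth_poll_ldap-") and "group matching" in line:
            verdict = line.split("-", 1)[1]
    return values, verdict
```

Running group_matching for carol shows that an account on which Allow Dialin was never set fails the match the same way as one set to FALSE, so a failed verdict alone does not tell you which of the two cases applies.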