lmateus
Staff
March 10, 2010

Technical Tip: FortiGate 'ldap-memberof' query fails when the AD user is only member of one group



Description: This article describes why the LDAP group-membership query fails when the 'ldap-memberof' parameter is used.
Scope: FortiGate.
Solution:

When configuring LDAP authentication on FortiGate, the 'ldap-memberof' attribute can be used to check the user group membership to grant access accordingly.


For example:

config user group
    edit "first"
        set group-type sslvpn
        set ldap-memberof "CN=first,OU=Groups,DC=testlab,DC=com"
        set member "my-ldap-server"
        set sslvpn-portal "testportal"
    next
end


This will work, except for users who are only members of one group in Active Directory.

The "memberOf" attribute of an LDAP user is populated with every group the user belongs to except the user's Primary Group. Therefore, when the user's only group membership is its Primary Group, the FortiGate LDAP authentication fails because the member-of query returns an empty result.


Workaround:
Add the LDAP user to an additional group and set that additional group as the user's Primary Group in Active Directory. The original group is then no longer the Primary Group, so it is returned in the "memberOf" attribute and the 'ldap-memberof' check succeeds.
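As an added illustration (not code from the article or from Fortinet), the following Python models the memberOf behaviour explained above and the workaround: the directory contents, the RIDs other than 513 and the group "vpn-placeholder" are constructed assumptions, and the check is a simplified stand-in for the FortiGate 'ldap-memberof' comparison.

```python
# Added illustration, not code from the Fortinet article: models how Active
# Directory fills 'memberOf' (every group except the primary group) and why an
# 'ldap-memberof' style check then fails. All directory objects are constructed.

LDAP_MEMBEROF_DN = "CN=first,OU=Groups,DC=testlab,DC=com"  # DN from the article's config

# Constructed directory: group DN -> RID. Domain Users is RID 513 in every domain;
# the other RIDs and the 'vpn-placeholder' group are made up for this example.
GROUPS = {
    "CN=Domain Users,CN=Users,DC=testlab,DC=com": 513,
    "CN=first,OU=Groups,DC=testlab,DC=com": 1105,
    "CN=vpn-placeholder,OU=Groups,DC=testlab,DC=com": 1106,
}


def memberof_query_result(user_groups, primary_rid):
    """What an LDAP search returns for 'memberOf': the primary group is omitted,
    because AD records it only as the user's primaryGroupID RID."""
    return [dn for dn in user_groups if GROUPS[dn] != primary_rid]


def primary_group_dn(primary_rid):
    """Resolve a primaryGroupID RID back to a group DN (None if unknown)."""
    return next((dn for dn, rid in GROUPS.items() if rid == primary_rid), None)


def fortigate_check(user_groups, primary_rid, required_dn=LDAP_MEMBEROF_DN):
    """Simplified 'ldap-memberof' test: the required DN must be present in the
    returned memberOf values (DN comparison is case-insensitive)."""
    returned = {dn.lower() for dn in memberof_query_result(user_groups, primary_rid)}
    return required_dn.lower() in returned


def diagnose(user_groups, primary_rid, required_dn=LDAP_MEMBEROF_DN):
    """Explain the outcome of fortigate_check for one user."""
    if fortigate_check(user_groups, primary_rid, required_dn):
        return "ok: required group returned in memberOf"
    if primary_group_dn(primary_rid) == required_dn:
        return ("fail: required group is the user's Primary Group, so memberOf omits it; "
                "add the user to a second group and make that group primary")
    return "fail: user is not a member of the required group"


if __name__ == "__main__":
    FIRST = LDAP_MEMBEROF_DN
    PLACEHOLDER = "CN=vpn-placeholder,OU=Groups,DC=testlab,DC=com"
    # User whose only group is 'first' (so 'first' is the primary group): empty memberOf.
    print(memberof_query_result([FIRST], 1105), diagnose([FIRST], 1105))
    # Workaround from the article: add a second group and make it the primary group.
    print(memberof_query_result([FIRST, PLACEHOLDER], 1106), diagnose([FIRST, PLACEHOLDER], 1106))
```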