Technical Tip: How to restrict access to specific groups for LDAP users in SSL VPN authentication
Description
This article describes how to configure a filter for specific LDAP group memberships so that only members of those groups can connect.
Scope
FortiGate.
Solution
There are two options to restrict the group: either by adding a group filter in the LDAP server configuration, or by adding the group attribute in the user group configuration.
Option 1: To filter specific groups in the LDAP server configuration, use the following settings:
Configuration CLI, FortiOS v7.0+:
config user ldap
edit "test_ldap"
set server "10.0.0.1"
set cnid "cn"
set dn "dc=test,dc=com"
[...]
set group-search-base "ou=Group,dc=test,dc=com" <Specific location using OUs to limit the search>
set group-filter "(&(objectClass=posixGroup)(memberUid=%s))" <Filter used for group matching>
[...]
set member-attr "memberUid" <Attribute in the group object that lists member information>
next
end
The LDAP server object can then be added to a user group with no further filters, and used in policies or other authentication-related configuration like VPNs, WiFi, or captive portal.
Option 2: FortiGate group configuration:
config user group
edit "SSL_VPN"
set member "test_ldap" <Name of the LDAP server object configured on the FortiGate>
config match
edit 1
set server-name "test_ldap"
set group-name "CN=testnps,OU=testldap,DC=test,DC=com" <Group Distinguished Name the user must be a member of>
next
end
next
end
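The two options above restrict access at different points: Option 1 narrows which group objects the LDAP server returns for a login name (search base plus group-filter with %s replaced by the username), while Option 2 accepts the user only if they are a member of one exact group DN. The following Python script is an added, offline simulation of both checks against a small constructed directory; it is not FortiGate code and does not describe how FortiOS performs the lookup internally. The directory entries, the RFC 4515 escaping of the substituted username, and the minimal filter evaluator (equality terms joined by AND only, which covers the filter shown in the article) are all assumptions made for the example.

```python
"""Offline simulation of FortiGate-style LDAP group restriction.

Constructed sample data and a deliberately small LDAP filter evaluator;
this is an illustration, not a model of FortiOS internals.
"""
import re

# Constructed directory: two posixGroups under ou=Group and one outside it.
DIRECTORY = [
    {"dn": "cn=vpn-users,ou=Group,dc=test,dc=com",
     "attrs": {"objectClass": ["posixGroup"], "memberUid": ["alice", "bob"]}},
    {"dn": "cn=admins,ou=Group,dc=test,dc=com",
     "attrs": {"objectClass": ["posixGroup"], "memberUid": ["carol"]}},
    {"dn": "cn=stale,ou=Old,dc=test,dc=com",       # outside the search base
     "attrs": {"objectClass": ["posixGroup"], "memberUid": ["dave"]}},
]

# RFC 4515 escaping for a value placed into a search filter (assumed practice
# for the %s substitution; the article does not describe FortiGate's escaping).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_HEX = re.compile(r"\\([0-9A-Fa-f]{2})")
_TERM = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    return _HEX.sub(lambda m: chr(int(m.group(1), 16)), value)


def render_group_filter(template: str, username: str) -> str:
    """Replace %s in the group-filter with the escaped login name."""
    return template.replace("%s", escape_filter_value(username))


def normalize_dn(dn: str) -> str:
    """Lower-case each RDN and drop whitespace around commas for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_search_base(dn: str, base: str) -> bool:
    """True if dn is the base itself or lies anywhere beneath it."""
    n, b = normalize_dn(dn), normalize_dn(base)
    return n == b or n.endswith("," + b)


def filter_matches(attrs: dict, ldap_filter: str) -> bool:
    """Evaluate a filter of the form (&(attr=value)(attr=value)...)."""
    body = ldap_filter.strip()
    if not (body.startswith("(&") and body.endswith(")")):
        raise ValueError("only (&(...)(...)) filters are supported here")
    terms = _TERM.findall(body[2:-1])
    if not terms:
        raise ValueError("no equality terms found in filter")
    for attr, value in terms:
        wanted = unescape_filter_value(value).lower()
        have = [v.lower() for k, vs in attrs.items()
                if k.lower() == attr.lower() for v in vs]
        if wanted not in have:
            return False
    return True


def option1_groups(username: str, search_base: str, group_filter: str) -> list:
    """Option 1: groups under group-search-base that match the rendered filter."""
    rendered = render_group_filter(group_filter, username)
    return [e["dn"] for e in DIRECTORY
            if in_search_base(e["dn"], search_base)
            and filter_matches(e["attrs"], rendered)]


def option2_is_member(username: str, group_dn: str, member_attr: str) -> bool:
    """Option 2: is the user listed in member-attr of exactly this group DN?"""
    for e in DIRECTORY:
        if normalize_dn(e["dn"]) == normalize_dn(group_dn):
            members = [v.lower() for k, vs in e["attrs"].items()
                       if k.lower() == member_attr.lower() for v in vs]
            return username.lower() in members
    return False


if __name__ == "__main__":
    base = "ou=Group,dc=test,dc=com"
    flt = "(&(objectClass=posixGroup)(memberUid=%s))"
    for user in ("alice", "dave", "a*"):
        print(f"Option 1 {user!r}: {option1_groups(user, base, flt)}")
    grp = "CN=vpn-users,OU=Group,DC=test,DC=com"
    for user in ("alice", "carol"):
        print(f"Option 2 {user!r}: {option2_is_member(user, grp, 'memberUid')}")
```

Running the script shows dave being rejected under Option 1 purely because his group sits outside the configured group-search-base, and carol being rejected under Option 2 because the match entry names one exact group DN; the DN comparison is case-insensitive, which is why the upper-case DN from the article's config still matches the lower-case entry.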
Related documents: