LDAP is widely used for authentication. The following is a typical LDAP configuration on FortiProxy.

    config user ldap
        edit "My-AD"
        next
    end

    config authentication scheme
        edit "LDAP-Auth"
            set method basic
            set user-database "My-AD"
        next
    end

    config authentication rule
        edit "Incoming"
            set srcintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set active-auth-method "LDAP-Auth"
        next
    end

    config user group
        edit "My_LDAP"
            set member "My-AD"    # Note: NO group matching applied here
        next
    end

    config firewall policy
        edit 2
            set type explicit-web
            set dstintf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "webproxy"
            set explicit-web-proxy "web-proxy"
            set utm-status enable
            set webfilter-profile "Custom_Web_Filter"
            set groups "My_LDAP"
        next
    end

As long as the user is authenticated, the user can access the resource per policy, with some limitations applied under the web filtering profile.

Now suppose a specific user in the LDAP server must be allowed to access one URL, say drive.google.com, while the remaining users are kept as is. The solution is to use the logic 'AND' for the user group: a user matches the group only if they match every member, so they must authenticate against "My-AD" and also be the local LDAP user "MrHi".

    config user local
        edit "MrHi"
            set type ldap
            set ldap-server "My-AD"
        next
    end

    config user group
        edit "MY_LDAP_Hi"
            set logic-type and
            set member "My-AD" "MrHi"
        next
    end

    config firewall policy
        edit 1
            set type explicit-web
            set dstintf "port2"
            set srcaddr "all"
            set dstaddr "google-drive"
            set action accept
            set schedule "always"
            set service "webproxy"
            set explicit-web-proxy "web-proxy"
            set utm-status enable
            set groups "MY_LDAP_Hi"
        next
        move 1 before 2
    end

Policies are evaluated top-down, so the narrower policy 1 is moved above policy 2; otherwise policy 2 would match first and the exception would never apply. Once the above configuration is applied, the specific user can access Google Drive while others are still blocked from accessing drive.google.com.
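The two things that make this setup work are the AND group and the policy order. The following script, an added example that is not part of the article or of FortiProxy, parses a constructed `show`-style CLI excerpt mirroring the groups and policies above and checks both conditions, so the result can be verified from a config backup rather than by trial logins.

```python
import re

# Constructed sample of FortiProxy CLI output (not from a live device); it mirrors the two user groups and two explicit-web policies above.
SAMPLE_CONFIG = """\
config user group
    edit "My_LDAP"
        set member "My-AD"
    next
    edit "MY_LDAP_Hi"
        set logic-type and
        set member "My-AD" "MrHi"
    next
end
config firewall policy
    edit 1
        set dstaddr "google-drive"
        set groups "MY_LDAP_Hi"
    next
    edit 2
        set dstaddr "all"
        set groups "My_LDAP"
    next
end
"""

def parse_fortios(text):
    """Parse the config/edit/set/next/end subset into {table: {entry: {key: [values]}}}; entry order is kept (= policy evaluation order)."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = line[7:]
            tables[table] = {}
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            tables[table][entry] = {}
        elif line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            tables[table][entry][key] = [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', rest)]
    return tables

def group_requires_all_members(tables, group):
    """True if the group uses logic-type 'and' with more than one member (user must match every member)."""
    g = tables["user group"].get(group, {})
    return g.get("logic-type") == ["and"] and len(g.get("member", [])) > 1

def exception_precedes_general(tables, specific, general):
    """True if the narrow policy sits above the catch-all, so it is matched first."""
    order = list(tables["firewall policy"])
    return specific in order and general in order and order.index(specific) < order.index(general)
```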