SSL VPN with LDAP and AD security groups

I am using LDAP authentication with SSL-VPN on 4.0MR2. The way I have it, it' s a couple of steps: 1. In User->Remote->LDAP I query the OU, e.g., CN=Builtin,dc=example,dc=local 2. In User-User Group-User Group when you make the Firewall group to allow SSL-VPN access, you click Add for Remote authentication, select the LDAP server you created in step 1. Then there is a Group Name column which allows you to use a query to restrict access based on group membership. You use a Common Name Identifier to do so: e.g., cn=VPN Access Users,OU=Builtin,DC=example,DC=local. Hope this helps. I barely understand LDAP but I know this works. I have two LDAP server entries configured to check a common VPN user group against two different OUs. * The above example results in users logging in with their full name.

I' ll have another look at that as soon as I can. Do you have your security group in the same OU as the user objects? My AD OU structure looks like this: COMPANY-SecurityGroups -- Departments ---- Dept1 ---- Dept 2 -- Firewall -- Workflows ---- Workflow1 ---- etc COMPANY-Users -- Head Office ---- Level 1 ------ Dept1 ------ Dept1 ---- Level 2 ---- etc So the user objects live somewhere under COMPANY-Users and the security groups they belong to live under COMPANY-SecurityGroups. EDIT: when I browse the LDAP structure from within the firewall, I can browse down to the Firewall OU under COMPANY-SecurityGroups, but it says " 0 objects" .

Your setup is a lot more complicated than mine! However, I *think* it can still work, because the Remote LDAP you create calls the OU, and then you do an independent call against that same server to find a group associated with a member of that OU. This exhausts my knowledge of LDAP and AD scripting though, so I can' t contribute anymore help!

only hinting: - to query for user groups you need a dedicated LDAP account to which the FG authenticates first; then using these credentials it is able to search the tree - please do a search on " LDAP" on all forums here, there have been several discussions lately on this subject.

I' m making some progress. I think my problem is likely two-fold. Things I need to test: (1) the special user account I set up for LDAP searching from the Fortigate was a Schema Admin but not a Domain Admin, so I can change that; and (2) this KB article (http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD32359) describes using a special filter (&(objectcategory=group)(member=*)) I' ve been stuck fixing SSL VPN issues the past 48 hours, and the next couple of days I' m working on our DR plan ... as soon as I have that sorted I will get back to this and see if I can sort it out. Thanks for the help so far, much appreciated!

Hola! I had a problem when try to upgrade from 4.1.x to 4.2.2 with the LDAP servers. We had to upgrade because in 4.1.x we have only up to 10 LDAP server so up to 10 diferent groups and the customer want to configure more than 20 groups. In 4.2.2 we have create only a LDAP server and up to 100 user groups. Here you have to be spetial careful with the LDAP server user access priv. of the user because this user have to " see" the " memberof" attribute of each user that will use the auth access. I hope this help you. BR, Juan

I tried to post something detailed about how we got this working, but it timed out and the post was lost. Too much typing to do it again! If someone wants to email or PM me, I would be happy to send them some screen caps from our firewall config which show how we set it up. In summary though, the key was to: (a) set up AD user account with AD Schema query rights; (b) set up working LDAP connector at top level of our AD tree (see User, Remote, LDAP) which looks for " sAMAccountName" as Common Name Identifier; (c) set up User Group of type Firewall, which allows SSL-VPN Access (tickbox) and which connects to the LDAP server (see Remote Server section at bottom of page) and which uses Specify with the name of the security group which holds the list of user accounts you want to give access to (the name is the AD name of the security group: e.g. CN=groupname,OU=myOU,OU=etc)

There is a document entitled " SSL VPN authentication by Security Group using LDAP on Fortigate Firewall Appliances with 4.0 MR2" which is dated Dec 25 2010 ... our firewall consultant kindly gave me a printed copy ... this document can be viewed here: http://network-security-software.biz/software/ssl-vpn-authentication-by-security-group-using-ldap-on-fortigate-firewall-appliances-with-4-0-mr2.html That' s a step-by-step on setting it up.