FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Description

When configuring LDAP authentication on FortiGate, the 'ldap-memberof' attribute can be used to check the user's group membership and grant access accordingly:

config user group
    edit "first"
        set group-type sslvpn
        set ldap-memberof "CN=first,OU=Groups,DC=testlab,DC=com"
        set member "my-ldap-server"
        set sslvpn-portal "testportal"
    next
end
This works, except for users who are members of only one group in Active Directory.
The "memberOf" attribute of an LDAP user is populated only with the groups the user belongs to, excluding the user's Primary Group. When the user is a member of only its Primary Group, the memberOf query therefore returns an empty result, and FortiGate LDAP authentication fails.
Workaround

As a workaround, add an additional group membership to the LDAP user and set that additional group as the user's Primary Group in Active Directory; the original group then appears in the user's memberOf attribute, so the FortiGate check succeeds.
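The following is an added example, not Fortinet's code: it models the memberOf-only check described above against constructed Active Directory records, and shows how an audit can find the users the workaround must be applied to by resolving primaryGroupID (which AD stores as the group's RID, exposed on the group as primaryGroupToken). The group and user records are constructed sample data.

```python
# Added example (not from the KB article): models how a memberOf-only group check
# misses a user's Primary Group, and how an audit can detect affected users by
# resolving primaryGroupID. All records below are constructed sample data.

# Constructed AD group objects: DN -> primaryGroupToken (the group's RID).
GROUPS = {
    "CN=first,OU=Groups,DC=testlab,DC=com": 1105,
    "CN=Domain Users,CN=Users,DC=testlab,DC=com": 513,
}

# Constructed AD user objects, as an LDAP search for memberOf and primaryGroupID
# would return them. 'first' is bob's Primary Group, so it is absent from memberOf.
USERS = {
    "alice": {"memberOf": ["CN=first,OU=Groups,DC=testlab,DC=com"], "primaryGroupID": 513},
    "bob":   {"memberOf": [], "primaryGroupID": 1105},
}


def memberof_check(user: dict, required_dn: str) -> bool:
    """Mirror the ldap-memberof behaviour: only the memberOf attribute is consulted,
    so an empty memberOf result means the group check fails."""
    return required_dn in user["memberOf"]


def effective_groups(user: dict, groups: dict) -> set:
    """Audit view: memberOf plus the Primary Group, resolved by matching the user's
    primaryGroupID against each group's primaryGroupToken."""
    result = set(user["memberOf"])
    for dn, token in groups.items():
        if token == user["primaryGroupID"]:
            result.add(dn)
    return result


def users_needing_workaround(users: dict, groups: dict, required_dn: str) -> list:
    """Users who really belong to the required group but would fail the
    memberOf-only check, i.e. the accounts the KB workaround must be applied to."""
    return sorted(
        name for name, u in users.items()
        if required_dn in effective_groups(u, groups) and not memberof_check(u, required_dn)
    )


if __name__ == "__main__":
    print(users_needing_workaround(USERS, GROUPS, "CN=first,OU=Groups,DC=testlab,DC=com"))
```

Running the audit over a real directory export only requires replacing the constructed dictionaries with the memberOf, primaryGroupID and primaryGroupToken values returned by your LDAP client.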