Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Fortigate LDAP config with OpenLDAP server



I am in a situation where I need to set up an LDAPS connection to an OpenLDAP server that uses posix accounts and groups, meaning it does not have a memberOf attribute to check user group memberships against. The group check would need to happen using gidNumber (group ID) from the user data, or from the group data using the memberUid attribute. Here is what I have been trying to get to work so far.


I have been trying to Google how to do this for a couple of hours now.


A sample OpenLDAP structure:


- OU=department

- - OU=Users

- - - UID=timothy.tester

- - - UID=david.demo

- - -

- - - UID=mickey.mouse

- - OU=Groups

- - - CN=SMS

- - - CN=VPN

- - - CN=Others

- - uid=admin


SMS group has attributes as:


gidNumber=12345 (the group ID)




User Timothy Tester has attributes as:

objectClass posixAccount

displayName=Timothy Tester

uidNumber=11111 (user ID)

gidNumber=12345 (the group ID of SMS group)


userPassword= ...



VPN group has attributes as:


gidNumber=67890 (the group ID)




User David Demo has attributes as:

objectClass posixAccount

displayName=David Demo

uidNumber=22222 (user ID)

gidNumber=67890 (the group ID of VPN group)


userPassword= ...



What I am trying to do is set up SSL VPN login with these two LDAP groups, SMS and VPN. However, I am unable to fetch the group data correctly.


OpenLDAP config part:

config user ldap
    edit "OpenLDAP"
        set server ""
        set cnid "uid"
        set dn "ou=department,dc=acme,dc=local"
        set type regular
        set username "uid=admin,dc=openldap,dc=lab"
        set password ENC YCb6XWMMo...
        set group-member-check posix-group-object
        set secure ldaps
        set port 636
    next


User groups config part:

config user group
    edit "SMS group users"
        set member "OpenLDAP"
        config match
            edit 1
                set server-name "OpenLDAP"
                set group-name "cn=SMS,ou=groups,ou=department,dc=acme,dc=local"
            next
        end

    edit "VPN group users"
        set member "OpenLDAP"
        config match
            edit 1
                set server-name "OpenLDAP"
                set group-name "cn=VPN,ou=groups,ou=department,dc=acme,dc=local"
            next
        end



I have been playing with the OpenLDAP config and have tried it with "set group-member-check posix-group-object" and without it, as well as with "set member-attr memberUid". I have been trying and trying without any success.


Any ideas on how to solve the problem and make the FortiGate able to read the group data correctly? Thank you in advance!


Running on version 6.0.5.

New Contributor



This reply comes late, but I hope it helps people further.


fnbamd helped me figure out why the authentication failed:


diagnose debug enable
diagnose debug application fnbamd 255


The solution for OpenLDAP is to use:

config user ldap
    edit <entity>
        set group-filter "(&(objectclass=posixgroup)(memberuid:=%u))"


I later found an old post with the same configuration parameters for OpenLDAP:


You should also modify the memberUid value in the posix group in LDAP. Don't use the username alone. Modification:
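The group-filter approach in the reply above, as an added illustration that is not part of the original thread: a small in-memory evaluator applies the filter (&(objectclass=posixgroup)(memberuid:=%u)) to constructed posixGroup entries modelled on the question, showing that a login is only found when the group's memberUid lists the user's uid, while a user whose only link is gidNumber on the user entry is not matched. The entries, DNs and evaluator are assumptions for illustration, not FortiGate or OpenLDAP code.

```python
"""Evaluate the FortiGate posix group-filter from the reply against constructed
posixGroup entries, to show which users such a filter can actually find."""

# Constructed sample groups modelled on the question (not a real directory).
GROUPS = {
    "cn=SMS,ou=groups,ou=department,dc=acme,dc=local": {
        "objectclass": ["posixGroup"], "cn": ["SMS"], "gidnumber": ["12345"],
        "memberuid": ["timothy.tester"],   # memberUid populated, as the reply advises
    },
    "cn=VPN,ou=groups,ou=department,dc=acme,dc=local": {
        "objectclass": ["posixGroup"], "cn": ["VPN"], "gidnumber": ["67890"],
        # no memberUid: David is only linked via gidNumber=67890 on his user entry
    },
}
GROUP_FILTER = "(&(objectclass=posixgroup)(memberuid:=%u))"  # filter from the reply

def parse(s, i=0):
    """Parse one parenthesised LDAP filter (AND/OR/NOT/equality only) at s[i].
    Returns (node, index just past the filter)."""
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    if s[i + 1] in "&|!":
        op, kids, i = s[i + 1], [], i + 2
        while s[i] == "(":                 # nested sub-filters
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1           # skip the closing ')'
    end = s.index(")", i)
    attr, val = s[i + 1:end].split("=", 1)
    # 'memberuid:=x' is extensible-match syntax; strip the ':' to get the attribute
    return ("=", attr.rstrip(":").lower(), val.lower()), end + 1

def matches(node, entry):
    """Case-insensitive evaluation of a parsed filter against one entry."""
    op = node[0]
    if op == "=":
        return node[2] in [v.lower() for v in entry.get(node[1], [])]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    return not matches(node[1][0], entry)   # '!'

def groups_for(uid, groups=GROUPS, template=GROUP_FILTER):
    """DNs of groups matched after substituting the login name for %u."""
    tree, _ = parse(template.replace("%u", uid))
    return sorted(dn for dn, entry in groups.items() if matches(tree, entry))
```

Running groups_for("david.demo") returns an empty list until the VPN group entry gets memberUid: david.demo, which is the directory-side change the reply points at.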