Quick Note on Firmware Version v4.0.2,build0099,090407
The "User DN" must be in the following format.
user@domain.com
not
user
As the example shows.
Other than that this readme works 100%
Pay close attention to what S0crates, Jesús Cambera, and laf have said.
The following is my working config
config user ldap
    edit "SSL Admins Group"
        set server "192.168.10.10" <-- IP address of my Active Directory Domain Controller
        set cnid "sAMAccountName"
        set dn "OU=Users,OU=remote,DC=company,DC=com"
        set type regular
        set username "fortigate@company.com" <-- Must have @company.com on the username
        set password qwerty
        set group "CN=SSL-Admins,OU=Security Groups,OU=remote,DC=company,DC=com"
        set filter "(&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=tririga,DC=com)(member=*))"
    next
    edit "SSL Users Group"
        set server "192.168.10.10" <-- IP address of my Active Directory Domain Controller
        set cnid "sAMAccountName"
        set dn "OU=Users,OU=remote,DC=company,DC=com"
        set type regular
        set username "fortigate@company.com" <-- Must have @company.com on the username
        set password qwerty
        set group "CN=SSL-Users,OU=Security Groups,OU=remote,DC=company,DC=com"
        set filter "(&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=tririga,DC=com)(member=*))"
    next
end
Test using laf's example:
diagnose test authserver ldap <server_name> <username> <password>
diagnose test authserver ldap "SSL Admins Group" testUser qwerty <-- no @company.com on the username
On the SSL VPN Client you only need the username without the @company.com to login.
Note: Do not test with a user that has a ( ? ) in the password.
2 x 310B
v4.0,build0272,100331 (MR2)
HA ( Active Passive )
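The two pitfalls above (the bind username must be in user@domain form, while the test and VPN login use the bare sAMAccountName, and a password containing "?" breaks the diagnose test) are easy to check before touching the box. The following is an added example, not code from the original post or from Fortinet: a small stdlib-only Python linter that parses a "config user ldap" block, flags a bind username that is not in user@domain form and "dn"/"group" values that are not distinguished names, and builds the diagnose test line while refusing the inputs the post warns about. The config text, server 192.0.2.10 and domain example.com are constructed sample values.

```python
import re

# Constructed sample config (hypothetical values): one good entry, one with the
# mistakes the post describes (bare bind username, group given as a plain name).
SAMPLE_CONFIG = """\
config user ldap
    edit "SSL Admins Group"
        set server "192.0.2.10"
        set cnid "sAMAccountName"
        set dn "OU=Users,OU=remote,DC=example,DC=com"
        set type regular
        set username "fortigate@example.com"
        set password "Sv1ce-Acc0unt"
        set group "CN=SSL-Admins,OU=Security Groups,OU=remote,DC=example,DC=com"
    next
    edit "Broken Entry"
        set server "192.0.2.10"
        set cnid "sAMAccountName"
        set dn "OU=Users,OU=remote,DC=example,DC=com"
        set type regular
        set username "fortigate"
        set password "qwerty"
        set group "SSL-Users"
    next
end
"""

# user@domain.tld, no whitespace, exactly one "@"
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# A sequence of attr=value pairs separated by commas (values may contain spaces)
DN_RE = re.compile(r"^(?:[A-Za-z]+=[^,]+)(?:,[A-Za-z]+=[^,]+)*$")


def parse_user_ldap(text):
    """Return {entry_name: {key: value}} for the entries in a 'config user ldap' block."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?(.*?)"?$', line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        m = re.match(r"^set\s+(\S+)\s+(.*)$", line)
        if m and current is not None:
            key, val = m.group(1), m.group(2).strip()
            if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
                val = val[1:-1]  # strip the CLI's quoting
            entries[current][key] = val.strip()
        elif line == "next":
            current = None
    return entries


def lint_entry(name, entry):
    """List the problems found in one LDAP server entry (empty list = clean)."""
    problems = []
    if not UPN_RE.match(entry.get("username", "")):
        problems.append(f"{name}: bind username must be in user@domain form")
    for key in ("dn", "group"):
        if key in entry and not DN_RE.match(entry[key]):
            problems.append(f"{name}: '{key}' is not a distinguished name")
    return problems


def lint_config(text):
    """Map each entry name to its list of problems."""
    return {name: lint_entry(name, e) for name, e in parse_user_ldap(text).items()}


def build_diagnose_test(server_name, username, password):
    """Return the CLI test line, refusing inputs the post says will not work."""
    if "@" in username:
        raise ValueError("test username is the sAMAccountName without @domain")
    if "?" in password:
        raise ValueError("passwords containing '?' cannot be used with this test")
    return f'diagnose test authserver ldap "{server_name}" {username} {password}'


if __name__ == "__main__":
    for name, problems in lint_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not problems else problems)
    print(build_diagnose_test("SSL Admins Group", "testUser", "qwerty"))
```

Run it against a copy of your own "config user ldap" output (show user ldap) to catch the bare-username mistake before the VPN group stops authenticating; the test builder is the place to add any further local rules about which accounts may be used for testing.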