Here is the quick and dirty boiled down to 3 steps. There are more but Fortinet wrote a good guide on user auth so I'll keep mine to just 3 steps. ;-)
One thing to note first: We firewall traffic to various interfaces but we only require authentication to the Internet. Traffic to the internet will show the username but traffic to other interfaces will not. I still use IPs to track those.
1.) In your FGT, go to User>Remote>LDAP and create the settings for your LDAP server. I've got 4 of 5 listed in mine... each used for a different WinAD box. We used to use Novell so I had a few in there too and they worked fine. Give it a name, point it to the ldap server name or IP, port and then some other basic LDAP info is required. CN Identifier, DN, etc. If your LDAP is open, you can do an anonymous bind or a simple bind. Ours is closed and requires a username/password/CA Cert to connect so you need those too. The username has to be in Fully Qualified notation and the CA cert needs to be installed in the CA section under System>Certificates. Once it's working properly you should be able to click on Test and then the folder icon next to DN and walk the tree. If you can't then you have settings wrong and need to keep at it until it works. See example below.
2.) Create a Group (Users>Group) pointing to the "Remote" server. This is pretty easy until you start messing with Groups in your LDAP. Then, for me since I'm not an LDAP/AD expert, I got it working via the trial-error method. Again, more example below.
3.) The final step is creating an Identity Based Policy (Policy>policy) and pointing it to the Group you just created. See below.
LDAP Server:
Group:
Policy:
If you do SSL VPN and want to use LDAP to auth, you do the same steps but under Group you check the Allow SSL-VPN Access and select the SSLVPN portal you hopefully already built.
-TJ
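The three GUI steps above, written out as the equivalent FortiGate CLI so the settings can be reviewed in one place. This is an added example, not TJ's screenshots or Fortinet's documentation; every name, DN, host and the policy number are made-up placeholders, and the syntax assumes FortiOS 5.2 or later, where the group is set directly on the firewall policy (older releases nested it in an identity-based sub-policy). It shows the closed-directory case from step 1: a regular bind with a fully qualified bind DN, LDAPS on 636, and the CA certificate that must already be imported under System>Certificates.

```fortios
# Step 1: the LDAP server object (User>Remote>LDAP in the GUI)
config user ldap
    edit "AD-DC01"                       # placeholder name
        set server "dc01.corp.example"    # placeholder host or IP
        set port 636
        set secure ldaps                  # bind credentials never cross the wire in cleartext
        set ca-cert "CORP-ROOT-CA"        # CA imported under System>Certificates (placeholder name)
        set cnid "sAMAccountName"         # CN Identifier: attribute users log in with
        set dn "dc=corp,dc=example"       # Distinguished Name: search base
        set type regular                  # closed directory: not anonymous, not simple
        # Fully qualified bind account, as the post requires
        set username "cn=fgt-ldap-bind,cn=Users,dc=corp,dc=example"
        set password "REPLACE-WITH-BIND-PASSWORD"
    next
end

# Step 2: a firewall user group pointing at the remote server,
# restricted to one AD group so not every directory user matches
config user group
    edit "Internet-Users"                 # placeholder group name
        set member "AD-DC01"
        config match
            edit 1
                set server-name "AD-DC01"
                set group-name "CN=InternetUsers,OU=Groups,DC=corp,DC=example"
            next
        end
    next
end

# Step 3: the policy to the Internet that requires that group.
# Only the Internet-bound rule carries "groups", matching the note that
# traffic to other interfaces is still tracked by IP, not username.
config firewall policy
    edit 10                               # placeholder policy ID
        set name "LAN-to-Internet-Auth"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Internet-Users"       # this is what makes the policy identity based
        set nat enable
        set logtraffic all                # logs now carry the username for this rule
    next
end
```

After step 1 the CLI equivalent of the Test button is `diagnose test authserver ldap AD-DC01 <user> <password>`; if it fails, the bind DN, base DN or CA certificate is usually the culprit, the same place the post says to keep digging. Leaving `config match` out of the group would let any account that binds successfully through, so keep the AD group restriction unless that is actually the intent.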