This article concerns LDAP authentication when groups are nested.

For example, the user group DN is bound to:

CN=VPN, OU=Group, OU=1-Main Organization, DC=example, DC=local

and the actual user 'TestUser' belongs to another group, say 'IT Group', where 'IT Group' is a member of the VPN group.

When the user tries to log in to the SSL VPN web portal as 'TestUser', authentication is denied, and the message in the SSLVPN debug is:
"Auth failed due to group restrictions"
The actual user group DN will be shown.

When trying to log in from the FortiGate CLI console, authentication succeeds.

Configure the following commands in the LDAP server configuration; this should allow all the nested group information to be retrieved.
config user ldap
    edit "example.local"
        set group-member-check user-attr
        set search-type nested
    next
end

A query from the FortiGate CLI console should now show the nested group correctly.
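
The difference between a direct and a nested membership check, as an added Python model that is not FortiOS code and not part of the original article. Only the VPN group DN and the user name TestUser come from the article; the other DNs, the memberOf data and the function names are constructed assumptions.

```python
# Constructed directory data (assumption): memberOf values per entry.
VPN_DN = "CN=VPN, OU=Group, OU=1-Main Organization, DC=example, DC=local"  # from the article
IT_DN = "CN=IT Group,OU=Group,OU=1-Main Organization,DC=example,DC=local"   # assumed DN
USER_DN = "CN=TestUser,OU=Users,OU=1-Main Organization,DC=example,DC=local"  # assumed DN

MEMBER_OF = {
    USER_DN: [IT_DN],   # TestUser is only a direct member of 'IT Group'
    IT_DN: [VPN_DN],    # 'IT Group' is nested inside the VPN group
    VPN_DN: [IT_DN],    # deliberate cycle, to show the walk still terminates
}

def norm(dn):
    """Simplified DN key: ignores case and spaces around RDN separators.
    Does not handle escaped commas inside attribute values."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def direct_groups(dn, directory):
    """Groups listed on the entry itself (no nesting followed)."""
    index = {norm(k): v for k, v in directory.items()}
    return {norm(g) for g in index.get(norm(dn), [])}

def nested_groups(dn, directory):
    """Follow memberOf transitively; 'seen' prevents looping on group cycles."""
    index = {norm(k): v for k, v in directory.items()}
    seen, stack = set(), [norm(dn)]
    while stack:
        for group in index.get(stack.pop(), []):
            key = norm(group)
            if key not in seen:
                seen.add(key)
                stack.append(key)
    return seen

def allowed(dn, required_group, directory, nested):
    """True when required_group is among the user's (direct or nested) groups."""
    lookup = nested_groups if nested else direct_groups
    return norm(required_group) in lookup(dn, directory)

if __name__ == "__main__":
    print("direct check:", allowed(USER_DN, VPN_DN, MEMBER_OF, nested=False))
    print("nested check:", allowed(USER_DN, VPN_DN, MEMBER_OF, nested=True))
```
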