How to configure administrator accounts against a remote LDAP server with the wildcard option enabled, so that individual admin accounts do not have to be set up on the FortiGate unit.
1. LDAP server CLI configuration.

    config user ldap
        edit "ldap"  // name of the LDAP server object on the FortiGate
            set server <ldap server ip>
            set cnid "cn"  // can use sAMAccountName too
            set dn "DC=XYZ,DC=COM"  // root DN that the user search starts from
            set type regular
            set username "CN=Administrator,CN=Users,DC=XYZ,DC=COM"  // domain account used to bind and search
            set password *  // password of the bind account
            set group "CN=GRP,OU=X,DC=XYZ,DC=COM"  // group binding: only members of this group are allowed to authenticate
            set filter ''  // no filter is needed for this scenario
        next
    end
2. Create a user group and make this LDAP server a member of it.
3. Configure the administrator account as follows.

    config system admin
        edit "ldap_admin"  // any name; with wildcard enabled it does not have to match a directory user
            set remote-auth enable  // enable remote authentication for this admin entry
            set accprofile "super_admin"  // access profile granted to every authenticated group member
            set wildcard enable  // allows all members of the group to log in to the FortiGate without a separate admin entry per user
            set remote-group "ldap"  // the user group from step 2 (a user group object, not the LDAP server object, even if both are named "ldap")
        next
    end
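The three steps above combined into one consistent configuration, including the user group that step 2 describes but does not show. This is an added example, not taken from the original article or from Fortinet documentation; the object names "ldap_admins" and "ldap_admin", the server address 10.0.0.5 and the placeholder password are assumptions, and the lines starting with "#" are annotations to drop if your FortiOS version rejects comment lines. Because wildcard hands the chosen access profile to every member of the bound group, that group should contain only intended administrators and the profile should be no wider than they need.

```fortios
# Added example: all three steps with consistent object names (assumed, not from the article).
# Replace 10.0.0.5, the DNs and the bind password with your own values.

# Step 1: LDAP server object
config user ldap
    edit "ldap"
        set server "10.0.0.5"
        set cnid "cn"
        set dn "DC=XYZ,DC=COM"
        set type regular
        set username "CN=Administrator,CN=Users,DC=XYZ,DC=COM"
        set password "<bind-account-password>"
        set group "CN=GRP,OU=X,DC=XYZ,DC=COM"
    next
end

# Step 2: user group whose only member is the LDAP server object (assumed name "ldap_admins")
config user group
    edit "ldap_admins"
        set member "ldap"
    next
end

# Step 3: one wildcard admin entry that covers every member of the group (assumed name "ldap_admin")
config system admin
    edit "ldap_admin"
        set remote-auth enable
        set accprofile "super_admin"
        set wildcard enable
        set remote-group "ldap_admins"
    next
end
```

Before relying on the admin entry, test the LDAP server object with a known group member from the CLI: `diagnose test authserver ldap ldap <username> <password>` (the first "ldap" is the server object name), which reports whether the bind, the user lookup and the group match succeeded. The bind account only needs read access to the directory, so a dedicated low-privilege account is preferable to the domain Administrator used in the article's example.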