The documentation was pretty inaccurate/unclear on a lot of this, so there was a bit of trial and error. This assumes you're already familiar with setting up SSL VPN and already have it working with local user accounts. Here's how you do it:
Pre-requisites
- You need your SSL VPN portal and settings configured already
- You should also have already created your SSL VPN policy (allowing from the SSL VPN interface to your LAN)
- The above requires you to add a user or group already, you can re-use that group for the items below if desired
Set up LDAP Server
I'm using Active Directory, but you can use any LDAP based directory service. The example below assumes your AD domain is domain.local.
- Navigate to User & Device > LDAP Server
- Add a new server and enter the settings:
- Name: this is the friendly name, i usually just put the hostname in
- Server IP: obvious
- Server Port: leave this default unless you know what you're doing
- Common Name Identifier: This defaults to CN, which means Common Name. This is dumb. Your users are not going to log in as "Bob Smith", they're going to log in as bsmith or bsmith@domain.com. Set this to userprincipalname if you want them to use their UPN (username@domain.com) or maybe samaccountname if you want them to just use their username.
- Distinguished Name: You can't use the Browse button until you fill out the rest of this page, but this can just be DC=domain,DC=local. Note: if you choose to scope this further than the domain as listed, your group (in the next section) must be in scope.
- Bind Type: Regular
- Username/Password: You can start off with a domain admin for testing, but ultimately you should create an unprivileged service account to use here
- Secure Connection/Protocol: I used secure and selected LDAPS. If you don't have LDAPS then don't use it.
- At this point you should be able to Test Connectivity and get a success.
Set up your group
- In Active Directory, create a group and add users to it. I called mine SSL VPN Users
- In the Fortigate, navigate to User & Device > User Groups
- Click on Create New
- Name the group the same as you created in AD (this isn't important, just a friendly name)
- Select Firewall as the type
- Under the Remote Groups section, click Add, select your LDAP server, and then search/select your group.
- Important: You have to right click on it and select Add Selected. After that, hit OK, not before.
- Hit OK again to save the group
- Configure your SSL VPN firewall policy to use this group for authentication
Testing
At this point you should be done, because you already set up your SSL VPN, right? You should be able to log in as the user now, you can go to Log & Report > VPN Events to see what the error is if you're not able to log in. You can also use the command diag test authserver ldap "YOUR LDAP SERVER NAME" youraccount@domain.com yourpassword to do a direct test.