Chapter 3 Authentication for FortiOS 5.0 : Authentication servers : LDAP servers : Example of LDAP to allow Dial-in through member-attribute - CLI : Configuring LDAP member-attribute settings
  
Configuring LDAP member-attribute settings
To accomplish this with a FortiGate unit, the member attribute must be set. This can only be done through the CLI, using the member-attr keyword; the option is not available in the web-based manager.
Before configuring the FortiGate unit, the AD server must be configured and have the msNPAllowDialin attribute set to TRUE for the users in question. If not, those users will not be able to properly authenticate.
The dn used here is an example only. On your network, use your own domain name.
To configure user LDAP member-attribute settings - CLI
config user ldap
    edit "ldap_server"
        set server "192.168.201.3"
        set cnid "sAMAccountName"
        set dn "DC=fortinet,DC=com,DC=au"
        set type regular
        set username "fortigate@example.com"
        set password ******
        set member-attr "msNPAllowDialin"
    next
end
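The prerequisite above is that msNPAllowDialin is TRUE on the AD side for every user who should authenticate. The following pre-check is an added example, not part of the original FortiOS documentation: it parses an LDIF export of the user accounts and groups them by that attribute. The sample entries, user names, and the function names parse_ldif and dialin_report are constructed for illustration.

```python
import base64

# Constructed sample LDIF (ldapsearch-style export); not real directory data.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=fortinet,DC=com,DC=au
sAMAccountName: alice
msNPAllowDialin: TRUE

dn: CN=Bob Example,OU=Staff,DC=fortinet,DC=com,DC=au
sAMAccountName: bob
msNPAllowDialin: FALSE

dn: CN=Carol Example,OU=Remote Workers and Contractors,
 DC=fortinet,DC=com,DC=au
sAMAccountName:: Y2Fyb2w=
"""

def parse_ldif(text):
    """Return one dict per entry; attribute names are lower-cased."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):          # skip LDIF comments
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                  # trailing "" flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def dialin_report(text, cnid="sAMAccountName", member_attr="msNPAllowDialin"):
    """Group users by the value of member_attr: allowed, denied or unset."""
    report = {"allowed": [], "denied": [], "unset": []}
    for entry in parse_ldif(text):
        user = entry.get(cnid.lower(), ["?"])[0]
        values = [v.upper() for v in entry.get(member_attr.lower(), [])]
        key = "allowed" if "TRUE" in values else "denied" if values else "unset"
        report[key].append(user)
    return report

if __name__ == "__main__":
    print(dialin_report(SAMPLE_LDIF))
```

Users reported as denied or unset do not have the attribute set to TRUE, so they fall under the authentication failure described above until the AD side is corrected.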