Here's a brief LDAP authentication configuration example, in raw form, of how it works for me. I'm pretty sure this can be done in a few other ways.
1) I'm using the built-in LDAP server on my QNAP NAS and I'm not willing to modify the LDAP schema in any way, so I'm using the LDAP attributes provided by QNAP.
- I've created a test user joe1 in LDAP
- since I want to authenticate based on group membership, I've used the attribute "businessCategory", which was part of the existing schema on QNAP, due to the fact that I never use this attribute for anything else. A more appropriate name for the attribute (if somebody is willing to modify the schema) would be "memberOf". Anyway, I'm using "businessCategory"
- now for the group identifier I'm using the keyword "vpn". So any user to whom I want to give VPN access must be in businessCategory vpn.
2) then I add LDAP as an AAA server. Note the group membership attribute "businessCategory"
3) now I add a group "ldap" to the default auth method
4) then I add an external user, used for VPN, which I call vpn-user. Note the group identifier is "vpn"
5) then I create a vpn-users group and make vpn-user its member
6) and finally, I grant L2TP access only to vpn-users group
...and LDAP user joe1 can happily connect through L2TP VPN now
When I need to give another user L2TP capability, all I need to do is add the new user to businessCategory vpn.
This approach with some modifications should work for AD authentication as well.
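As an added illustration of the group-membership check described above (not code from the post or from QNAP), the example below parses a small constructed LDIF directory and decides VPN access the way the AAA lookup does: a user is allowed only if one value of businessCategory equals the group identifier "vpn". The DNs, the extra users and the exact filter form the AAA server issues are assumptions; the escaping helper shows the filter built safely from a username.

```python
import base64

# Constructed sample directory (not exported from a real QNAP), in LDIF. joe1
# carries businessCategory=vpn as in the post; the others cover edge cases.
SAMPLE_LDIF = """\
dn: uid=joe1,ou=people,dc=example,dc=local
uid: joe1
businessCategory: vpn
businessCategory: staff

dn: uid=ann,ou=people,dc=example,dc=local
uid: ann
businessCategory:: VlBO

dn: uid=bob,ou=people,dc=example,dc=local
uid: bob
businessCategory: vpn-readonly
"""

def parse_ldif(text):
    """Minimal LDIF -> {dn: {attr: [values]}}; multi-valued and '::' base64 aware."""
    entries, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            current = None
            continue
        name, _, value = raw.partition(":")
        if value.startswith(":"):                     # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if name == "dn":
            current = entries.setdefault(value, {})
        else:
            current.setdefault(name.lower(), []).append(value)
    return entries

def ldap_filter(uid, group_attr="businessCategory", group_id="vpn"):
    """Assumed AAA search filter, RFC 4515-escaped so a username cannot reshape it."""
    esc = lambda s: "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in s)
    return "(&(uid=%s)(%s=%s))" % (esc(uid), group_attr, esc(group_id))

def vpn_allowed(entries, uid, group_attr="businesscategory", group_id="vpn"):
    """True only if a value of the group attribute equals the group identifier.
    uid and businessCategory use caseIgnoreMatch, so compare case-insensitively,
    but on the whole value: 'vpn-readonly' is not 'vpn'. Note that anyone able
    to edit this attribute on a user entry can grant VPN access."""
    for entry in entries.values():
        if uid.casefold() in (u.casefold() for u in entry.get("uid", [])):
            return any(v.casefold() == group_id.casefold() for v in entry.get(group_attr, []))
    return False   # unknown user: deny
```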