Technical Tip: Cannot contact LDAP server after upgrading to v6.6.x
| Description | This article describes why, after upgrading to v6.6.x, a connection to the LDAP server can no longer be established, and how to resolve it. |
| Scope | FortiAuthenticator v6.6.x. |
| Solution | After upgrading to v6.6.x, the following error can appear in the RADIUS_Authentication log:
facauth: ERROR: fac_ldap_connect() failed: ldap_simple_bind_s failed: Can't contact LDAP server error:0A000086:SSL routines::certificate verify failed (CA signature digest algorithm too weak).
facauth: Remote LDAP user authentication failed
facauth: ERROR: fac_ldap_connect() failed: fac_ldap_connect() failed: all servers have cached state: down
The signature hash algorithm can be checked directly in the certificate details (the Signature hash algorithm field). In the example below it is SHA-1 (Secure Hash Algorithm 1):
Or with the openssl command (the Signature Algorithm line is printed twice, once inside the tbsCertificate and once as the outer signatureAlgorithm; a SHA-1 signed certificate shows sha1WithRSAEncryption, an acceptable one shows a SHA-2 family algorithm such as sha256WithRSAEncryption):
openssl x509 -in certificate-name.crt -noout -text | grep "Signature Algorithm"
Cause: Certificates signed with the SHA-1 cryptographic algorithm are no longer accepted in v6.6.x, for security reasons. The error text "CA signature digest algorithm too weak" comes from the TLS library and refers to the digest the issuing CA used when signing a certificate in the chain, which can be the LDAP server certificate itself or one of the CA certificates above it. A SHA-2 family algorithm (SHA-256 or stronger) should be used to avoid this error.
A new certificate with a stronger signature hash algorithm (SHA-256 or higher) should be issued for the LDAP/LDAPS server, the issuing Root CA imported into FortiAuthenticator, and the connection checked again. If re-issuing the certificate is not possible in the environment, the previous FortiAuthenticator version should be used; note that this keeps the weak SHA-1 signature in production and only defers the re-issue.
Note: The chain of trust must also not contain weaker algorithms. This includes the intermediate and root certificates, so every certificate the LDAP server presents needs to be checked, not only the server certificate. A packet capture of the TLS handshake shows the certificates the server actually sends and helps to verify the chain. Below is an example snippet:
Frame 27: 2436 bytes on wire (19488 bits), 2436 bytes captured (19488 bits)
Ethernet II, Src: ___
Internet Protocol Version ___
Transmission Control Protocol, Src Port: 585, Dst Port: 33626, Seq: 1, Ack: 328, Len: 2382
    signature (sha1WithRSAEncryption) --->
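The openssl check above inspects one certificate at a time and the packet capture shows what the server sends; the following script combines the two by auditing every certificate in a saved chain at once. It is an added example for this article, not FortiAuthenticator, Fortinet or OpenSSL code, and uses only the Python standard library: a minimal DER reader extracts the outer signatureAlgorithm OID from each PEM certificate (the field openssl prints as Signature Algorithm) and flags MD5 and SHA-1 signatures. The sample chain it audits is constructed inside the script from dummy certificates (an empty padded body with a real AlgorithmIdentifier), not real ones, and all function and variable names are assumptions of this example.

```python
"""Audit every certificate in a PEM chain for weak signature digests.
Added example for this article, not FortiAuthenticator or OpenSSL code; standard
library only. The sample chain at the bottom is built from dummy certificates."""
import base64
import re

# Signature algorithm OIDs (RFC 3279, 4055, 5758, 8410), named as openssl prints them
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.3.101.112": "ed25519",
}
# Digests OpenSSL 3 rejects at its default security level (the cause of the article's error)
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm_oid(der):
    """Outer signatureAlgorithm OID of a DER certificate:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)       # skip tbsCertificate
    _, alg_id, _ = _read_tlv(body, pos)     # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)

def pem_chain_to_der(pem_text):
    """Split PEM text (e.g. `openssl s_client -showcerts` output) into DER blobs."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_text)]

def audit_chain(pem_text):
    """Return [(index, algorithm_name, is_weak), ...], one entry per certificate."""
    report = []
    for i, der in enumerate(pem_chain_to_der(pem_text)):
        oid = signature_algorithm_oid(der)
        name = SIG_ALG_NAMES.get(oid, oid)  # unknown OIDs are reported in dotted form
        report.append((i, name, name in WEAK_SIG_ALGS))
    return report


# --- constructed sample data: dummy certificates, not valid X.509 -----------------
def _der(tag, content):
    """Encode one DER TLV, using the long-form length when needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    """Inverse of _decode_oid: base-128 arcs, high bit set on all but the last byte."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def make_dummy_cert_pem(sig_oid):
    """Certificate SEQUENCE with a padded TBS, the given signatureAlgorithm and a
    one-byte signature: just enough structure for the audit to parse."""
    tbs = _der(0x30, b"\x00" * 200)          # >127 bytes, so long-form lengths are exercised
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    b64 = base64.b64encode(_der(0x30, tbs + alg + _der(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

SAMPLE_CHAIN_PEM = (
    make_dummy_cert_pem("1.2.840.113549.1.1.11")    # server cert: SHA-256, accepted
    + make_dummy_cert_pem("1.2.840.113549.1.1.5")   # intermediate CA: SHA-1, rejected
    + make_dummy_cert_pem("1.2.840.10045.4.3.2")    # root CA: ECDSA/SHA-256, accepted
)
```

To audit a real server, save the chain it presents with openssl s_client -connect <server>:636 -showcerts </dev/null > chain.pem (replace <server> with the LDAP server address) and pass the file contents to audit_chain(); on the constructed sample it reports index 1 as weak. Every entry flagged weak, whether it is the server certificate, an intermediate or the root, has to be re-issued with SHA-256 or stronger before v6.6.x accepts the chain. Unknown OIDs are reported in dotted form so nothing is silently accepted, and RSASSA-PSS is deliberately absent from the table because its digest is carried in the AlgorithmIdentifier parameters, which this script does not parse.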
Related document: |

