| Authentication fails when the Remote LDAP user attempts to log in, and the following error appears in the FortiAuthenticator logs: 'Remote LDAP user authentication from (null) with no token failed: invalid password.' The user has been successfully imported from GWS LDAP into FortiAuthenticator, and the password used is confirmed to be correct.
The RADIUS debug logs show the following error when a remote LDAP user attempts to authenticate but fails.
The RADIUS debug logs can be viewed at: https://<FAC IP>/debug/radius/

2025-04-15T17:13:01.137924+05:30 AL-FortiAuthenticator radiusd[12971]: (10138) facauth: LDAP user found: test
2025-04-15T17:13:02.577768+05:30 AL-FortiAuthenticator radiusd[12971]: (10138) facauth: Try to bind with DN: uid=test,ou=MDM COD,ou=allen.in,ou=Users,dc=allen,dc=in
2025-04-15T17:13:04.285672+05:30 AL-FortiAuthenticator radiusd[12971]: (10138) facauth: ERROR: ERROR: ldap_simple_bind_s() failed, error:Insufficient access
2025-04-15T17:13:04.285695+05:30 AL-FortiAuthenticator radiusd[12971]: (10138) facauth: Remote LDAP user authentication failed
2025-04-15T17:13:04.285703+05:30 AL-FortiAuthenticator radiusd[12971]: update_user_lockout: fail_count=0 locking_period=-1 locking_reason=-1
2025-04-15T17:13:04.285745+05:30 AL-FortiAuthenticator radiusd[12971]: (10138) facauth: Updated auth log 'test@allen.in' for attempt from 10.x.x.x: Remote LDAP user authentication from (null) with no token failed: invalid password
The issue needs to be investigated on the LDAP server, as the 'Insufficient Access' error indicates that the server is rejecting the operation due to a lack of necessary permissions. This typically happens when the operation is attempted using a DN (Distinguished Name) that doesn't have adequate privileges. To resolve this, the required permissions must be granted on the LDAP server.
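As an added example (not part of the original article or any Fortinet tooling), the Python below groups facauth debug lines by request ID and flags attempts where the auth log reports 'invalid password' although the LDAP bind failed for a different reason. The sample lines are copied from the two attempts shown on this page; the function names, and the assumption that a genuinely wrong password yields the bind error 'Invalid credentials', belong to this example.

```python
import re

# Sample lines copied from the failed (10138) and successful (62021) attempts
# on this page; intermediate lines are omitted for brevity.
SAMPLE = """\
2025-04-15T17:13:01.137924+05:30 AL-FortiAuthenticator radiusd[12971]: (10138) facauth: LDAP user found: test
2025-04-15T17:13:02.577768+05:30 AL-FortiAuthenticator radiusd[12971]: (10138) facauth: Try to bind with DN: uid=test,ou=MDM COD,ou=allen.in,ou=Users,dc=allen,dc=in
2025-04-15T17:13:04.285672+05:30 AL-FortiAuthenticator radiusd[12971]: (10138) facauth: ERROR: ERROR: ldap_simple_bind_s() failed, error:Insufficient access
2025-04-15T17:13:04.285745+05:30 AL-FortiAuthenticator radiusd[12971]: (10138) facauth: Updated auth log 'test@allen.in' for attempt from 10.x.x.x: Remote LDAP user authentication from (null) with no token failed: invalid password
2025-04-16T15:08:40.913694+05:30 AL-FortiAuthenticator radiusd[12971]: (62021) facauth: Try to bind with DN: uid=test,ou=MDM COD,ou=allen.in,ou=Users,dc=allen,dc=in
2025-04-16T15:08:42.231197+05:30 AL-FortiAuthenticator radiusd[12971]: (62021) facauth: Binding successful
2025-04-16T15:08:42.232243+05:30 AL-FortiAuthenticator radiusd[12971]: (62021) facauth: Updated auth log 'test@allen.in' for attempt from 10.x.x.x: Remote LDAP user authentication from (null) with no token successful
"""

LINE = re.compile(r"radiusd\[\d+\]: \((?P<req>\d+)\) facauth: (?P<msg>.*)$")
BIND_DN = re.compile(r"Try to bind with DN: (?P<dn>.+)$")
BIND_ERR = re.compile(r"ldap_simple_bind_s\(\) failed, error:\s*(?P<err>.+)$")
AUTH_LOG = re.compile(r"Updated auth log '(?P<user>[^']+)' for attempt from \S+: (?P<summary>.+)$")

def summarize(text):
    """Group facauth lines by request ID; collect bind DN, bind error and logged summary."""
    sessions = {}
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # lines without a request ID (e.g. update_user_lockout) are skipped
        s = sessions.setdefault(m["req"], {"dn": None, "bind_error": None,
                                           "bound": False, "user": None, "summary": None})
        msg = m["msg"]
        if (b := BIND_DN.search(msg)):
            s["dn"] = b["dn"]
        elif (e := BIND_ERR.search(msg)):
            s["bind_error"] = e["err"].strip()
        elif msg == "Binding successful":
            s["bound"] = True
        elif (a := AUTH_LOG.search(msg)):
            s["user"], s["summary"] = a["user"], a["summary"]
    return sessions

def misleading(s):
    """True when the auth log blames the password but the bind failed for another reason."""
    # Assumption: a truly wrong password surfaces as the bind error "Invalid credentials".
    return bool(s["summary"] and "invalid password" in s["summary"]
                and s["bind_error"] and "invalid credentials" not in s["bind_error"].lower())

if __name__ == "__main__":
    for req, s in summarize(SAMPLE).items():
        print(req, s["user"], s["bind_error"] or "bind ok", "MISLEADING" if misleading(s) else "")
```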
After the LDAP server grants the necessary privileges, the binding should complete successfully, allowing the user to authenticate without issues.

2025-04-16T15:08:39.538481+05:30 AL-FortiAuthenticator radiusd[12971]: (62021) facauth: LDAP user found: test
2025-04-16T15:08:40.913694+05:30 AL-FortiAuthenticator radiusd[12971]: (62021) facauth: Try to bind with DN: uid=test,ou=MDM COD,ou=allen.in,ou=Users,dc=allen,dc=in
2025-04-16T15:08:42.231197+05:30 AL-FortiAuthenticator radiusd[12971]: (62021) facauth: Binding successful
2025-04-16T15:08:42.231208+05:30 AL-FortiAuthenticator radiusd[12971]: (62021) facauth: Remote LDAP user password authenticated
2025-04-16T15:08:42.231868+05:30 AL-FortiAuthenticator radiusd[12971]: (62021) facauth: Matched NAS groups (user list groups): 1
2025-04-16T15:08:42.232164+05:30 AL-FortiAuthenticator radiusd[12971]: (62021) facauth: NAS groups (LDAP filter groups): 0
2025-04-16T15:08:42.232174+05:30 AL-FortiAuthenticator radiusd[12971]: (62021) facauth: Authentication OK
2025-04-16T15:08:42.232177+05:30 AL-FortiAuthenticator radiusd[12971]: (62021) facauth: Setting 'Post-Auth-Type := FACAUTH'
2025-04-16T15:08:42.232243+05:30 AL-FortiAuthenticator radiusd[12971]: (62021) facauth: Updated auth log 'test@allen.in' for attempt from 10.x.x.x: Remote LDAP user authentication from (null) with no token successful

Related article: Troubleshooting Tip: How to debug FortiAuthenticator Services |