Technical Tip: Users unable to connect FortiClient after Implement the fix for CVE-2019-5591

# config user ldap

    edit "LDAP"

        set server-identity-check enable

    end

Solution

Procedure to collect the packet capture.

# diag sniffer packet any 'host <LDAPS_IP> and port <LDAPS_port>'' 6 0 l

Tried to connect to SSLVPN with set server-identity-check enabled.

To stop the sniffer, press 'CTRL + C'.

From the PCAP, the LDAPS server certificate in the subject should contains hostname 'ldap.example.com'.

Once the hostname has been identified, change the LDAP server from IP address to FQDN and enable 'server-identity-check', 

# config user ldap

    edit "LDAP"

        set server "Certificate_Hostname"

        set server-identity-check enable

end

NOTE.

Make sure, that the FQDN for the certificate hostname can be resolved by the configured DNS servers.