The FortiGate can connect to an LDAP server on a Global Catalog (GC) port. These ports are used to authenticate users from multiple child domains within a single forest, because the Global Catalog provides a forest-wide view of all objects. Port 3268 is used for standard (unencrypted) Global Catalog queries and port 3269 is used for secure (SSL/TLS encrypted) Global Catalog queries.
config user ldap
    edit <ldap-name>
        set server 10.30.0.99
        set cnid "userPrincipalName"
        set port 3268    <-- **problem** (Global Catalog port)
    next
end
The LDAP bind succeeded, but the subsequent modify (password change) request was sent to the Global Catalog (GC) port.
The issue was identified by running the following debug commands on the FortiGate while the user was attempting to connect to the SSL VPN:
diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose vpn ssl debug-filter src-addr4 "PUBLIC-IP-ADDRESS-OF-ENDPOINT-MACHINE"
diagnose debug enable
[1809] fnbamd_ldap_resume-LDP-Server-LDAPS:, addr 192.168.10.20
[986] __ldap_rxtx-state 19(Change password)
[1083] fnbamd_ldap_send-sending 126 bytes to 192.168.10.20
[1096] fnbamd_ldap_send-Request is sent. ID 5
[986] __ldap_rxtx-state 20(Change password resp)
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 110
[1306] fnbamd_ldap_recv-Response len: 112, svr: 192.168.10.20
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:modify
[1009] fnbamd_ldap_parse_response-Error 53 (00002035: LdapErr: DSID-0C091297, comment: Operation not allowed through GC port, data 0, v4f7c)
[1023] fnbamd_ldap_parse_response-ret=53
[785] __ldap_done-svr 'LDP-Server-LDAPS'
[755] __ldap_destroy-
[724] __ldap_stop-Conn with 192.168.10.20 destroyed.
[209] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 228684624, len=2548
[808] destroy_auth_session-delete session 228684624
The connection to the LDAP server at 192.168.10.20 is established for a password change operation. The log shows the password change (modify) request being sent ([1083] fnbamd_ldap_send-sending 126 bytes to 192.168.10.20). The server replies with LDAP result code 53 ([1009] fnbamd_ldap_parse_response-Error 53), and the accompanying message states that the operation is not allowed through the Global Catalog (GC) port (comment: Operation not allowed through GC port).
The Global Catalog does not accept write operations, so the server returns error 53 and the FortiGate ultimately returns sslvpn_login_permission_denied. If the configured port is 3268 or 3269, change it to 389 (LDAP) or 636 (LDAPS).
config user ldap
    edit <ldap-name>
        set port 636    # or 389 for plain LDAP
    next
end
After making the change, the password change request will work.
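The diagnosis above can be automated against an exported configuration and the fnbamd debug output. The following Python script is an added example, not part of the original article and not a Fortinet tool: it flags any `config user ldap` entry whose port is 3268 or 3269, and scans fnbamd debug lines for a modify (password change) response carrying result code 53 with Active Directory's "not allowed through GC port" comment. The sample config and debug lines are constructed from the output shown above; the mapping of 3268 to 389 and 3269 to 636 (keeping the transport security of each pair), the 389 default port when `set port` is absent, and the function names are assumptions made for the example.

```python
import re

# Constructed sample FortiGate "config user ldap" block reproducing the
# misconfiguration discussed above (server name and address follow the debug
# output; "set port 3268" is the Global Catalog port).
SAMPLE_CONFIG = """\
config user ldap
    edit "LDP-Server-LDAPS"
        set server "192.168.10.20"
        set cnid "userPrincipalName"
        set port 3268
    next
end
"""

# Constructed sample of fnbamd debug lines, modelled on the output shown above.
SAMPLE_DEBUG = """\
[986] __ldap_rxtx-state 19(Change password)
[1083] fnbamd_ldap_send-sending 126 bytes to 192.168.10.20
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:modify
[1009] fnbamd_ldap_parse_response-Error 53 (00002035: LdapErr: DSID-0C091297, comment: Operation not allowed through GC port, data 0, v4f7c)
[1023] fnbamd_ldap_parse_response-ret=53
"""

# Assumption: map each Global Catalog port to the domain-controller port with the
# same transport security (3268 plain -> 389 plain, 3269 TLS -> 636 LDAPS).
GC_TO_DC_PORT = {3268: 389, 3269: 636}
DEFAULT_LDAP_PORT = 389  # assumed FortiOS default when "set port" is absent

# LDAP result code 53 is unwillingToPerform (RFC 4511); AD returns it for
# write operations sent to a Global Catalog port.
LDAP_UNWILLING_TO_PERFORM = 53


def find_gc_port_servers(config_text):
    """Return {ldap_name: (configured_port, suggested_port)} for every
    'config user ldap' entry that points at a Global Catalog port."""
    findings = {}
    name, port = None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            name, port = m.group(1), DEFAULT_LDAP_PORT
            continue
        m = re.match(r'set port (\d+)$', line)
        if m and name is not None:
            port = int(m.group(1))
            continue
        if line == "next" and name is not None:
            if port in GC_TO_DC_PORT:
                findings[name] = (port, GC_TO_DC_PORT[port])
            name, port = None, None
    return findings


def detect_gc_write_error(debug_text):
    """Scan fnbamd debug output for a modify (password change) response that
    carries result code 53 with AD's 'not allowed through GC port' comment.
    Returns a dict describing the failure, or None if the pattern is absent."""
    saw_modify = False
    for line in debug_text.splitlines():
        if "type:modify" in line:
            saw_modify = True
        m = re.search(r'Error (\d+) \((.*)\)', line)
        if m and saw_modify:
            code, detail = int(m.group(1)), m.group(2)
            if code == LDAP_UNWILLING_TO_PERFORM and "not allowed through GC port" in detail:
                return {"result_code": code, "operation": "modify", "detail": detail}
    return None


def diagnose(config_text, debug_text):
    """Combine the config and debug checks into a list of remediation strings."""
    advice = []
    for name, (port, suggested) in find_gc_port_servers(config_text).items():
        advice.append(f"{name}: port {port} is a Global Catalog port; "
                      f"set port {suggested} so password changes (LDAP modify) are accepted")
    failure = detect_gc_write_error(debug_text)
    if failure and not advice:
        advice.append("debug shows LDAP result 53 via the GC port, but no GC port appears in the "
                      "supplied config: check that the right 'config user ldap' entry was exported")
    return advice


if __name__ == "__main__":
    for line in diagnose(SAMPLE_CONFIG, SAMPLE_DEBUG):
        print(line)
```

Run it on a `show user ldap` export and the captured fnbamd debug; the config check alone is enough to catch the misconfiguration before any user reports a failed password change, while the debug check confirms that an observed sslvpn_login_permission_denied has this cause rather than, for example, bad credentials.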