ibituya (Staff)
October 31, 2024

Troubleshooting Tip: LDAP Troubleshooting using 'diagnose test authserver ldap' and 'diagnose test authserver ldap-search' commands


Description

This article describes how to troubleshoot and verify LDAP users and groups using the 'diagnose test authserver' commands.

Scope

FortiGate.

Solution

To verify that LDAP user authentication succeeds and that the FortiGate retrieves the user's group membership, run the following command:

 

diagnose test authserver ldap <ldap_server_name> <username> <password>

 

Example:

The LDAP server is configured on the FortiGate as follows:

 

config user ldap
    edit "WINSERVER-AD"
        set server "10.0.0.1"
        set cnid "sAMAccountName"
        set dn "ou=FortiGate,dc=winserver,dc=lab"
        set type regular
        set username "WINSERVER\\fgt.svc"
        set password ENC [masked]
    next
end


Run the command below to verify that authentication for the test user succeeds and that the expected group membership is returned. The example tests with the bind service account itself; testing an ordinary end-user account exercises the same path and is usually the more useful check. The password is typed in cleartext on the CLI, so treat any session capture or terminal log accordingly:


 diagnose test authserver ldap WINSERVER-AD fgt.svc Passw0rd!

 

[Screenshot 1.PNG: output of the 'diagnose test authserver ldap' command]

 

To search for LDAP objects matching a given LDAP filter, for example the members of a group, use the following command:

 

diagnose test authserver ldap-search <server ip> <port> <dn> <cn> <user> <password> <secure: 0,1,2> <filter> <flag: 1,2> <page_no> 


The <secure> option selects the transport (0 = LDAP, 1 = STARTTLS, 2 = LDAPS):

0: LDAP. No encryption; the bind credentials and the search results cross the network in cleartext. The examples below use this on port 389 against a lab server.

1: STARTTLS. The connection starts in cleartext on the LDAP port and is upgraded to TLS before the bind is sent.

2: LDAPS. The connection is TLS from the start. Servers normally listen on port 636 rather than 389 for LDAPS, so set <port> accordingly.


The <flag> option controls the scope of the search:

0: Base object only (search just the exact DN specified).

1: One level (only immediate children of the base DN).

2: Subtree (search the entire directory tree under the base DN).

The <page_no> option selects which page of results is displayed. Each page holds 1000 entries. The first page is 0 (or blank, if the argument is omitted), the second page is 1, the third page is 2, and so on.


Example:

  1. LDAP search filter to list the members of the LDAP group "FortiGate Group":

 

(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=FortiGate Group,ou=FortiGate,dc=winserver,dc=lab))

This filter matches direct members only. On Active Directory, users who belong through a nested group are not matched by memberOf; the matching-rule form memberOf:1.2.840.113556.1.4.1941:=<group DN> (LDAP_MATCHING_RULE_IN_CHAIN) walks nested membership as well.

 

Run the command below to list the results of this filter. Here <secure> is 0 (plain LDAP on port 389), <flag> is 2 (subtree search under the base DN), and <page_no> is omitted, so the first page of results is shown:

 

diagnose test authserver ldap-search 10.0.0.1 389 "ou=FortiGate,dc=winserver,dc=lab" cn fgt.svc@winserver.lab Passw0rd! 0 '(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=FortiGate Group,ou=FortiGate,dc=winserver,dc=lab))' 2

 

[Screenshot 2.PNG: output of the group-membership ldap-search command]

 

  2. LDAP search filter to find all users whose email address contains "fortinet" (a substring match with a leading wildcard cannot use an index, so expect it to be slow on a large directory):

 

(&(sAMAccountName=*)(mail=*fortinet*))

 

Run the command below to list the results of this filter, again with plain LDAP on port 389, a subtree search, and the first page of results:

 

diagnose test authserver ldap-search 10.0.0.1 389 "ou=FortiGate,dc=winserver,dc=lab" cn fgt.svc@winserver.lab Passw0rd! 0 '(&(sAMAccountName=*)(mail=*fortinet*))' 2

 

[Screenshot 3.PNG: output of the email-substring ldap-search command]
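The filters and command lines above are easy to assemble by hand for a lab, but when the group name or username comes from a ticket or a script, the value should be escaped before it goes into the filter, and the <port>/<secure> pair should be checked for consistency. The following Python helper is an added example written for this article, not FortiGate or Fortinet code. It builds the two filters shown above with RFC 4515 escaping (so a value such as `*)(objectClass=*` cannot widen the search), offers the Active Directory in-chain variant for nested groups, assembles the ldap-search line using the quoting convention of the examples above (base DN in double quotes, filter in single quotes, everything else bare), and flags <port>/<secure> combinations that usually mean a typo. The function names, the warning texts, and the assumption that the FortiGate CLI accepts exactly that quoting are mine; the lab values are constructed to mirror the article.

```python
"""Build and sanity-check the LDAP filters and the 'ldap-search' command line
used in this article. Added example for this article; not FortiGate code."""
from typing import List, Optional

# RFC 4515 escaping: these characters would otherwise change filter structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Active Directory LDAP_MATCHING_RULE_IN_CHAIN: follows nested group membership.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"

SECURE = {0: "ldap", 1: "starttls", 2: "ldaps"}   # <secure> values from the article
SCOPE = {0: "base", 1: "onelevel", 2: "subtree"}  # <flag> values from the article


def escape_filter_value(value: str) -> str:
    """Escape a value before embedding it in a filter, so a username such as
    '*)(objectClass=*' cannot widen the search (LDAP filter injection)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_members_filter(group_dn: str, nested: bool = False) -> str:
    """Person objects that are members of group_dn. Plain memberOf matches direct
    members only; nested=True uses the AD in-chain rule to include nested groups."""
    attr = f"memberOf:{IN_CHAIN_OID}:" if nested else "memberOf"
    return (f"(&(objectCategory=Person)(sAMAccountName=*)"
            f"({attr}={escape_filter_value(group_dn)}))")


def mail_substring_filter(needle: str) -> str:
    """Users whose mail attribute contains needle (a leading wildcard cannot use
    an index, so expect this to be slow on a large directory)."""
    return f"(&(sAMAccountName=*)(mail=*{escape_filter_value(needle)}*))"


def check_transport(port: int, secure: int) -> List[str]:
    """Return warnings for <port>/<secure> combinations that usually mean a mistake."""
    warnings = []
    if secure == 0:
        warnings.append("secure=0: bind password and results cross the network in cleartext")
    if secure == 2 and port != 636:
        warnings.append(f"secure=2 (LDAPS) on port {port}: LDAPS normally listens on 636")
    if secure in (0, 1) and port == 636:
        warnings.append("port 636 normally expects LDAPS (secure=2), not a plaintext or STARTTLS bind")
    return warnings


def _bare(arg: str) -> str:
    """Arguments the article passes unquoted must not contain whitespace or quotes."""
    if any(ch.isspace() or ch in "\"'" for ch in arg):
        raise ValueError(f"argument needs quoting, which is not handled here: {arg!r}")
    return arg


def ldap_search_cmd(server: str, port: int, base_dn: str, cnid: str, bind_user: str,
                    password: str, secure: int, filter_str: str, scope: int,
                    page_no: Optional[int] = None) -> str:
    """Assemble the command line, following the quoting used in the article:
    base DN in double quotes, filter in single quotes, everything else bare.
    (Assumption: the FortiGate CLI accepts exactly that quoting.)"""
    if secure not in SECURE:
        raise ValueError(f"secure must be one of {sorted(SECURE)}")
    if scope not in SCOPE:
        raise ValueError(f"flag/scope must be one of {sorted(SCOPE)}")
    if '"' in base_dn or "'" in filter_str:
        raise ValueError("quote character inside a quoted argument is not handled here")
    parts = ["diagnose", "test", "authserver", "ldap-search", _bare(server), str(port),
             f'"{base_dn}"', _bare(cnid), _bare(bind_user), _bare(password),
             str(secure), f"'{filter_str}'", str(scope)]
    if page_no is not None:
        parts.append(str(page_no))
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed lab values, mirroring the article's example.
    group = "cn=FortiGate Group,ou=FortiGate,dc=winserver,dc=lab"
    cmd = ldap_search_cmd("10.0.0.1", 389, "ou=FortiGate,dc=winserver,dc=lab", "cn",
                          "fgt.svc@winserver.lab", "Passw0rd!", 0,
                          group_members_filter(group), 2)
    print(cmd)
    print(group_members_filter(group, nested=True))
    for w in check_transport(389, 0):
        print("warning:", w)
```

Run as a script it prints the exact group-membership command from the article, the nested-group variant of the same filter, and a warning that the lab command binds in cleartext. Passing a group DN or username that contains `(`, `)`, `*` or `\` produces a filter that still searches for that literal value instead of changing what the filter matches.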

 

Related article:

Troubleshooting Tip: FortiGate LDAP troubleshooting and debug logs created by fnbamd